Windows Analysis Report
MPJ_1281565D#U00ae.msi

Overview

General Information

Sample name: MPJ_1281565D#U00ae.msi
renamed because original name is a hash value
Original sample name: MPJ_1281565D.msi
Analysis ID: 1562228
MD5: c3541cf72e6fd5b278f8cc899dae304a
SHA1: fe9864fa355777efbe3f94a83abf51fa9272b6c6
SHA256: 49e22d098f3713fe44f1d75757904e13e758424288b81f7bb517d356f48cf88f
Tags: ConnectWisemsiuser-Porcupine
Infos:

Detection

ScreenConnect Tool
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 95.7% probability
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297016236.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297409679.0000000001122000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2064073724.0000000000EBD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.2040950060.00000000046C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: MPJ_1281565D#U00ae.msi, 5435dd.rbs.1.dr, MSI3A9F.tmp.1.dr, MSI3D60.tmp.1.dr, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI3B8A.tmp.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: MPJ_1281565D#U00ae.msi, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI31E4.tmp.0.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000004.00000003.2037797193.0000000004840000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299876394.000000001B3C2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.4.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior

Networking
barindex
Enables network access during safeboot for specific services
Source: C:\Windows\System32\msiexec.exe Registry value created: NULL Service Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: instance-c89u33-relay.screenconnect.com
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/Dw
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/Nt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001695000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000015E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000018CA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001735000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000017E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.000000000189D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/jt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/tZ
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/xt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.4.dr String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Reads the System eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Contains functionality to launch a process as a different user
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05130110 CreateProcessAsUserW, 7_2_05130110
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5435dc.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3A9F.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B8A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D60.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5435de.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5435de.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}\DefaultIcon Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.SchedServiceConfig.rmi Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f) Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\33z52vm4.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\33z52vm4.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\qo0hcons.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\qo0hcons.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\alszbl3u.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\alszbl3u.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\nmnun0hu.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\nmnun0hu.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\r2kg0cka.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\r2kg0cka.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\srp51sxk.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\srp51sxk.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\yv4abzkt.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\yv4abzkt.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\fp5c33kt.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\fp5c33kt.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\vxgokhmo.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\vxgokhmo.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\kajzydm0.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\kajzydm0.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\flmhfwwk.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\flmhfwwk.newcfg Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI3B8A.tmp Jump to behavior
Detected potential crypto function
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_00B8D588 7_2_00B8D588
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A810CF 8_2_00007FF848A810CF
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A810D7 8_2_00007FF848A810D7
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848D96E8B 8_2_00007FF848D96E8B
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848D95C31 8_2_00007FF848D95C31
Sample file is different than original file name gathered from version info
Source: MPJ_1281565D#U00ae.msi Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs MPJ_1281565D#U00ae.msi
Source: MPJ_1281565D#U00ae.msi Binary or memory string: OriginalFilenameSfxCA.dllL vs MPJ_1281565D#U00ae.msi
Source: MPJ_1281565D#U00ae.msi Binary or memory string: OriginalFilenamewixca.dll\ vs MPJ_1281565D#U00ae.msi
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal72.evad.winMSI@13/61@4/1
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f) Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: MPJ_1281565D#U00ae.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\MPJ_1281565D#U00ae.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 390FD6DCD7E50BFBF112F96E3A0DE021 C
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B5721C1CE0E7EF98DD0EC09055781AD
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A228E7CE75C97BE8E56E19BF17938851 E Global\MSI0000
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-c89u33-relay.screenconnect.com&p=443&s=8f47f859-e57f-4bd8-9f9a-e730d3b0dc96&k=BgIAAACkAABSU0ExAAgAAAEAAQDpI9qfgaQF9EqFatMP06CsRNHBTKHOK5%2bUtX0qmq8CA4QJH2XTUdjK0ggTdGE4t0YfU4unuKYheAHWWjw%2bjMFfbdlJ1G50ApzOoLoB%2b7pQWX2ZnbVh%2bLfj4JIFwgKtc6Wpc%2fHElrzDuV3d5egfIjs2stKs6RmevReV2ZtwZXMrYZKFQK5QgwhmOTs1pFbFBaiusdjG8NTEcpq2zEicxl0jNKmCw71zqxPy1Lyu3YkOHeZqzMfRsWjzH%2fYVBCAx2I5sAn2Al2rwnZGCoxiYVwlWGITSxEHyjKXWvvVVaCBwjSzlM79WD5B4aCG5QDHn9IzvPCVw%2bHuInNUKsgj2iTG7&t=pdfconvitHir"
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe" "RunRole" "d04726a4-55e2-40d7-93a5-312106824cb3" "User"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 390FD6DCD7E50BFBF112F96E3A0DE021 C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B5721C1CE0E7EF98DD0EC09055781AD Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A228E7CE75C97BE8E56E19BF17938851 E Global\MSI0000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe" "RunRole" "d04726a4-55e2-40d7-93a5-312106824cb3" "User" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: MPJ_1281565D#U00ae.msi Static file information: File size 9920512 > 1048576
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297016236.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297409679.0000000001122000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2064073724.0000000000EBD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.2040950060.00000000046C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: MPJ_1281565D#U00ae.msi, 5435dd.rbs.1.dr, MSI3A9F.tmp.1.dr, MSI3D60.tmp.1.dr, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI3B8A.tmp.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: MPJ_1281565D#U00ae.msi, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI31E4.tmp.0.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000004.00000003.2037797193.0000000004840000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299876394.000000001B3C2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.4.dr
Binary contains a suspicious time stamp
Source: ScreenConnect.Client.dll.1.dr Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
PE file contains an invalid checksum
Source: MSI31E4.tmp.0.dr Static PE information: real checksum: 0x2f213 should be: 0x1125d0
PE file contains sections with non-standard names
Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05139541 pushfd ; retn 0004h 7_2_05139542
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_051395A8 pushfd ; retn 0004h 7_2_051395AA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_051395D9 pushfd ; retn 0004h 7_2_051395DA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_051365D8 pushad ; retn 0004h 7_2_051365D9
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05130460 push cs; retn 0004h 7_2_05130462
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134730 push edx; retn 0004h 7_2_05134732
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05139650 pushfd ; retn 0004h 7_2_05139652
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134658 push ecx; retn 0004h 7_2_0513465A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_0513969F pushfd ; retn 0004h 7_2_051396A2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_051346EF push ecx; retn 0004h 7_2_051346F2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05138220 pushfd ; iretd 7_2_05138229
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134F40 push edi; retn 0004h 7_2_05134F42
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134FC1 push edi; retn 0004h 7_2_05134FC2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134FF1 push edi; retn 0004h 7_2_05134FF2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_051349F8 push ebx; retn 0004h 7_2_051349FA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_05134A41 push ebx; retn 0004h 7_2_05134A42
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A9096D push ebx; retf 8_2_00007FF848A9098A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A922B1 push ebx; retf 8_2_00007FF848A922FA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A908CD push ebx; retf 8_2_00007FF848A9098A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848A800BD pushad ; iretd 8_2_00007FF848A800C1
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FF848D92F5A pushfd ; iretd 8_2_00007FF848D92F5B

Persistence and Installation Behavior
barindex
Possible COM Object hijacking
Source: c:\program files (x86)\screenconnect client (909a0bac52a7095f)\screenconnect.windowscredentialprovider.dll COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-9b96-92d47dcb003a}\inprocserver32
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D60.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B8A.tmp Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D60.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B8A.tmp Jump to dropped file
May use bcdedit to modify the Windows boot settings
Source: ScreenConnect.ClientService.dll.1.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Creates or modifies windows services
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application Jump to behavior
Modifies existing windows services
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (909a0bac52a7095f) Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: rundll32.exe, 00000004.00000003.2037797193.0000000004840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297016236.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297409679.0000000001122000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.4.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Memory allocated: B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Memory allocated: 1370000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Memory allocated: 3370000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Memory allocated: D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Memory allocated: 1AC00000 memory reserve | memory write watch Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3D60.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B8A.tmp Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe TID: 5880 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe TID: 5560 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3305338984.00000000048C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (909a0bac52a7095f)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-c89u33-relay.screenconnect.com&p=443&s=8f47f859-e57f-4bd8-9f9a-e730d3b0dc96&k=bgiaaackaabsu0exaagaaaeaaqdpi9qfgaqf9eqfatmp06csrnhbtkhok5%2butx0qmq8ca4qjh2xtudjk0ggtdge4t0yfu4unukyheahwwjw%2bjmffbdlj1g50apzoolob%2b7pqwx2znbvh%2blfj4jifwgktc6wpc%2fhelrzduv3d5egfijs2stks6rmevrev2ztwzxmryzkfqk5qgwhmots1pfbfbaiusdjg8ntecpq2zeicxl0jnkmcw71zqxpy1lyu3ykohezqzmfrswjzh%2fyvbcax2i5san2al2rwnzgcoxiyvwlwgitsxehyjkxwvvvvacbwjszlm79wd5b4acg5qdhn9izvpcvw%2bhuinnuksgj2itg7&t=pdfconvithir"
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_0513119C CreateNamedPipeW, 7_2_0513119C
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe Code function: 7_2_00B84C62 RtlGetVersion, 7_2_00B84C62
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies security policies related information
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages Jump to behavior
Yara detected ScreenConnect Tool
Source: Yara match File source: 8.2.ScreenConnect.WindowsClient.exe.2c7fa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.ScreenConnect.WindowsClient.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4592, type: MEMORYSTR
Source: Yara match File source: C:\Config.Msi\5435dd.rbs, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI3A9F.tmp, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562228 Sample: MPJ_1281565D#U00ae.msi Startdate: 25/11/2024 Architecture: WINDOWS Score: 72 48 server-nix3a3cd951-relay.screenconnect.com 2->48 50 instance-c89u33-relay.screenconnect.com 2->50 54 .NET source code references suspicious native API functions 2->54 56 Contains functionality to hide user accounts 2->56 58 Possible COM Object hijacking 2->58 60 AI detected suspicious sample 2->60 8 msiexec.exe 94 49 2->8         started        12 ScreenConnect.ClientService.exe 17 25 2->12         started        15 msiexec.exe 6 2->15         started        signatures3 process4 dnsIp5 30 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->30 dropped 32 C:\...\ScreenConnect.ClientService.exe, PE32 8->32 dropped 34 C:\Windows\Installer\MSI3D60.tmp, PE32 8->34 dropped 38 9 other files (none is malicious) 8->38 dropped 64 Enables network access during safeboot for specific services 8->64 66 Modifies security policies related information 8->66 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        21 msiexec.exe 8->21         started        52 server-nix3a3cd951-relay.screenconnect.com 147.75.63.88, 443, 49704, 49705 PACKETUS Switzerland 12->52 68 Reads the Security eventlog 12->68 70 Reads the System eventlog 12->70 23 ScreenConnect.WindowsClient.exe 2 12->23         started        36 C:\Users\user\AppData\Local\...\MSI31E4.tmp, PE32 15->36 dropped file6 signatures7 process8 signatures9 26 rundll32.exe 11 17->26         started        62 Contains functionality to hide user accounts 23->62 process10 file11 40 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 26->40 dropped 42 C:\...\ScreenConnect.InstallerActions.dll, PE32 26->42 dropped 44 C:\Users\user\...\ScreenConnect.Core.dll, PE32 26->44 dropped 46 4 other files (none is malicious) 26->46 dropped 72 Contains functionality to hide user accounts 26->72 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.75.63.88
 server-nix3a3cd951-relay.screenconnect.com Switzerland
54825 PACKETUS false

Contacted Domains

Name IP Active
server-nix3a3cd951-relay.screenconnect.com 147.75.63.88 true
instance-c89u33-relay.screenconnect.com unknown unknown