Windows Analysis Report
MPJ_1281565D#U00ae.msi

Reads the Security eventlog

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: instance-c89u33-relay.screenconnect.com

Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/Dw
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/Nt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001695000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000015E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000018CA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001735000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000017E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.000000000189D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/jt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/tZ
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-c89u33-relay.screenconnect.com:443/xt
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.4.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Code function: 7_2_05130110 CreateProcessAsUserW,

7_2_05130110

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3B8A.tmp

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_00B8D588	7_2_00B8D588
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A810CF	8_2_00007FF848A810CF
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A810D7	8_2_00007FF848A810D7
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848D96E8B	8_2_00007FF848D96E8B
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848D95C31	8_2_00007FF848D95C31

Source: MPJ_1281565D#U00ae.msi	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs MPJ_1281565D#U00ae.msi
Source: MPJ_1281565D#U00ae.msi	Binary or memory string: OriginalFilenameSfxCA.dllL vs MPJ_1281565D#U00ae.msi
Source: MPJ_1281565D#U00ae.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs MPJ_1281565D#U00ae.msi

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal72.evad.winMSI@13/61@4/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: MPJ_1281565D#U00ae.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\MPJ_1281565D#U00ae.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 390FD6DCD7E50BFBF112F96E3A0DE021 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B5721C1CE0E7EF98DD0EC09055781AD
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A228E7CE75C97BE8E56E19BF17938851 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-c89u33-relay.screenconnect.com&p=443&s=8f47f859-e57f-4bd8-9f9a-e730d3b0dc96&k=BgIAAACkAABSU0ExAAgAAAEAAQDpI9qfgaQF9EqFatMP06CsRNHBTKHOK5%2bUtX0qmq8CA4QJH2XTUdjK0ggTdGE4t0YfU4unuKYheAHWWjw%2bjMFfbdlJ1G50ApzOoLoB%2b7pQWX2ZnbVh%2bLfj4JIFwgKtc6Wpc%2fHElrzDuV3d5egfIjs2stKs6RmevReV2ZtwZXMrYZKFQK5QgwhmOTs1pFbFBaiusdjG8NTEcpq2zEicxl0jNKmCw71zqxPy1Lyu3YkOHeZqzMfRsWjzH%2fYVBCAx2I5sAn2Al2rwnZGCoxiYVwlWGITSxEHyjKXWvvVVaCBwjSzlM79WD5B4aCG5QDHn9IzvPCVw%2bHuInNUKsgj2iTG7&t=pdfconvitHir"
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe" "RunRole" "d04726a4-55e2-40d7-93a5-312106824cb3" "User"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 390FD6DCD7E50BFBF112F96E3A0DE021 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B5721C1CE0E7EF98DD0EC09055781AD	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A228E7CE75C97BE8E56E19BF17938851 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe" "RunRole" "d04726a4-55e2-40d7-93a5-312106824cb3" "User"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Possible COM Object hijacking

Source: MPJ_1281565D#U00ae.msi

Static file information: File size 9920512 > 1048576

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297016236.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3297409679.0000000001122000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2064073724.0000000000EBD000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.2040950060.00000000046C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: MPJ_1281565D#U00ae.msi, 5435dd.rbs.1.dr, MSI3A9F.tmp.1.dr, MSI3D60.tmp.1.dr, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI3B8A.tmp.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.1.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: MPJ_1281565D#U00ae.msi, 5435de.msi.1.dr, 5435dc.msi.1.dr, MSI31E4.tmp.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297349091.00000000010C2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3302471477.0000000002377000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299239769.0000000012C10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000004.00000003.2037797193.0000000004840000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3299876394.000000001B3C2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.4.dr

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]

Source: MSI31E4.tmp.0.dr

Static PE information: real checksum: 0x2f213 should be: 0x1125d0

Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr	Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr	Static PE information: section name: _RDATA

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05139541 pushfd ; retn 0004h	7_2_05139542
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_051395A8 pushfd ; retn 0004h	7_2_051395AA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_051395D9 pushfd ; retn 0004h	7_2_051395DA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_051365D8 pushad ; retn 0004h	7_2_051365D9
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05130460 push cs; retn 0004h	7_2_05130462
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134730 push edx; retn 0004h	7_2_05134732
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05139650 pushfd ; retn 0004h	7_2_05139652
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134658 push ecx; retn 0004h	7_2_0513465A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_0513969F pushfd ; retn 0004h	7_2_051396A2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_051346EF push ecx; retn 0004h	7_2_051346F2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05138220 pushfd ; iretd	7_2_05138229
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134F40 push edi; retn 0004h	7_2_05134F42
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134FC1 push edi; retn 0004h	7_2_05134FC2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134FF1 push edi; retn 0004h	7_2_05134FF2
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_051349F8 push ebx; retn 0004h	7_2_051349FA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Code function: 7_2_05134A41 push ebx; retn 0004h	7_2_05134A42
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A9096D push ebx; retf	8_2_00007FF848A9098A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A922B1 push ebx; retf	8_2_00007FF848A922FA
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A908CD push ebx; retf	8_2_00007FF848A9098A
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848A800BD pushad ; iretd	8_2_00007FF848A800C1
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FF848D92F5A pushfd ; iretd	8_2_00007FF848D92F5B

Persistence and Installation Behavior

Source: c:\program files (x86)\screenconnect client (909a0bac52a7095f)\screenconnect.windowscredentialprovider.dll

COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-9b96-92d47dcb003a}\inprocserver32

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D60.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B8A.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D60.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B8A.tmp			Jump to dropped file

Source: ScreenConnect.ClientService.dll.1.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (909a0bac52a7095f)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: rundll32.exe, 00000004.00000003.2037797193.0000000004840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3300906861.000000001B972000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297016236.0000000000DA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3297409679.0000000001122000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.4.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D60.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3B8A.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe TID: 5880	Thread sleep count: 49 > 30			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe TID: 5560	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: ScreenConnect.ClientService.exe, 00000007.00000002.3305338984.00000000048C2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs	Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (909a0bac52a7095f)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-c89u33-relay.screenconnect.com&p=443&s=8f47f859-e57f-4bd8-9f9a-e730d3b0dc96&k=bgiaaackaabsu0exaagaaaeaaqdpi9qfgaqf9eqfatmp06csrnhbtkhok5%2butx0qmq8ca4qjh2xtudjk0ggtdge4t0yfu4unukyheahwwjw%2bjmffbdlj1g50apzoolob%2b7pqwx2znbvh%2blfj4jifwgktc6wpc%2fhelrzduv3d5egfijs2stks6rmevrev2ztwzxmryzkfqk5qgwhmots1pfbfbaiusdjg8ntecpq2zeicxl0jnkmcw71zqxpy1lyu3ykohezqzmfrswjzh%2fyvbcax2i5san2al2rwnzgcoxiyvwlwgitsxehyjkxwvvvvacbwjszlm79wd5b4acg5qdhn9izvpcvw%2bhuinnuksgj2itg7&t=pdfconvithir"

Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Code function: 7_2_0513119C CreateNamedPipeW,

7_2_0513119C

Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Code function: 7_2_00B84C62 RtlGetVersion,

7_2_00B84C62

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Source: Yara match	File source: 8.2.ScreenConnect.WindowsClient.exe.2c7fa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.ScreenConnect.WindowsClient.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4592, type: MEMORYSTR
Source: Yara match	File source: C:\Config.Msi\5435dd.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI3A9F.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Component Object Model Hijacking	1 Component Object Model Hijacking	1 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Timestomp	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	2 Windows Service	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	3 Process Injection	22 Masquerading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	3 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSI3B8A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3D60.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://instance-c89u33-relay.screenconnect.com:443/d	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/Nt	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/jt	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/xt	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/tZ	0%	Avira URL Cloud	safe
http://instance-c89u33-relay.screenconnect.com:443/Dw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server-nix3a3cd951-relay.screenconnect.com	147.75.63.88	true	false		unknown
instance-c89u33-relay.screenconnect.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wixtoolset.org/releases/	rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
http://instance-c89u33-relay.screenconnect.com:443/d	ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001695000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000015E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000018CA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001735000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.00000000017E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.000000000189D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-c89u33-relay.screenconnect.com:443/xt	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-c89u33-relay.screenconnect.com:443/Nt	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-c89u33-relay.screenconnect.com:443/tZ	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.4.dr	false		high
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.1.dr	false		high
http://instance-c89u33-relay.screenconnect.com:443/jt	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-c89u33-relay.screenconnect.com:443/	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/news/	rundll32.exe, 00000004.00000003.2037998683.00000000046C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2037797193.0000000004834000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
http://instance-c89u33-relay.screenconnect.com:443/Dw	ScreenConnect.ClientService.exe, 00000007.00000002.3297056595.00000000008FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ScreenConnect.ClientService.exe, 00000007.00000002.3298215886.0000000001371000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.75.63.88	server-nix3a3cd951-relay.screenconnect.com	Switzerland		54825	PACKETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562228
Start date and time:	2024-11-25 11:20:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MPJ_1281565D#U00ae.msi renamed because original name is a hash value
Original Sample Name:	MPJ_1281565D.msi
Detection:	MAL
Classification:	mal72.evad.winMSI@13/61@4/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 72% Number of executed functions: 177 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 1776 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: MPJ_1281565D#U00ae.msi

Simulations

Behavior and APIs

Time	Type	Description
05:21:11	API Interceptor	2x Sleep call for process: ScreenConnect.ClientService.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PACKETUS	hmips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	arm7.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	x86.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	hmips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	o4QEzeCniw.exe	Get hash	malicious	Unknown	Browse	193.26.115.43
	q1M9Xfi0yC.exe	Get hash	malicious	ScreenConnect Tool	Browse	173.46.80.52
	iZRt9uAa2V.exe	Get hash	malicious	ScreenConnect Tool	Browse	173.46.80.52
	QyCFuoyz9G.exe	Get hash	malicious	ScreenConnect Tool	Browse	147.75.50.76
	q1M9Xfi0yC.exe	Get hash	malicious	ScreenConnect Tool	Browse	173.46.80.52
	iZRt9uAa2V.exe	Get hash	malicious	ScreenConnect Tool	Browse	173.46.80.52

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll	AdobeAcrobatReader.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	AdobeAcrobatReader.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll	AdobeAcrobatReader.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	AdobeAcrobatReader.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Support.Client (1).exe	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse
	Rechnung_Datum_November 24_6957.js	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\Config.Msi\5435dd.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219312
Entropy (8bit):	6.582916431208033
Encrypted:	false
SSDEEP:	3072:q+49LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGac3:N4uH2aCGw1ST1wQLdqvac3
MD5:	570828F3081913321F14DF11F8F4361F
SHA1:	72FA8EB4FEEBB34E21ED61F75DA2666346B45E9F
SHA-256:	2085A5DB18D6142221A60BADCC79BB5E1B8E0D5969A90A658064830DEA062838
SHA-512:	C39251BD88558470441D3F5A75CC67453D1F9346510B7E1A7333D5E296BEF0D7486F0A97E01626E3AFD404C3E2A06F1B1837E57F96F1A1348BCF4754880F96F5
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\5435dd.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@.*yY.@.....@.....@.....@.....@.....@......&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}'.ScreenConnect Client (909a0bac52a7095f)..MPJ_1281565D#U00ae.msi.@.....@.....@.....@......DefaultIcon..&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (909a0bac52a7095f)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{47A26A37-A09C-9C2B-F052-17D016FF460A}&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.@......&.{FFA60116-BCE6-09BA-2F93-D6DD451B89E4}&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.@......&.{4AE84DA6-0F60-EBBC-A87C-9F0E681E5F22}&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.@......&.{D3E00442-84FA-B382-45F2-F5FD094C6BCC}&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.@......&.{604A5AFD-E5C3-442C-132B-10096593AAF6}&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.@......&.{0265A5B7-3750-60DF-278A-26B0155A5FF8}&.{FC4B6052-A51F-D41F-8C25-3D41FD

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AdobeAcrobatReader.ClientSetup.exe, Detection: malicious, Browse Filename: AdobeAcrobatReader.ClientSetup.exe, Detection: malicious, Browse Filename: Support.Client (1).exe, Detection: malicious, Browse Filename: Support.Client (1).exe, Detection: malicious, Browse Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AdobeAcrobatReader.ClientSetup.exe, Detection: malicious, Browse Filename: AdobeAcrobatReader.ClientSetup.exe, Detection: malicious, Browse Filename: Support.Client (1).exe, Detection: malicious, Browse Filename: Support.Client (1).exe, Detection: malicious, Browse Filename: Rechnung_10401.js, Detection: malicious, Browse Filename: Rechnung_Datum_November 24_6957.js, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\app.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1408
Entropy (8bit):	4.6834451483854815
Encrypted:	false
SSDEEP:	24:389hKK5AfdHv05AfdHvv/dHva/dHvc/dHvLdHvidHvAOPdHvJOPdHvLOPdHvP:Oh95AfdH85AfdHH/dHS/dH0/dHjdH6dv
MD5:	6E52818C1E99B3A54A79E311C0E84D3F
SHA1:	C74942596522D2DA3D88966F1A357DD4BA014700
SHA-256:	0370AE43EBB8C44C6B5AE9CB0761E495829E301D3D380BFC3CF5AE1BD3298C53
SHA-512:	5C0E81133662DFF1EA743E706B819FE74D5E87C59DDC8A7D1A2AF28ACAA621DB4EC9DF4CB85665CE8F13DBC1C7B613365BA59BE98AE05C6029529BA858849FE5
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="ShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnHide" serializeAs="String">.. <value>false</val

C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (468), with CRLF line terminators
Category:	dropped
Size (bytes):	958
Entropy (8bit):	5.7830327552367224
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/5xxuv/unqopA36rW9hCDyLWPRvH:chh7HH5Kv/cqfjvov
MD5:	738622FEFB00B23C2343FD3F55677E34
SHA1:	311A6C27E59FEA3A7521F684B3BBF37BFA06A69D
SHA-256:	379F4C7AF43947BD659E7635AA9B366C22C748DB5EAD27AAB07C4EA8B166EAAF
SHA-512:	E14F201BF49B9FD29037AD14EB2559C0B98A68DE8A32D5C0D5B3CB1D1C2ADB94A35BBCE9DEFEF977383D051DB3CD49B64CB9BA0FAFEC8F25E571D0F0995072A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-c89u33-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQDpI9qfgaQF9EqFatMP06CsRNHBTKHOK5%2bUtX0qmq8CA4QJH2XTUdjK0ggTdGE4t0YfU4unuKYheAHWWjw%2bjMFfbdlJ1G50ApzOoLoB%2b7pQWX2ZnbVh%2bLfj4JIFwgKtc6Wpc%2fHElrzDuV3d5egfIjs2stKs6RmevReV2ZtwZXMrYZKFQK5QgwhmOTs1pFbFBaiusdjG8NTEcpq2zEicxl0jNKmCw71zqxPy1Lyu3YkOHeZqzMfRsWjzH%2fYVBCAx2I5sAn2Al2rwnZGCoxiYVwlWGITSxEHyjKXWvvVVaCBwjSzlM79WD5B4aCG5QDHn9IzvPCVw%2bHuInNUKsgj2iTG7</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1088392
Entropy (8bit):	7.789940577622617
Encrypted:	false
SSDEEP:	24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
MD5:	8A8767F589EA2F2C7496B63D8CCC2552
SHA1:	CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:	0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:	518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.977464602412109
Encrypted:	false
SSDEEP:	6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
MD5:	6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:	B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:	7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:	B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.273875899788767
Encrypted:	false
SSDEEP:	192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
MD5:	73A24164D8408254B77F3A2C57A22AB4
SHA1:	EA0215721F66A93D67019D11C4E588A547CC2AD6
SHA-256:	D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
SHA-512:	650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....^.(.......&...%...}....:.(......}....:.(......}....:.(......}........0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSI31E4.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Windows\Installer\5435dc.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	9920512
Entropy (8bit):	7.960609527199316
Encrypted:	false
SSDEEP:	98304:IwJ4t1h0cG5FGJRPxow8OBwJ4t1h0cG5HwJ4t1h0cG5VwJ4t1h0cG52wJ4t1h0cW:RWh0cGwoWh0cGeWh0cG0Wh0cG9Wh0cG
MD5:	C3541CF72E6FD5B278F8CC899DAE304A
SHA1:	FE9864FA355777EFBE3F94A83ABF51FA9272B6C6
SHA-256:	49E22D098F3713FE44F1D75757904E13E758424288B81F7BB517D356F48CF88F
SHA-512:	3D617A7AD2C0B45EDB76BD014CEC628B743146C8686754D90779D1675BBA4C5800FED37890F584E41CD76FB2C8E7176BBB88E52B9869C65963585944915D8B62
Malicious:	false
Preview:	......................>.......................................................\|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\5435de.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	9920512
Entropy (8bit):	7.960609527199316
Encrypted:	false
SSDEEP:	98304:IwJ4t1h0cG5FGJRPxow8OBwJ4t1h0cG5HwJ4t1h0cG5VwJ4t1h0cG52wJ4t1h0cW:RWh0cGwoWh0cGeWh0cG0Wh0cG9Wh0cG
MD5:	C3541CF72E6FD5B278F8CC899DAE304A
SHA1:	FE9864FA355777EFBE3F94A83ABF51FA9272B6C6
SHA-256:	49E22D098F3713FE44F1D75757904E13E758424288B81F7BB517D356F48CF88F
SHA-512:	3D617A7AD2C0B45EDB76BD014CEC628B743146C8686754D90779D1675BBA4C5800FED37890F584E41CD76FB2C8E7176BBB88E52B9869C65963585944915D8B62
Malicious:	false
Preview:	......................>.......................................................\|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3A9F.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423435
Entropy (8bit):	6.577388403500759
Encrypted:	false
SSDEEP:	6144:CuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvn:CuH2anwohwQUv5uH2anwohwQUvn
MD5:	B2AE2303F2F435201011FDE22F39FF7A
SHA1:	03BA02E1D892312A337358EC063A3E331C71FB05
SHA-256:	8BFB31734848369D718C71564793CA80DF787A77E30C96506C44BDE72B3EE481
SHA-512:	DD5AAEE43DBF70FF68EB97FB07635E514B17F37A650E5AE1BB8FE6289F7F63FA6CBA49C216C77D038F0A45AB7C5B4B39897F2A793A56B48FC3DD4F3EE8718C47
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI3A9F.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@.*yY.@.....@.....@.....@.....@.....@......&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}'.ScreenConnect Client (909a0bac52a7095f)..MPJ_1281565D#U00ae.msi.@.....@.....@.....@......DefaultIcon..&.{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (909a0bac52a7095f)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{47A26A37-A09C-9C2B-F052-17D016FF460A}^.C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{FFA60116-BCE6-09BA-2F93-D6DD451B89E4}f.C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{4AE84DA6-0F60-EBBC-A87C-9F0E681E5F22}c.C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsFileManager.e

C:\Windows\Installer\MSI3B8A.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3D60.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1692140901205845
Encrypted:	false
SSDEEP:	12:JSbX72FjBAGiLIlHVRpRh/7777777777777777777777777vDHFT+XHPD+l0i8Q:JPQI5FMF
MD5:	A89BD40B7130D9E54C67387A46B20CE1
SHA1:	1A2D428267ED0243759F2BE8FF4455380EB99BCE
SHA-256:	448139380C74B8F3BE808C883C1A52876B662A680B5055A17D0A772290BD08F8
SHA-512:	8B10B7B27C41D7DD135F09C2421EFFFBCA54CC9CD5B7084539E9500DBC38633D93F2C1844F0D4E039EDE5F9F669C6F6B7D9C838636E37191EDD251FD77DC5B10
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7871912368912732
Encrypted:	false
SSDEEP:	48:/948PhsuRc06WXJmFT5AyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AS:FHhs19FTqyO3pysfBd69jy2CttbsiHP
MD5:	17D7FEAA2FE1D42CA444A430D21006D1
SHA1:	8B0F1FB46A44BEDC146FB6741214A7308E9F6E99
SHA-256:	D0E829F441BDDE5709031D4A0FA7A875E833D04DD2AD25C73DBD1C5700768C41
SHA-512:	3092BFF0AE6A56CC195D67BE7521EB0AA025CBCB29C74EFC136FE171C9A1DB95E483323F468D0F600B6D6DDACA12F3E6ED688DBD7CA309132C4A0F5E3ED47B0C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365500031595004
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpEm
MD5:	5A1FEAF6E7561BB12EFFBC2ADE66564A
SHA1:	CA19C3A9CFC1FB066A2690F3F01270D9464EF51B
SHA-256:	1F8A0F5595C99C54D2CAF0AD798795FEA4CB65AC63661EF17CF1EEC73C626786
SHA-512:	1CF812FBF8C413F8570CCD9AD79553DF9A476FC430235BF30F4363C4AC83947457BA9FA4637D4717C1A7588AC4EEF3E816554245DAF5EE243ECCB525E7050A76
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\33z52vm4.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.030189805200607
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4hv/vXbAa3xT:2dL9hK6E46YPRxDC3vH
MD5:	24BCF43FA74478844C2C5F4CA25E4E25
SHA1:	0C578A874A4AE5A13D99E1E19B275113369639A1
SHA-256:	F5AA8B82BC45EEB542A9D87C1684E5F8D99318627BED306BF71443A0E615271A
SHA-512:	148250AFAC00B1CA390FFA08923643AE6E903989EC380B8DD651EF42A4EE4287B3044D92FD9303558587ABDE7317C74D28C395B2C30EAA6DD77B142E148BAAB7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a05</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\alszbl3u.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.028922438011653
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q42/vXbAa3xT:2dL9hK6E46YPRxD1vH
MD5:	E51D75D0910939AD83825F45ED8063CA
SHA1:	E7784C1ACB299FCACE15695AC535F10663DCC0A5
SHA-256:	0ACD386D73873436BFC982C8588573EB0A5FF355AAE20EE8AD35D54F094386E9
SHA-512:	A88BAFCC2113B9DB5EBAB498A81858B73F4FB83143C263CB69BE8DDC97679E7CB1E431D099DFFE0353343FE897724F2C899527B18DD0D82820AF9F014352A1FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a11</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\flmhfwwk.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	583
Entropy (8bit):	5.030189805200607
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4Vw/vXbAa3xT:2dL9hK6E46YPRxDZvH
MD5:	257091FAAC26E30BC462E5B1AE49BD1C
SHA1:	B9E471A5FD7545D7AEDCD377B667A12F1A98DEA0
SHA-256:	9BF22B789CAA2F6133CB325FBC08C7A9DFED2D60C32D4E04C14CB4F5E9916A0D
SHA-512:	24A42909247A376D72FA1CB3B941D0570840855B88E58DC388796E0C575D67427D7759619D4A22C83793ABE149A37DD36BC5484860B3C0A887C334109A87DCDB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a24%3a01</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\fp5c33kt.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.030001666970642
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4pk/vXbAa3xT:2dL9hK6E46YPRxDdvH
MD5:	333779FD319907D6C83B1B09BFF89008
SHA1:	B703EA63CB330E31038FA3F5F638C2123095A91E
SHA-256:	274E965B86ACD595FA9C228089BAC6F24C4A8F5917CF1974FE319CCFBADA4BF6
SHA-512:	D70EF31DF6A66FB89C896386A713EDD4060C9334C1C9A912552F507C059F10EC98335D071EC3C631F1E01CCE95F44C1DE4DC4361857C44A6945E9886727DB2E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a22%3a18</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\kajzydm0.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.030914306723026
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4tk/vXbAa3xT:2dL9hK6E46YPRxDkqvH
MD5:	E665E1E0B063E72CFF87E74E6AD21994
SHA1:	9915F82B782A56C1F972FFFE0BF589D29EF6C72D
SHA-256:	AE8913289DB6E86A6A4E2EB74B9DB2C9FB8C127E943C6F9B7E3DDF6F0C93DE18
SHA-512:	CFD8CC24CFA890AF97966E1FA36661AD5EDE4C5878A028F6E3559FA61BC62E18B584512CB1090CD04B4A03B26EEED7DB7F3E5D67D40103F1D6B0FCF2A8F09563
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a22%3a58</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\nmnun0hu.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.031767308697251
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4sev/vXbAa3xT:2dL9hK6E46YPRxDO3vH
MD5:	8E70EE531BE7E26342A6801CBDD368BE
SHA1:	76DF23E3B07A472552BF5B1487B87676C4F41F90
SHA-256:	10464432E6DD4D7DF10C5B2D29F3EF9AB0488489A7E18CCA93E681DC9BFA6F1D
SHA-512:	8CE898265272C37F10C6394B43923DBB06C9D87585F6D5518C0E335022BBFE1358F80A7EB84AD2ACA9216796E1E829DC68073965D5E11EFAB656047FD1007EAD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a45</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\qo0hcons.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.029691530662951
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4Zm/vXbAa3xT:2dL9hK6E46YPRxDLvH
MD5:	8257E4AB22B5F38F46479BF6B5DDEAB4
SHA1:	C3C2B9C6BAB865CA73FEE5142579CA69A460DA87
SHA-256:	C6ECD3C2EB6ADCA36FE34A7A3B9E058BB05DEC7DE9405DF4DA3EB2AAFADB6AD9
SHA-512:	5B79B325CC6A1119B17405B0768220DD6BBEC748831A8930CBD3322DCD23DAF03DD71BD7CBA2BFCA567B25A724EFC5A62072AB25A08695F66E50EEC6AC2848CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a08</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\r2kg0cka.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.032392571092792
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4h/vXbAa3xT:2dL9hK6E46YPRxDwvH
MD5:	57F4A5B0FA0C7D13D193E18F755211EB
SHA1:	EE589323B17A1432303048F00A774B60B30A481A
SHA-256:	943922C6F8CB7BFDFFA22C574723AE5E3EE3F10822740C64872F86A92E7134DE
SHA-512:	D1213DD92F8CEA80DDE16DCDEE965AA9A68A5D53852D14F82635120E8728ABFA7E812482654E536F136026D35001B226CDCDEE6E50A6B5542E406CA56656473B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a49</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\srp51sxk.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.031269034159596
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4ev/vXbAa3xT:2dL9hK6E46YPRxD93vH
MD5:	6148D19F9B13B710FAB58B6F9D96DF07
SHA1:	5BA8461769E20CE06490FB80F0FB5C292AC54B88
SHA-256:	6FC8DD14675577D1A10EBBD89D6A89D0DF97173010A75BDF3FB77EBD9F05ADF2
SHA-512:	DD24C602BD6B64F83A018F326F77F09743F879C438A24E486E4A33FA9E17B1F8DE402D0C9CA79A4D9FA984EDEA530A096BCE845A844068D2BCE814ECB0F4C0D2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a55</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.030189805200607
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4hv/vXbAa3xT:2dL9hK6E46YPRxDC3vH
MD5:	24BCF43FA74478844C2C5F4CA25E4E25
SHA1:	0C578A874A4AE5A13D99E1E19B275113369639A1
SHA-256:	F5AA8B82BC45EEB542A9D87C1684E5F8D99318627BED306BF71443A0E615271A
SHA-512:	148250AFAC00B1CA390FFA08923643AE6E903989EC380B8DD651EF42A4EE4287B3044D92FD9303558587ABDE7317C74D28C395B2C30EAA6DD77B142E148BAAB7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a21%3a05</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\vxgokhmo.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.030499941508298
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4MQv/vXbAa3xT:2dL9hK6E46YPRxD1Q3vH
MD5:	3F872277E8362CA48C33172E6C4E55CE
SHA1:	5D4EE4E1E2DC47C7E1F8578EDFE2B2E6BBA4BB11
SHA-256:	CB7772B7DC5385A3DDDD937B1333BE966EC823A658B4C374192965E0B543470A
SHA-512:	CA4670D80636AB0936E78CDBF48AA2F879C69F15A06CD60D077BCF5B1D5E394EA8CED240337B4FBA33F62C5010AC3421B8C2D9845666F1B72656E411BA4ED964
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a22%3a35</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (909a0bac52a7095f)\yv4abzkt.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.031301206361418
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlxci8Q4b/vXbAa3xT:2dL9hK6E46YPRxDivH
MD5:	05DB0F4E67A7A8ECF6CB56B034CD4320
SHA1:	FBD24B8BD121082D7382D98EB7E887D213F1FEC5
SHA-256:	D339E858D1CA719C64A4D4ADF91394C00C52AC85EA4D06208F07A82C77EEC0E6
SHA-512:	C3909DB78330428C1603B4CEA5905EB7AD3DC37B75A56C9FC536DD7639C12255DD55C6803A96359D5158C37DEF7BBB62A96BA001A6D4E73BF23BA7916855835E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-c89u33-relay.screenconnect.com=147.75.63.88-25%2f11%2f2024%2010%3a22%3a06</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\Temp\~DF1287FB349E316B08.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9003C778866CA410.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07578188694559738
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOTNdwquXV1vPqEAVky6l+:2F0i8n0itFzDHFT+XHPD+
MD5:	1DB89D881BDF859E80F447640F312F92
SHA1:	0C8C545F54AFC119ABBC535960A94F1DDF8BE8A1
SHA-256:	55EF7209DE5653AEA8787FFB921DE3148A3E785BDECE61F8587FD4A9B82166DF
SHA-512:	95E36CDEC4CD903D1549DFC05F616EED84BDE364D2D9EEC1E1A8EA3876EE66FB287E1B261BD2FDD7C1215D167EB2515D1383B5C246B02BAA184C25CAA123259E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9C897626114DCDCC.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9F07C4AE9479BC02.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4106725402095102
Encrypted:	false
SSDEEP:	48:vPEuqPveFXJnT50UyyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AduN9:nESPTOVyO3pysfBd69jy2CttbsiHP
MD5:	8AE1BC40DFF987A51F14849582898294
SHA1:	1E7B6053E99A977737AA3B77BA0181D4F87BBF1C
SHA-256:	24AE49352DD6FFA5F8391529E705A2F566F32E2BC0FA51737DEF11F7102DE4F7
SHA-512:	616C59BC16E22163D0A606910D8158EA73485DEDA65DBB9B5CD43BFF0EC9DE00218DD607CBA366B732B3D5EB89B5F3ED6E180AB1B2D1C8DA03CAD107D43746A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA088DC1B033C0F10.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA7D4F494FD1B300A.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.2289388916311724
Encrypted:	false
SSDEEP:	48:P5aHEDBAduNsS3qcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnrBly:P0H4sxpysfBd69jy2Cttyly
MD5:	2B662EC54667F3A9429CCB6580163E3E
SHA1:	E2BB7026C636F5B10317A1F472C4CD471085917A
SHA-256:	531D28237CB6069DA8F1898C05644A84D83CFD3CFE66C82EADBE835ECEC86F15
SHA-512:	35D921BCB77FBFF492F8BA4DC51779742CE3920852E70A2CBBC1CFFD3F239E8D5D756FE8FFBA06389FA065F677A1DAEBB71D6D80BCD13DB9EB6628451877C5DB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAD7539D935F1AA5B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4106725402095102
Encrypted:	false
SSDEEP:	48:vPEuqPveFXJnT50UyyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AduN9:nESPTOVyO3pysfBd69jy2CttbsiHP
MD5:	8AE1BC40DFF987A51F14849582898294
SHA1:	1E7B6053E99A977737AA3B77BA0181D4F87BBF1C
SHA-256:	24AE49352DD6FFA5F8391529E705A2F566F32E2BC0FA51737DEF11F7102DE4F7
SHA-512:	616C59BC16E22163D0A606910D8158EA73485DEDA65DBB9B5CD43BFF0EC9DE00218DD607CBA366B732B3D5EB89B5F3ED6E180AB1B2D1C8DA03CAD107D43746A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC583695CB9981331.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDC22F29E2BF7A44A.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE0944E9792142A27.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7871912368912732
Encrypted:	false
SSDEEP:	48:/948PhsuRc06WXJmFT5AyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AS:FHhs19FTqyO3pysfBd69jy2CttbsiHP
MD5:	17D7FEAA2FE1D42CA444A430D21006D1
SHA1:	8B0F1FB46A44BEDC146FB6741214A7308E9F6E99
SHA-256:	D0E829F441BDDE5709031D4A0FA7A875E833D04DD2AD25C73DBD1C5700768C41
SHA-512:	3092BFF0AE6A56CC195D67BE7521EB0AA025CBCB29C74EFC136FE171C9A1DB95E483323F468D0F600B6D6DDACA12F3E6ED688DBD7CA309132C4A0F5E3ED47B0C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE791BE45F270EA48.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7871912368912732
Encrypted:	false
SSDEEP:	48:/948PhsuRc06WXJmFT5AyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AS:FHhs19FTqyO3pysfBd69jy2CttbsiHP
MD5:	17D7FEAA2FE1D42CA444A430D21006D1
SHA1:	8B0F1FB46A44BEDC146FB6741214A7308E9F6E99
SHA-256:	D0E829F441BDDE5709031D4A0FA7A875E833D04DD2AD25C73DBD1C5700768C41
SHA-512:	3092BFF0AE6A56CC195D67BE7521EB0AA025CBCB29C74EFC136FE171C9A1DB95E483323F468D0F600B6D6DDACA12F3E6ED688DBD7CA309132C4A0F5E3ED47B0C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF02838E50EB1AD23.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4106725402095102
Encrypted:	false
SSDEEP:	48:vPEuqPveFXJnT50UyyOCqcq56AduNsSimh4PdBWdRvAr8LQOv/C2CttOnr2AduN9:nESPTOVyO3pysfBd69jy2CttbsiHP
MD5:	8AE1BC40DFF987A51F14849582898294
SHA1:	1E7B6053E99A977737AA3B77BA0181D4F87BBF1C
SHA-256:	24AE49352DD6FFA5F8391529E705A2F566F32E2BC0FA51737DEF11F7102DE4F7
SHA-512:	616C59BC16E22163D0A606910D8158EA73485DEDA65DBB9B5CD43BFF0EC9DE00218DD607CBA366B732B3D5EB89B5F3ED6E180AB1B2D1C8DA03CAD107D43746A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {FC4B6052-A51F-D41F-8C25-3D41FD6C6B5C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Entropy (8bit):	7.960609527199316
TrID:	Microsoft Windows Installer (60509/1) 57.88% ClickyMouse macro set (36024/1) 34.46% Generic OLE2 / Multistream Compound File (8008/1) 7.66%
File name:	MPJ_1281565D#U00ae.msi
File size:	9'920'512 bytes
MD5:	c3541cf72e6fd5b278f8cc899dae304a
SHA1:	fe9864fa355777efbe3f94a83abf51fa9272b6c6
SHA256:	49e22d098f3713fe44f1d75757904e13e758424288b81f7bb517d356f48cf88f
SHA512:	3d617a7ad2c0b45edb76bd014cec628b743146c8686754d90779d1675bba4c5800fed37890f584e41cd76fb2c8e7176bbb88e52b9869c65963585944915d8b62
SSDEEP:	98304:IwJ4t1h0cG5FGJRPxow8OBwJ4t1h0cG5HwJ4t1h0cG5VwJ4t1h0cG52wJ4t1h0cW:RWh0cGwoWh0cGeWh0cG0Wh0cG9Wh0cG
TLSH:	AFA6232523FD801AE8F75A7DED3682F45971BE64CE22C11E9328B90D2A74D4096737B3
File Content Preview:	........................>.......................................................\|...s..........................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 11:21:06.407020092 CET	49704	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:06.407068014 CET	443	49704	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:06.407149076 CET	49704	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:07.711982965 CET	49704	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:07.712054968 CET	443	49704	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:07.712146044 CET	443	49704	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:09.819720030 CET	49705	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:09.819758892 CET	443	49705	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:09.821471930 CET	49705	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:09.823245049 CET	49705	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:09.823262930 CET	443	49705	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:09.823318958 CET	443	49705	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:12.738759995 CET	49706	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:12.738795996 CET	443	49706	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:12.738922119 CET	49706	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:12.741285086 CET	49706	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:12.741302967 CET	443	49706	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:12.741354942 CET	443	49706	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:16.423388004 CET	49707	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:16.423449993 CET	443	49707	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:16.423532009 CET	49707	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:16.426829100 CET	49707	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:16.426856995 CET	443	49707	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:16.426904917 CET	443	49707	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:20.897454023 CET	49712	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:20.897526026 CET	443	49712	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:20.897615910 CET	49712	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:20.903199911 CET	49712	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:20.903232098 CET	443	49712	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:20.903294086 CET	443	49712	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:26.960737944 CET	49726	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:26.960803032 CET	443	49726	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:26.960874081 CET	49726	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:26.963155985 CET	49726	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:26.963182926 CET	443	49726	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:26.963251114 CET	443	49726	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:37.419131994 CET	49752	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:37.419251919 CET	443	49752	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:37.419352055 CET	49752	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:37.421957970 CET	49752	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:37.421994925 CET	443	49752	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:37.422048092 CET	443	49752	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:49.350208044 CET	49778	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:49.350246906 CET	443	49778	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:49.350330114 CET	49778	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:49.353136063 CET	49778	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:21:49.353148937 CET	443	49778	147.75.63.88	192.168.2.5
Nov 25, 2024 11:21:49.353195906 CET	443	49778	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:06.222387075 CET	49820	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:06.222431898 CET	443	49820	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:06.222498894 CET	49820	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:06.224884033 CET	49820	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:06.224901915 CET	443	49820	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:06.225033998 CET	443	49820	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:29.904342890 CET	49872	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:29.904381990 CET	443	49872	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:29.904475927 CET	49872	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:29.907002926 CET	49872	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:22:29.907030106 CET	443	49872	147.75.63.88	192.168.2.5
Nov 25, 2024 11:22:29.907079935 CET	443	49872	147.75.63.88	192.168.2.5
Nov 25, 2024 11:23:02.791063070 CET	49947	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:23:02.791089058 CET	443	49947	147.75.63.88	192.168.2.5
Nov 25, 2024 11:23:02.791156054 CET	49947	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:23:02.795286894 CET	49947	443	192.168.2.5	147.75.63.88
Nov 25, 2024 11:23:02.795300961 CET	443	49947	147.75.63.88	192.168.2.5
Nov 25, 2024 11:23:02.795356035 CET	443	49947	147.75.63.88	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 11:21:05.917572021 CET	49305	53	192.168.2.5	1.1.1.1
Nov 25, 2024 11:21:06.372212887 CET	53	49305	1.1.1.1	192.168.2.5
Nov 25, 2024 11:21:36.928484917 CET	64180	53	192.168.2.5	1.1.1.1
Nov 25, 2024 11:21:37.401145935 CET	53	64180	1.1.1.1	192.168.2.5
Nov 25, 2024 11:22:29.352715969 CET	51587	53	192.168.2.5	1.1.1.1
Nov 25, 2024 11:22:29.887006998 CET	53	51587	1.1.1.1	192.168.2.5
Nov 25, 2024 11:23:02.289222002 CET	63965	53	192.168.2.5	1.1.1.1
Nov 25, 2024 11:23:02.759721994 CET	53	63965	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 11:21:05.917572021 CET	192.168.2.5	1.1.1.1	0xa0c0	Standard query (0)	instance-c89u33-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:21:36.928484917 CET	192.168.2.5	1.1.1.1	0x701d	Standard query (0)	instance-c89u33-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:22:29.352715969 CET	192.168.2.5	1.1.1.1	0x9593	Standard query (0)	instance-c89u33-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:23:02.289222002 CET	192.168.2.5	1.1.1.1	0x8def	Standard query (0)	instance-c89u33-relay.screenconnect.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 11:21:06.372212887 CET	1.1.1.1	192.168.2.5	0xa0c0	No error (0)	instance-c89u33-relay.screenconnect.com	server-nix3a3cd951-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 11:21:06.372212887 CET	1.1.1.1	192.168.2.5	0xa0c0	No error (0)	server-nix3a3cd951-relay.screenconnect.com		147.75.63.88	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:21:37.401145935 CET	1.1.1.1	192.168.2.5	0x701d	No error (0)	instance-c89u33-relay.screenconnect.com	server-nix3a3cd951-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 11:21:37.401145935 CET	1.1.1.1	192.168.2.5	0x701d	No error (0)	server-nix3a3cd951-relay.screenconnect.com		147.75.63.88	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:22:29.887006998 CET	1.1.1.1	192.168.2.5	0x9593	No error (0)	instance-c89u33-relay.screenconnect.com	server-nix3a3cd951-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 11:22:29.887006998 CET	1.1.1.1	192.168.2.5	0x9593	No error (0)	server-nix3a3cd951-relay.screenconnect.com		147.75.63.88	A (IP address)	IN (0x0001)	false
Nov 25, 2024 11:23:02.759721994 CET	1.1.1.1	192.168.2.5	0x8def	No error (0)	instance-c89u33-relay.screenconnect.com	server-nix3a3cd951-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 11:23:02.759721994 CET	1.1.1.1	192.168.2.5	0x8def	No error (0)	server-nix3a3cd951-relay.screenconnect.com		147.75.63.88	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:21:00
Start date:	25/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\MPJ_1281565D#U00ae.msi"
Imagebase:	0x7ff6e1ab0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	05:21:00
Start date:	25/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6e1ab0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	05:21:01
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 390FD6DCD7E50BFBF112F96E3A0DE021 C
Imagebase:	0x930000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	05:21:01
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI31E4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5518000 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0xa50000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	05:21:03
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 1B5721C1CE0E7EF98DD0EC09055781AD
Imagebase:	0x930000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	05:21:04
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A228E7CE75C97BE8E56E19BF17938851 E Global\MSI0000
Imagebase:	0x930000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	05:21:04
Start date:	25/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-c89u33-relay.screenconnect.com&p=443&s=8f47f859-e57f-4bd8-9f9a-e730d3b0dc96&k=BgIAAACkAABSU0ExAAgAAAEAAQDpI9qfgaQF9EqFatMP06CsRNHBTKHOK5%2bUtX0qmq8CA4QJH2XTUdjK0ggTdGE4t0YfU4unuKYheAHWWjw%2bjMFfbdlJ1G50ApzOoLoB%2b7pQWX2ZnbVh%2bLfj4JIFwgKtc6Wpc%2fHElrzDuV3d5egfIjs2stKs6RmevReV2ZtwZXMrYZKFQK5QgwhmOTs1pFbFBaiusdjG8NTEcpq2zEicxl0jNKmCw71zqxPy1Lyu3YkOHeZqzMfRsWjzH%2fYVBCAx2I5sAn2Al2rwnZGCoxiYVwlWGITSxEHyjKXWvvVVaCBwjSzlM79WD5B4aCG5QDHn9IzvPCVw%2bHuInNUKsgj2iTG7&t=pdfconvitHir"
Imagebase:	0xeb0000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	05:21:05
Start date:	25/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe" "RunRole" "d04726a4-55e2-40d7-93a5-312106824cb3" "User"
Imagebase:	0x7a0000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.2072833360.00000000007A2000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.3297693904.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (909a0bac52a7095f)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false