ab17098a430aacf82f5c33d5cb6156f23525623815eb63fbc0e969cb38b59fea

Analysis

max time kernel
1789s
max time network
1795s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/04/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assist.msi
Size

2.8MB
MD5

0c61143cdd787c28fa456b33834d1513
SHA1

56a157b6081b5f21b9b7f637c2de98558062485c
SHA256

ab17098a430aacf82f5c33d5cb6156f23525623815eb63fbc0e969cb38b59fea
SHA512

02f2fce34bdd9db6c51b2b4466c95270c6d94d80e76153fcd7bb6233653e86f9f9b16abb29c86b7b5ce69daeaf99e75abf04025bd7bc4ed95caa5e1f0d978b74
SSDEEP

49152:FGN8erCckNGjQq7DODBzl01h6K4dYdJSN52GcPmfLKyrOxRnEOJk1g:0qe9kNDqnS2wdYdsSG1f2yrOnTJk

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (12e6ae703360b1e5)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (12e6ae703360b1e5)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=aloha-assist.com&p=443&s=d2f72a54-0de1-4816-abe2-89fb9168b222&k=BgIAAACkAABSU0ExAAgAAAEAAQBRXVM%2f0zYukVOauF8gEYOCB0rCvmoWG%2bh46z7gQzdgnkGPtzjrebucQeKkm8qsbi5X0y0VsCHHG1XEDoURZH95JQnNkl%2f3tx3ViglzRdDhOa%2b5Nfob4XRPDBxwODOgX4IJZZJO3AnA9MX3RLhFapfmPCQjDYCbUowQ9cTiAObWHp4Se5EEf%2fbuvrXFiEwGau1ceiB0nuVtY9s%2fbxbyQSqiQywHYIBKc0MEgkS7EZelWCymok5wktn1Sf2vX9lSb7Lyyz7OV%2bQnrz%2fkwJjI84r5xQ0j1TRd8AYaN%2bL6KVUI0SZiP4mh5T2%2b08pFoKrPy02ScVcoQtd9Ht9fOnigbfav&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAQkSHUhsU2USd21LAncseqQAAAAACAAAAAAAQZgAAAAEAACAAAAAABpZO8LJF1L5cpcx4mlimPXOighMW8oJSFUrIE9qesAAAAAAOgAAAAAIAACAAAAAwySagkkBqYaCe3flB2H3IhGhq8ksd4mJTJKYj3PRBnKAEAAB3HSdL7m1NkIOtLZuXg%2bJhazw1kR5RY4dTvJBFsS5oOeAaO6YShaPiSjSmOOEEMc%2f%2fk0nwyb1a4c82ZV9yQuU5xkz0EALWPTsGrjdHWfuAkHWEPYTSSTf1Irzb1v8%2frW4fu6%2be9KgSQq8rckj8pDXpcrRSvpdZujKL20AAj3vefaVzrIrelyX7cIu5QA0LT03qscYrnl%2bKI7Bi1a%2b%2bkXP52Ers8AKPEDs6T8ZsjlKndQrN00MKOuTOYeNHZz1pRhbo3b3oQ1Dh3lC7dShR0v5%2boKZakOj1CNbCsbTno5ar5xAWlT9ANtVDPuiFuXAczsQIBLZjn1g%2ffPOI2n7nP%2fWPQnE8fm0jhUqc7kpQfToH3qrxG7ie3Y7KFZyZXx99IakgNqqizCdtKZSoXQkLoxrOgRtpLMn9Byv01mErn9mm9CkbGtyKpedDrF5PvK%2f2xaFADKEWpS5lUIeaeY%2fZMKOLijzRMlpSTCC8IrjGAF9qXPrep%2f9X2JhvNSojNQzrQR21xwCyGkis65396k01BnDie0ypLAGhDFSdu%2bnFWBcWDV5fyNCexScYpsmjD3G4zPITnllFp9IIdTa3PSo7Fy7TSO3J7JqVvg3OfgSzMKTyXgZsguTMikE9tnJ6EnfGkKtiSF%2fJ5iU9aDEjHXlpgWELTsDmhqbXANwFJX%2fqCUa5lXelt8jnziq3GGoiGGtyahdy3fus35rTyDGXDgPbwEUskEuS170xUaWaeP0tHJ%2fN8f6QGjKdokqXZGQqVku9EmcwmFD4EvkMi1B8FmwX4GRZK9OxE0pZd8WVBHzKwr0tZEK1aWKFcaIYuk2dEUfMssl2gaA2KaUo%2fzrVPXAPf0GvybiTSfekT%2fiMtpwNzh6%2bavS3ajrpPqZgcOkNHm89JsEgoUQQBMuMYLStz6dMSkGyL1K6WWpSOgj1wIGQKRgptsEvOvM8tsZf3PjDhOkjqUeYOt8B9PSykxBaXY9VzhG3IurYlTMZpEQDf5%2favuCpxYy1ywMW5OovxKxnS8Oouc8V9jlgBUf7oCrEyXafOKEH0QtL7FXBzUbSTsdKNs3qI%2fl2Dy4TCabFQV00TX8QLv2uHdjDcWdNIqgkgrHnj6oWP9HMRSZrDIBmQFMX8KsDicj9pWeWimo6MKgE8KkAogrW5JeE%2fKxfdXZjLUdlD5QrCr94fegAO5aEoamOCA4uwVyNro%2fs5ynewoYgztojFl4Ral8a8xTfvuEqVkYXGsJRaB4yt0w83psfOum7K68%2bZyKrkNAwyL2ab2%2fsQGOnY7MemDK%2bMlMHLU%2fobh8CcAzKG3DYRhv95FLrootjD%2fMN1iDAThL0zJPGP5qNcm7V7zGh%2fgKpy%2fwY77nZ9gALZM0UbvXxOeciQ71XaMiDAvI%2fU7OUuR224%2fl%2fPheFiTlU8npTWUABMT8aGjLHhVv%2fm0ctTormqdIxjznHFsw2e2JxxHsajXnKcDaTKirjjCRYl6s7EBLLK6tdN833oUlDx%2fHGz71VJBammV5DG8adnuW4IdFSeuBjPkEe9x2HAEqkgwlALG%2bqJAIQ3avNABoz%2bZfM8MS7xwza70JUZuD4xl63W0AAAAC7fZhzYrbmW6AY2dvns%2fgkq1sM9d1rsF2Aw3ipbKQ%2b%2fjTrpLYAJpvCIUBiQE2P%2bphu0kOWIsrnjcR9LFSYrOkG&c=admin1&c=&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\kvgnx0lu.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\i4dd1xzl.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\lmggsa0x.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\43mc2v4i.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\xg4ffjq3.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\xg4ffjq3.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\xg4ffjq3.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\kvgnx0lu.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\vaburzsl.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\lmggsa0x.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\43mc2v4i.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\43mc2v4i.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\cg2ehvnj.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\i4dd1xzl.tmp	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\user.config	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\lmggsa0x.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\cg2ehvnj.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\kvgnx0lu.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\vaburzsl.tmp	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\vaburzsl.newcfg	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\cg2ehvnj.tmp	ScreenConnect.ClientService.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIED6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED7E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ebe8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4F2D03AB-B994-41D9-9D8C-89AC929B86F4}	msiexec.exe
File created	C:\Windows\Installer\wix{4F2D03AB-B994-41D9-9D8C-89AC929B86F4}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\{4F2D03AB-B994-41D9-9D8C-89AC929B86F4}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ebe6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE89.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ebe6.msi	msiexec.exe
File created	C:\Windows\Installer\{4F2D03AB-B994-41D9-9D8C-89AC929B86F4}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4136	ScreenConnect.ClientService.exe
4800	ScreenConnect.WindowsClient.exe

Loads dropped DLL 20 IoCs

pid	Process
4620	MsiExec.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
512	MsiExec.exe
2080	MsiExec.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (12e6ae703360b1e5)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\PackageCode = "97EA4DE1F63E4ED41BDA0FCA9881B6C0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (12e6ae703360b1e5)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (12e6ae703360b1e5)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\ProductIcon = "C:\\Windows\\Installer\\{4F2D03AB-B994-41D9-9D8C-89AC929B86F4}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\ProductName = "ScreenConnect Client (12e6ae703360b1e5)"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-12e6ae703360b1e5\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-12e6ae703360b1e5\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\ = "ScreenConnect Client (12e6ae703360b1e5) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-0A5F-0EA704A4C255}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\69A686A05E0BAD58216EEA0733061B5E	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-12e6ae703360b1e5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\PackageName = "assist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA30D2F4499B9D14D9C898CA29B9684F\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\69A686A05E0BAD58216EEA0733061B5E\BA30D2F4499B9D14D9C898CA29B9684F	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BA30D2F4499B9D14D9C898CA29B9684F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\Version = "386007049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA30D2F4499B9D14D9C898CA29B9684F	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4800	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1056	msiexec.exe
1056	msiexec.exe
4136	ScreenConnect.ClientService.exe
4136	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	1056	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeMachineAccountPrivilege	4672	msiexec.exe
Token: SeTcbPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe
Token: SeLoadDriverPrivilege	4672	msiexec.exe
Token: SeSystemProfilePrivilege	4672	msiexec.exe
Token: SeSystemtimePrivilege	4672	msiexec.exe
Token: SeProfSingleProcessPrivilege	4672	msiexec.exe
Token: SeIncBasePriorityPrivilege	4672	msiexec.exe
Token: SeCreatePagefilePrivilege	4672	msiexec.exe
Token: SeCreatePermanentPrivilege	4672	msiexec.exe
Token: SeBackupPrivilege	4672	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeDebugPrivilege	4672	msiexec.exe
Token: SeAuditPrivilege	4672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4672	msiexec.exe
Token: SeChangeNotifyPrivilege	4672	msiexec.exe
Token: SeRemoteShutdownPrivilege	4672	msiexec.exe
Token: SeUndockPrivilege	4672	msiexec.exe
Token: SeSyncAgentPrivilege	4672	msiexec.exe
Token: SeEnableDelegationPrivilege	4672	msiexec.exe
Token: SeManageVolumePrivilege	4672	msiexec.exe
Token: SeImpersonatePrivilege	4672	msiexec.exe
Token: SeCreateGlobalPrivilege	4672	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeMachineAccountPrivilege	4672	msiexec.exe
Token: SeTcbPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe
Token: SeLoadDriverPrivilege	4672	msiexec.exe
Token: SeSystemProfilePrivilege	4672	msiexec.exe
Token: SeSystemtimePrivilege	4672	msiexec.exe
Token: SeProfSingleProcessPrivilege	4672	msiexec.exe
Token: SeIncBasePriorityPrivilege	4672	msiexec.exe
Token: SeCreatePagefilePrivilege	4672	msiexec.exe
Token: SeCreatePermanentPrivilege	4672	msiexec.exe
Token: SeBackupPrivilege	4672	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeDebugPrivilege	4672	msiexec.exe
Token: SeAuditPrivilege	4672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4672	msiexec.exe
Token: SeChangeNotifyPrivilege	4672	msiexec.exe
Token: SeRemoteShutdownPrivilege	4672	msiexec.exe
Token: SeUndockPrivilege	4672	msiexec.exe
Token: SeSyncAgentPrivilege	4672	msiexec.exe
Token: SeEnableDelegationPrivilege	4672	msiexec.exe
Token: SeManageVolumePrivilege	4672	msiexec.exe
Token: SeImpersonatePrivilege	4672	msiexec.exe
Token: SeCreateGlobalPrivilege	4672	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4672	msiexec.exe
4672	msiexec.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe
4800	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4620	1056	msiexec.exe	74
PID 1056 wrote to memory of 4620	1056	msiexec.exe	74
PID 1056 wrote to memory of 4620	1056	msiexec.exe	74
PID 4620 wrote to memory of 2560	4620	MsiExec.exe	75
PID 4620 wrote to memory of 2560	4620	MsiExec.exe	75
PID 4620 wrote to memory of 2560	4620	MsiExec.exe	75
PID 1056 wrote to memory of 4628	1056	msiexec.exe	79
PID 1056 wrote to memory of 4628	1056	msiexec.exe	79
PID 1056 wrote to memory of 512	1056	msiexec.exe	81
PID 1056 wrote to memory of 512	1056	msiexec.exe	81
PID 1056 wrote to memory of 512	1056	msiexec.exe	81
PID 1056 wrote to memory of 2080	1056	msiexec.exe	82
PID 1056 wrote to memory of 2080	1056	msiexec.exe	82
PID 1056 wrote to memory of 2080	1056	msiexec.exe	82
PID 4136 wrote to memory of 4800	4136	ScreenConnect.ClientService.exe	85
PID 4136 wrote to memory of 4800	4136	ScreenConnect.ClientService.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\assist.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 70BBA3D3469F7F3980744B5CEE4D4D4D C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI878F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240617671 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:2560
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6E1E52ED4654F72BF09FE4296588A35F
  2⤵
  - Loads dropped DLL
  PID:512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3D5D84D454BC12FBC837EA1617DC73A9 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:2080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3040

C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=aloha-assist.com&p=443&s=d2f72a54-0de1-4816-abe2-89fb9168b222&k=BgIAAACkAABSU0ExAAgAAAEAAQBRXVM%2f0zYukVOauF8gEYOCB0rCvmoWG%2bh46z7gQzdgnkGPtzjrebucQeKkm8qsbi5X0y0VsCHHG1XEDoURZH95JQnNkl%2f3tx3ViglzRdDhOa%2b5Nfob4XRPDBxwODOgX4IJZZJO3AnA9MX3RLhFapfmPCQjDYCbUowQ9cTiAObWHp4Se5EEf%2fbuvrXFiEwGau1ceiB0nuVtY9s%2fbxbyQSqiQywHYIBKc0MEgkS7EZelWCymok5wktn1Sf2vX9lSb7Lyyz7OV%2bQnrz%2fkwJjI84r5xQ0j1TRd8AYaN%2bL6KVUI0SZiP4mh5T2%2b08pFoKrPy02ScVcoQtd9Ht9fOnigbfav&c=admin1&c=&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe" "RunRole" "49316c0e-7078-4839-863a-a927c2f767ca" "User"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ebe7.rbs

Filesize
212KB

MD5
7c8af574fc3437a1729efe5ecfbcd561

SHA1
6c284b883bd049572e0c33087c55a7ff5a136a13

SHA256
657e89c73d9e490b1a3371469d94af036e1f24558a5f3870a840d376b45b91c3

SHA512
feb65a2c1bcd824a5bb3cba6936bc9fa5e98fd86bbf8fb8184f798dec0e95bd9a73cb5cae9d771cf5d642601fae7f31f2614a0a9cd5e72b726adf89da0bdecd6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\Client.en-US.resources

Filesize
47KB

MD5
e5d912067630d3efe53f290b9c9d0d27

SHA1
b0fc2105716c6eab770f89b9ed88ce2a36bdb5b2

SHA256
a023527e773b886fb64c5f31de484f659c5816cf4ab696be7c98a3ea4de57d41

SHA512
13fcb0f3f0208c072c86f1df8efe73cfade2803bc4b04e666787a95e10f49289fe6c1b8e10e7dbb5071cae92345fa12139fc220dc23dee4b098cc77fc53a316b

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.Client.dll

Filesize
177KB

MD5
32d230704c43f4bf811ce214fa23700b

SHA1
87c48d902f206c196ed6b69747f2ff1ec401a969

SHA256
3b0cd76c1d949d6d6e4073c73e637c531bac18827f9ec02a6be6c5e6bbcfe368

SHA512
cda6fbd99180f590658b47a418e28c6456dc298f14a7c1aa229a6fd97355dc6caa9278659d2d885cee1000298f54556f16ef359990d9f3b31fd01293adb8efa1

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
256081d2d140ed2727c1957317627136

SHA1
6c0b6758aef7980868e56a0739c877d4fa837ed9

SHA256
72b206d8c2ea0378f096c5e7c13022f67a0a0f670a10c1534b6f7a1ba95e8be6

SHA512
40d15bfab3fcac4c1a5f9ebf4618982f600a00659e48a8bc1e7d5223852a2b6c1f047e17d93dd5545c9d8af11f943f243392f7db44ba993345e15e106a7246f0

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
254d64388c6c52228d7a921960a03f6b

SHA1
b023b69348bb06c4b4ad67bee0f55bb9cfb3748c

SHA256
05e78416a344f74095e36ff14baa719867e9e163e1ae9a96c29df8615748b0ae

SHA512
2c52f6627fd1592f7e38b82f3a2d199fbed7b27268d9251b855fe2310d757d7b98db5a0e56956612794d6fce8035d30a6b9cecbd1262c570f0c01430e6e11459

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe

Filesize
561KB

MD5
254a33ec9d5391577b95d2cea3cf06d8

SHA1
a23587d95e94d7d5222b675867b3d525c2b4db5f

SHA256
6bd3ab0299b3826e476461caf1244e672d9f12858243921beb3939134618b790

SHA512
e9a7550678d11b86032869a888bef1fe75d89eb895ae561937a26a6b364fa78f5903c53ad0ee74bdb2e235baa5570b16cfa97133e060ceb3033d469f62712bb6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.WindowsCredentialProvider.dll

Filesize
746KB

MD5
f01a59c5cf7ec437097d414d7c6d59c4

SHA1
9ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd

SHA256
62b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8

SHA512
587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\app.config

Filesize
1KB

MD5
5fdc2cfa0c47337d707ab781e167b333

SHA1
b264dabe8cdb1261315154b8812fd21276ad372a

SHA256
8a31d61e07cdf19181c20918e66209d22b1364f73dcc5ed793373ad6d9aae177

SHA512
4b6c310cdfe961947010ca5cef0df61988124b754c1876ea188cca8982b50dbc7d59c0dbf2f7c4ee62415d95f36df1ba279e7630a5c34d73f1749047cc03e14a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\system.config

Filesize
941B

MD5
64918732e3bc6c92c79533c570e8d55b

SHA1
78b5f5f8f2d95880d42e06306fdf93b65e75eada

SHA256
bef498ec2a76fae9d3caf239406cd4d880f34982c5cbdd3b6d6378af4462a942

SHA512
7856e5ff573d251fb1356c8bc6331555555c0bebf86a83a0a93a323aedff9e6b8c4f331bcc4a6074bf5f546153ae74634eb590f80f4d89226869db99d640ca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI878F.tmp

Filesize
1.0MB

MD5
8a9bfe7a382fbe927cfe4649e0a416f9

SHA1
8889cbcabe01478e90dfff1ccb74f89e01709304

SHA256
0f216a5b1b84137bfd24c55f5e39ea5539b13452bc9b933572e8017551563493

SHA512
b50c6429e1a5d20470e53f62666e2e07d8e8771163a82ec6e846cd62ff3c8dbf25672d605aef2941f4661ec51bfeb6ccdaebd5148438c80d9cf474c3ec71280f

Download Submit
C:\Windows\Installer\MSIED7E.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e57ebe6.msi

Filesize
2.8MB

MD5
0c61143cdd787c28fa456b33834d1513

SHA1
56a157b6081b5f21b9b7f637c2de98558062485c

SHA256
ab17098a430aacf82f5c33d5cb6156f23525623815eb63fbc0e969cb38b59fea

SHA512
02f2fce34bdd9db6c51b2b4466c95270c6d94d80e76153fcd7bb6233653e86f9f9b16abb29c86b7b5ce69daeaf99e75abf04025bd7bc4ed95caa5e1f0d978b74

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\kvgnx0lu.newcfg

Filesize
566B

MD5
540d3b0dde5ffa50b1a11beff201cd39

SHA1
584aabfc2adbac26a9ae4b794e616ab8cef7ed12

SHA256
eda2ac71017d0a637192199b8d22bf3779fdc0cb4a250e0c5d654b50ed8d6662

SHA512
627b8c3b2bf4e1fcf239009a0e2c4263f11ca408240a46e31215a1cf30d303998cfc34d36552318aa2a748e3cd5c64c0951aa2efba454fa80c99232360c6da15

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\lmggsa0x.newcfg

Filesize
566B

MD5
64b0b8ff4162aad88190f6cd7b39397c

SHA1
a6423705b876fa97182d392d30ea829fc2b1d190

SHA256
94014af68219f8df2d46d467aad4801c6e67dc1953d40ca37704cc0c445effc7

SHA512
d1f24bf1c84994d506130d570a290f1575efeb339ead19d79d97f65733fc12c8acc9035ef027d297207c43e8c4e16f2389a7772cef2a69ee327f7dfdff842498

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\user.config

Filesize
566B

MD5
40d5d6dbbf033257410222668c76280e

SHA1
1f3ac8ab19c5d06ffdae3166e062a6236e4364c8

SHA256
9a2bf7793ed0f03ec760c1dea35f76cb8f32489869a4e76b8592aa41e0cbb3cb

SHA512
22aec9994710f7d0fbf247d74e1a2ccb674305e883a14483d5f5b617444ab30261aed2c8288d08ebec75f545cee6994ad60673dd9d2b0866af29e17721ffbffe

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\user.config

Filesize
566B

MD5
b7c5a44004b63ed33b21c377fc88ed70

SHA1
af9872559b43f78848a32cc429b57eb2f0067a55

SHA256
4223bd78012c56b0d64851f253267cca8dd44b13bd6a3b8eb27d120cfb966bdb

SHA512
1d38051f981c42f269e21301168c01cadc4e729fb46ad554cb418b4d3cb84f787bb6e0c26d4dd210e69d1fd46bc3e2ade73d2fe8f2f19bd9d30432d58709372c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\user.config

Filesize
566B

MD5
5abe1824da94eb0128cff679fe0b690a

SHA1
3cee662bf43ee5baa037dfb8dcf11b46486f36b4

SHA256
4a98dab01fc5eb1aaaa7525eb2bfc704478adfe8c1ecdbd2c5ed6478e852a709

SHA512
d709565feee49a512691a548b5dc34f1877db4154fc999910e171a8bc917b2fad15e4cd76d01739cb0bed62f2bf003d28eef3b575596542affcb7735b05f8882

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\user.config

Filesize
566B

MD5
ccd5fd97f4f91d25a1139fa8f8ea8bc4

SHA1
d97b1aa3ea9270f8f38a318f6fc6642f33ba96bd

SHA256
b3017a71afd776cb61b999d2ccdb4b7b04980338ce615dbef311e0ef63c5a9af

SHA512
ab53f1dff49d5b8e7ebc4aff773bfbe3e6e8a91b2902ae2304d619dc2a37da86b283fd212977c64df3e8ed8ebeff8749ba5a54234f186506c8dc4f8eef863947

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (12e6ae703360b1e5)\xg4ffjq3.newcfg

Filesize
566B

MD5
5eec6e6531dd458bb665575a3a53c359

SHA1
4e85e03e3fbf6c84407601152a3994a95b9354db

SHA256
3b2b91f4d164f4747c78fbff5ac2a88a2838fdf9227a018e98882c222cacbc24

SHA512
8a898d40d1bbde5333a4ddef7e46c6515bacd552db961d4a6c50c0f9f2e66ab887abd5229fae6f274659781e1c5e22a82a7e0a9db627a89f6abbba766a03f99c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
889c33d319d71d3a08c9686f465a4f1c

SHA1
114f28e5aa0f6f361cc22f25b956f67315865469

SHA256
1317e4010e44ef03e9296948f47036143b25bd2f76594fe48352eda5b2023d60

SHA512
668e64e4f12137614d86d4feea6911659885b34c4fda0336405f3c0f080a9b3935ba4b8681babcf615feaca5a75fcd6453f7c2257b3b052790fff8e8d57942ed

Download Submit
\??\Volume{344d456e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3aa5e8a4-592d-490f-93ac-e258f2cabe6e}_OnDiskSnapshotProp

Filesize
5KB

MD5
beb43f5e6119f2001caca9e10fccafa0

SHA1
7164fc45c95f59db1a050f8256f5604760959c76

SHA256
456592903ab844ee1a24ccf394b02996057f3c0c399db1e33e0f0e2c2e657e3f

SHA512
16385548a89b9a4f844082a3e9892e695eb7e2eb4ec26c657ee47e22a8511abb8bece85921ba925f97239ade9b9ef7366a7fa616bedbdfd81e3f011276de4c5d

Download Submit
\Program Files (x86)\ScreenConnect Client (12e6ae703360b1e5)\ScreenConnect.ClientService.dll

Filesize
58KB

MD5
b1346a9380086791abef5aa98903c80e

SHA1
ce77b0812363223bb04bfee60d383987ca405225

SHA256
43bbdb1c62d021a137e51cfb23241d3765089f98042e2a12a0b1449647290135

SHA512
a28b593bdaeb8e742d0c009cf2b7c60c8f25bccc7d824ed18e37be9b797946c3539f9fc12f0c74e6ccf28114936d77b2dd0fee6b08697c72741c4d6149f24b1d

Download Submit
\Users\Admin\AppData\Local\Temp\MSI878F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSI878F.tmp-\ScreenConnect.Core.dll

Filesize
489KB

MD5
6c5d0928642bf37ceed295b984e05be2

SHA1
46be0d5a7db56cb1ad77274709d0db053a3c0999

SHA256
3b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1

SHA512
bb95297e937dcf689ea9a02f487f55bebf3d6766a0aa75ffdbc932638717e79719f88787a325550d660af5856c3620cb1c6d165bbb9af87bd74af1f30e23c19b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI878F.tmp-\ScreenConnect.InstallerActions.dll

Filesize
21KB

MD5
cbb8bdc4b5ba00ef9b1ba60396cd6250

SHA1
840c6b1346061425a95be9f7bdbc9a12a61b5326

SHA256
c135cc9a4c96c1014c45a3fb0e470a74e9c9af991da0d271039008ad3ea30a8e

SHA512
35ac5651e445ac5552f8b2f5ba808c350810dec05ca7214c50d03ed420fdb07485dfa6c7f9d1902a81a404b8212f755f0a03e2e0825f3baea7f0415f2c64a8be

Download Submit
memory/2560-33-0x0000000004C20000-0x0000000004C2C000-memory.dmp

Filesize
48KB

Download
memory/2560-28-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2560-27-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2560-26-0x0000000004BE0000-0x0000000004C0E000-memory.dmp

Filesize
184KB

Download
memory/2560-29-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2560-37-0x0000000007010000-0x0000000007090000-memory.dmp

Filesize
512KB

Download
memory/2560-49-0x00000000732E0000-0x00000000739CE000-memory.dmp

Filesize
6.9MB

Download
memory/2560-22-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2560-20-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2560-19-0x00000000732E0000-0x00000000739CE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-122-0x00000000038A0000-0x00000000038F0000-memory.dmp

Filesize
320KB

Download
memory/4136-104-0x00000000039F0000-0x0000000003B90000-memory.dmp

Filesize
1.6MB

Download
memory/4136-91-0x00000000035E0000-0x00000000035F4000-memory.dmp

Filesize
80KB

Download
memory/4136-94-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-95-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4136-96-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4136-103-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4136-129-0x0000000003930000-0x00000000039EE000-memory.dmp

Filesize
760KB

Download
memory/4136-105-0x0000000004090000-0x000000000458E000-memory.dmp

Filesize
5.0MB

Download
memory/4136-151-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4136-150-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/4136-127-0x0000000003B90000-0x0000000003C22000-memory.dmp

Filesize
584KB

Download
memory/4136-126-0x00000000038F0000-0x0000000003922000-memory.dmp

Filesize
200KB

Download
memory/4136-149-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4800-145-0x0000000003100000-0x0000000003114000-memory.dmp

Filesize
80KB

Download
memory/4800-146-0x000000001C590000-0x000000001C5A0000-memory.dmp

Filesize
64KB

Download
memory/4800-152-0x00007FFAEDE90000-0x00007FFAEE87C000-memory.dmp

Filesize
9.9MB

Download
memory/4800-153-0x000000001C590000-0x000000001C5A0000-memory.dmp

Filesize
64KB

Download
memory/4800-144-0x0000000001920000-0x0000000001934000-memory.dmp

Filesize
80KB

Download
memory/4800-143-0x000000001C2F0000-0x000000001C3C6000-memory.dmp

Filesize
856KB

Download
memory/4800-142-0x000000001C150000-0x000000001C2F0000-memory.dmp

Filesize
1.6MB

Download
memory/4800-140-0x000000001BF30000-0x000000001BFB0000-memory.dmp

Filesize
512KB

Download
memory/4800-141-0x00007FFAEDE90000-0x00007FFAEE87C000-memory.dmp

Filesize
9.9MB

Download
memory/4800-139-0x0000000003120000-0x0000000003152000-memory.dmp

Filesize
200KB

Download
memory/4800-138-0x0000000000FF0000-0x0000000001080000-memory.dmp

Filesize
576KB

Download