Backdoor.DarkKomet.LB
Analysis Report
General information
| Family Name: | Backdoor.DarkKomet.LB |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| b36230bb88e0a49577d432f5967eabfa | 2f7c559e95fe1a2b487cc38c155ec8a872584e30 | | 5.62 MB, 5622104 bytes |
| f2f78e51d01ec71e45fa5c0ab0f72d22 | 6cc4e99ef2c6602e72b637846561b73001a6a666 | | 5.60 MB, 5600008 bytes |
| 7f2fae5fc30283dab3bccf84b99df8c2 | f65f35130e48179a3ed7d3a1df6770117d289076 | | 5.60 MB, 5603008 bytes |
| e402c77aed1f40031bd7d1acb54044af | 956c355cfb0aaa9d114c9476ca8473135006d01b | | 5.60 MB, 5602976 bytes |
| 7eed58851df2ec5e58e6c32692644c57 | 460454510d7766fffb87d9e5d948f5e6b9b9129a | | 5.36 MB, 5360912 bytes |
| ea109556101e39258bdc572a74518fa4 | ea214b729c856058e11bdf417917d91955ba909c | | 5.62 MB, 5621872 bytes |
| 2e91c591a2732995af9b6ddfba053e7c | b107daf7d319f0742e166303047ffecc18326ab6 | | 5.86 MB, 5861800 bytes |
| 71977472a5a248a0a458fee83a6fd46b | a20fcda3f7f524d328250796e74e1fda71da7375 | | 5.64 MB, 5642584 bytes |
| 9f039b9fdd46afe0437146affcf51900 | 81dfec45efc00a359280d72bb2fcd823a4230a40 | | 5.64 MB, 5644936 bytes |
| 3ee532fae6e98c4fcc87179a42c732bc | 756f822b0299cbfefc51b1f60146b47e6efa039a | | 5.45 MB, 5445504 bytes |
| a623cfa129b7ed5690a46b72f50e5fa8 | ca84c73bb615c5b55b3cbaddc1281d478a22a502 | | 5.35 MB, 5347592 bytes |
| 7d7ec5e27d5a71f011da79a5fcf7040f | 76bdfc9e795237a0e4ca41409792e3128e08fb3a | | 5.65 MB, 5651904 bytes |
| 491375c5ac55bc0cd18a9aa61439ae47 | f3581f48063002411f192d75b0d90c765fef7d25 | | 5.62 MB, 5620216 bytes |
| f8cdbdf6eed6a9ed1eca726e22884dde | bfc107680f674e7d972b15b9160e7ae29704e17a | | 5.62 MB, 5622536 bytes |
| 725c0ff9a930764fea7604a36634bf1f | 4bcbf71cd558c3cb2a5fe17ada2e87b53b36e4e3 | | 7.15 MB, 7151832 bytes |
| 5fe66c5a9c7fd4e0ee1eff2dc3eeea00 | a5c65816f1138a578e0c0583af76ce45ce45f68a | | 5.62 MB, 5622112 bytes |
| 343ed31d4295d0da9ac2d70f553a6999 | 6279650c16b36585826c35b7e48c2bf03bc53ead | | 5.62 MB, 5622176 bytes |
| fc52076dceba92f778e3ddfc779b82e4 | 1e7da743b04092d2683f5538354dd238902e8635 | | 5.85 MB, 5846840 bytes |
| c0b10150f54316a9a30c357fe0ca07c6 | 2126bf383469cb7558620be8a4729f97c4018576 | | 5.62 MB, 5622808 bytes |
| 166528759bfef593f1e2bb0342b93a0c | 487266762232cc86904acddf04806c2ff3473bf6 | | 5.65 MB, 5646112 bytes |
| db4053531fe45c0bed8aaf7b10f4bbfc | 653fd555cb10f7b2ddbade104842813ee5ff867c | 0418ABA40BA81FFD832A5EE50B0B5D111E7C2801F793559E9F74B998965D872F | 5.62 MB, 5622552 bytes |
| b01bd34cc328ad96322c7a00f348a0ce | 0aef2073c6656a3a14ec33cf5a11068fc9b44dac | 6BACBD566A64A64AEF0D4FD0739BA32B99E2B32AB67567D423EC809A817BFAAA | 5.63 MB, 5628704 bytes |
| e416e997e27fa879db8402e2259f7a4f | f7879c16b823a480241910413ded3f1d4c4344e6 | 659164F5266D8D88E6258D4297A9FEF559A6D49211BCDDD4CB2F024C16ABF36D | 5.65 MB, 5652440 bytes |
| 89bc6c6c05d674318bb48fbe5ff69a5c | 0256f6717e8bcc50896af68e66ee3920ff756061 | F1484576D6E98C607FF04FB0ECAA9E68A0A1A95D1448226994482B2DFE110D5B | 5.62 MB, 5622152 bytes |
| 989a04b350eb4523f6c55bd5a0865075 | 065c7ebd2c3590ef443afeb15945b9e615731cca | 81D3881E9C504136F56A2B9A345AE464D4BC6E2AC7C9CF8822EDBBAAD7B64F84 | 5.62 MB, 5621840 bytes |
| 3be823c050ddaddea20639c4412a1b59 | bcdef9eab165ed2fb1997b4e9c25143f57cf3607 | F78CED44457A1DF6F47F54B33D9E41DC3D75695694EE27E939CA076E5E400334 | 5.90 MB, 5898488 bytes |
| 89c60e38220b6184708f1ed53e2d71ea | 17b641176b2f724bdfc4bdfa9bc86b02281042bf | 1B66BAF1456F8BEDCF3186C0298B769EFA1D30AA172CE68FAD72570C923FBE6F | 5.79 MB, 5793504 bytes |
| 7af6c9543dfc3b98c904e90e6c8c4c59 | db765bebd16e57d3aafacbc0006701e3d2270901 | 7AB54BEDB14F20D2085EACEFA9A8EE75906F9F3BFAD2127CC415BB0F3CEDDAF4 | 5.80 MB, 5796624 bytes |
| 86780f7b35983c6c988e20b1f27bf776 | 1a23fbcddf66eaf307ce5984e4f0715ff2631529 | A54952CB26DBAD8023251CEB2DF6AD4430824D1969F1CED2A6B58A0D80916669 | 5.62 MB, 5624120 bytes |
| 7c6080add21384bb137dd9525710cb6a | 0eaa1d53658c0d83256b66b9bae3b651eb522ced | A7FFEE8F45A7B995A17391B79D496DA14E2108E57DF9BC9021988A3DB701ECB4 | 5.65 MB, 5647272 bytes |
| 5a9e44f477d8a853088ae4221e2c93d4 | a769c24d1db56c582ed351d6048336ff3d9e92f5 | CA7C64E4013CF4750609574208E2826D2F327E8496DC2D72A73D9EAB7AEBBA1A | 5.70 MB, 5696040 bytes |
| c6b74ffd4e93461dbcd2f86178b5cca3 | 351f5be54bd7e712a3c3275aaff6467ec2a1648d | 6FBBBFFD54B2321FB8765D3A14438BA85A7AB7530C3453D8FA3A0E6A43907FAB | 5.68 MB, 5684992 bytes |
| 80858cb619fdb4f81d716eaee3bea83d | abffa7dc4361712641b83c805ba2433d7549cdd4 | 304FC8971FBA2B6EFC1F90C6172B6471D43519A3E87DC08DD079C1AF2D143320 | 5.62 MB, 5621448 bytes |
| 27bc0adbb37f7cf67754df8884ed04dd | 1fb2c90bcbc1d72a7d09bb31d2b714a14af3eb97 | A5ECFE288511F68B271CA9AC0187BB5688B972E9019E6D16CB7E6632C938C2B2 | 5.48 MB, 5481536 bytes |
| 8b90b102547bf35ad1cbc215bcc5ab7e | cf99fb7a9bc9ab8fb29a5c73f89cd0d518e22538 | 8D39881CFC4502E9FDE9B02FF38015F2024938C1B216E5996B5BDFF0FC9F42B2 | 5.66 MB, 5661432 bytes |
| 3abaa408826b6a8967d2ec82f5ca0cf5 | 75e99c023e209f539fe9eca6674eda53ac32fce7 | DA795CE0BA91E857F25B164827D575F9CED03920127C5FD1E84971FAC45081A1 | 5.48 MB, 5475864 bytes |
| 56ba83e9f552c802500769cbc545663b | e51765a2e3986c4a6d6de57a82887f696b909cff | E94E1AEF024F6F2FF6904BADE9136B9119E22B33F819C4E3C4CF864695BFF684 | 5.42 MB, 5421424 bytes |
| 54f1864d64814a66d414e2dafd56d2e1 | f8f4da4fda178555e3d65bf5da985454726e3ba8 | 0E011239E417CB2FE6722A1B9DC1BDC1D3552FA12017E2484C1C40247512C763 | 5.72 MB, 5716936 bytes |
| 1e741ebbd88cb38a6d737c90a5bf704c | 1967943912f099bdbe89ae19f7a5e99709448943 | D4B8332E465CDEFBDDFABEA6E1372D5877295366B40FD01BAD5EF25AF50246B8 | 7.15 MB, 7151504 bytes |
| ae12c5dfe742d87687d4354d4869f77b | 211493c627dab19432d6a98d80d23fff817fd4bc | 20F0BA1768D5ADC545D293F5BB98DBFF4AECC6DCFE40BBF993A807C41C2A0F1F | 5.65 MB, 5646432 bytes |
| 4a3727583e7bd4b2713053734ecf06cb | a5590d3aa410024252a2395d4ddaa05c0d37f233 | EA6C229E23B5291ED2724B18014AF7DA8C69B2AE60F5B3F280E252EF88F03564 | 5.62 MB, 5622720 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| ConnectWise, LLC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
| Connectwise, LLC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
File Traits
- big overlay
- HighEntropy
- No Version Info
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 2,872 |
|---|---|
| Potentially Malicious Blocks: | 95 |
| Whitelisted Blocks: | 2,777 |
| Unknown Blocks: | 0 |
Visual Map

(Block map data truncated.) Legend: 0 - Probable Safe Block; ? - Unknown Block; x - Potentially Malicious Block.
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\msi5ab3.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\msi75ae1.log | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\screenconnect\0b03fa83feb97678\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.17.9294\4205d3d2c4079896\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.4.9026\b110193dd7ffa16b\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.6.9056\3a4594764213d345\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.6.9056\4dd34b872dc83e99\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\096dfbe4f0fcf374\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\13751a720371da47\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\24e531e7599a1f36\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\3d47c83d01f959c9\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\6a3fdc8af50414e0\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\6d46d368fa5f5694\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\862c9d0811dcdbf4\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\8fdd56e0b61fc0a0\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\eb8eec7114d767d2\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.3.7.9067\faa13c12456679e2\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\24.4.5.9139\82859b5f801a1776\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.1.7.9171\c69d88186a651b0b\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.1.9.9185\2b158019a06b1e8b\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.1.9.9186\d9b0554a2975771c\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.3.9216\7af989ed2aa44201\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.3.9216\e9eb7e16e4985bbc\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.4.9229\1b913ae746a50099\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.4.9229\36f99f3e9b37aaae\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.4.9229\4bf9943d79f30631\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.2.4.9229\ca89e00e4acb6e0c\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.3.1.9245\ebaa6c9b1f6961cb\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.3.2.9271\f8c252a6de51af75\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.3.4.9288\ece2504b23176776\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.3.8.9294\c58b7a992149addd\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\25.4.3.9287\43e3f583da90a4d1\screenconnect.clientsetup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\472449c351f5d73b\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\5bf48dce8a56eb63\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\8cb78d3d3a881716\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\ad7cfea92c8da348\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\bf692ce7aa1ee17c\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\c892c7342a30c3dd\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\screenconnect\de5851ad6e374ce3\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\setup.msi | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| User Data Access | |
| Anti Debug | |
| Encryption Used | |
| Other Suspicious | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
| Image | Command Line |
|---|---|
| C:\Windows\System32\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\Odayzgrq\AppData\Local\Temp\ScreenConnect\25.3.2.9271\f8c252a6de51af75\ScreenConnect.ClientSetup.msi" |
| (NULL) | msiexec.exe /i "C:\Users\Odayzgrq\AppData\Local\Temp\ScreenConnect\25.3.2.9271\f8c252a6de51af75\ScreenConnect.ClientSetup.msi" |