File name:	E-INVITE.msi
Full analysis:	https://app.any.run/tasks/40c08d52-6ae2-4acf-95db-07faed305953
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 03, 2026, 19:01:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc screenconnect tool rmm-tool remote rat
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {5F9A04B0-31C7-CA0C-1D6A-155DF22C571B}, Create Time/Date: Mon Dec 8 14:59:20 2025, Last Saved Time/Date: Mon Dec 8 14:59:20 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
MD5:	EC24263C507FADE64EBBA66F89E0D78E
SHA1:	B305D1FD3EDC4A616DF44113B72843A38B242468
SHA256:	3E5F85BB6F9864ABC9C6503A54C52F490A01EAE9A07DB1516C379F24DB276B1E
SSDEEP:	98304:lhf8Yz+opekehLwU9+VcfHutlBmcua8ZhS2URDn52HZWe8sp9HRSWMpwTezaPir+:lW/WyWAW

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Default
Author:	ScreenConnect Software
Keywords:	Default
Comments:	Default
Template:	Intel;1033
RevisionNumber:	{5F9A04B0-31C7-CA0C-1D6A-155DF22C571B}
CreateDate:	2025:12:08 14:59:20
ModifyDate:	2025:12:08 14:59:20
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.11.0.1701)
Security:	Read-only recommended


(PID) Process:	(7088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000867D1C813F95DC01B01B0000300B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000867D1C813F95DC01B01B0000300B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000746666813F95DC01B01B0000300B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000BCDB7B813F95DC01B01B0000300B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000BCDB7B813F95DC01B01B0000A40C0000E803000001000000000000000000000091DF6A0951BCA84E83142ADB0698588100000000000000000000000000000000
(PID) Process:	(7476) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7476) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(7476) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7476) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:	(7476) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{872a075f-9aa9-11f0-b4fb-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
7088	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7088	msiexec.exe	C:\Windows\Installer\1e949d.msi		—
		MD5:—	SHA256:—
8064	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:AD2025E28D573EE70EBE4E93DE9C6929	SHA256:0A2EAAEA52F03B782CAC015E1370A8945DBC9A6C9BA44FB2650B7B3D4B330FC8
9048	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI6242.tmp-\ScreenConnect.InstallerActions.dll		executable
		MD5:EB6604715B8932B1F79AE00F480F0D49	SHA256:7071C7FA49E4B177126D58835D7DF40EC0A18424D5C9110242D612FEFB1974DF
8064	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:D25236DC4C5C7950F0BE39EDF39702EE	SHA256:5F907A490D8D888C49E7E1E42E7E04FDCC1D38BC1CB324E9780E7946EE454DF4
9048	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI6242.tmp-\Microsoft.Deployment.WindowsInstaller.dll		executable
		MD5:5EF88919012E4A3D8A1E2955DC8C8D81	SHA256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
8064	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI6242.tmp		executable
		MD5:83667F97BDAAD141715FAF9687A888FF	SHA256:80C78C9E4ECA39BDEFDC9D47B9A8B49DFCC3FE1C0F135338584C7E83702D539A
7088	msiexec.exe	C:\Windows\Installer\MSI9846.tmp		binary
		MD5:4D792F6951BB089A95D2A351BCE954FE	SHA256:42BF76B3B3186A609DEA6C41C2D9F79BC9E6862BD2A7014A92F4A62297AD1FCE
9048	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI6242.tmp-\Microsoft.Deployment.Compression.dll		executable
		MD5:4717BCC62EB45D12FFBED3A35BA20E25	SHA256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
9048	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI6242.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll		executable
		MD5:A921A2B83B98F02D003D9139FA6BA3D8	SHA256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1908	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6320	svchost.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8064	msiexec.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
8064	msiexec.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAq7yhIMeYEKGC9y%2BJwENY8%3D	unknown	—	—	whitelisted
4812	svchost.exe	POST	403	88.221.169.205:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted
4812	svchost.exe	POST	403	88.221.169.205:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted
—	—	POST	403	23.59.18.102:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	unknown
4812	svchost.exe	POST	403	88.221.169.205:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	html	386 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	23.216.77.20:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6320	svchost.exe	23.216.77.20:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	23.216.77.20:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6320	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8064	msiexec.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
6712	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
self.events.data.microsoft.com	20.189.173.27 13.69.239.74	whitelisted
google.com	142.251.208.14	whitelisted
crl.microsoft.com	23.216.77.20 23.216.77.28 23.216.77.39 23.216.77.29 23.216.77.25 23.216.77.19 23.216.77.30 23.216.77.21 23.216.77.22 23.216.77.13 23.216.77.36 23.216.77.41 23.216.77.35 23.216.77.15 23.216.77.18	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
client.wns.windows.com	172.211.123.248 172.211.123.250 172.211.123.249	whitelisted
go.microsoft.com	88.221.169.205	whitelisted
instance-lxfmrn-relay.screenconnect.com	104.45.153.136	unknown
slscr.update.microsoft.com	74.179.77.204	whitelisted
www.microsoft.com	23.59.18.102	whitelisted

PID	Process	Class	Message
2292	svchost.exe	Misc activity	ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
—	—	Misc activity	ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain

General Info

E-INVITE.msi

EC24263C507FADE64EBBA66F89E0D78E

B305D1FD3EDC4A616DF44113B72843A38B242468

3E5F85BB6F9864ABC9C6503A54C52F490A01EAE9A07DB1516C379F24DB276B1E

98304:lhf8Yz+opekehLwU9+VcfHutlBmcua8ZhS2URDn52HZWe8sp9HRSWMpwTezaPir+:lW/WyWAW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SCREENCONNECT has been detected

SUSPICIOUS

Executes as Windows Service

SCREENCONNECT mutex has been found

Creates or modifies Windows services

Screenconnect has been detected

Detects ScreenConnect RAT (YARA)

INFO

An automatically generated document

Reads the computer name

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Checks supported languages

Checks proxy server information

Create files in a temporary directory

CONNECTWISE has been detected

Manages system restore points

SCREENCONNECT has been detected

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings