Pulse name: Indicators from Wipro Breach
WHITE AlienVault 2019-04-18 Modified: 2019-04-18
52 IOCs
HIGH VOLUME
Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks. Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz, an open source tool that can dump passwords stored in the temporary memory cache of a Microsoft Windows device.
Indicators of Compromise (2 / 52 total)
TYPE          INDICATOR                         DESCRIPTION  CREATED
FileHash-MD5  dd5986339aaf23f2baf8c245923a0f69               2019-04-18
FileHash-MD5  e2e88d6ea5d5d2a4c7b8039988644043               2019-04-18