dd05d8ec2686eb4de74903891cd260e58ceaf38358dbd73ee035f472be91b4c5

Analysis

max time kernel
78s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2022, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConnectWiseControl.Client.exe
Size

85KB
MD5

a8d46cab0683d47ac7b98219a0193c8f
SHA1

07d5968aea955a61710954db8b33a493fdb2c53d
SHA256

dd05d8ec2686eb4de74903891cd260e58ceaf38358dbd73ee035f472be91b4c5
SHA512

678c03f65a172ab729bd5336f101ac96e1d6a34e93af7cec96630400dc02668b9d6fd49b6c816fc59c31512c7a42b67df1b735d8835b94ac282805b3a616dab9
SSDEEP

1536:fXn1JYSnExFkcgKKjxfmqshiKW5Xs/iYQqQJtsWFcdfRMvb+xWoJngv/:fE3x5KBDYiKWm/iSw0fRMvygqG/

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2160	ScreenConnect.WindowsClient.exe
2076	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3432	ScreenConnect.WindowsClient.exe

Loads dropped DLL 20 IoCs

pid	Process
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
2076	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_b15b0581876c57	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_b15b0581876c57 = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_b15b0581876c57b7_0016.0003_b163bd1189c97eef\appid = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196\lock!0c0000008dc4560e34130000e80000000000000000000000 = 30303030313333342c30316438633739313037303762383961	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89\lock!1a000000d5c5560e70080000c40500000000000000000000 = 30303030303837302c30316438633739313063636634626333	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_b15b0581876c57b7_798b8bce7e5ef6cc\LastRunVersion = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c4afc21\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0016.0003_none_39b869dac448a1b9\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_b15b0581876c57 = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0062006d00680065006c0070002e00750073002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320032002e0033002e0037003400380037002e0038003100330030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0062003100350062003000350038003100380037003600630035003700620037002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320032002e0033002e0037003400380037002e0038003100330030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0062003100350062003000350038003100380037003600630035003700620037002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0062006d00680065006c0070005c002e00750073002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_b15b0581876c57 = 0000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d\implication!scre..tion_b15b0581876c57b7_0016.0003_b16 = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0016.0003_none_39b869dac448a1b9\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c4afc21\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0016.0003_none_e6942a421db9f1f4\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_be0320f6461d0cb9\LastRunVersion = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89\lock!0e0000008dc4560e34130000e80000000000000000000000 = 30303030313333342c30316438633739313037303762383961	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "YZ461A3V25Q653ET9K3EA2D9"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_b15b0581876c57 = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_b15b0581876c57 = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_b163bd1189c97eef	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_b163bd1189c97eef\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89\DigestValue = a90468d2430e51ff816ed4598b21fb66cfc4df16	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0016.0003_none_e6942a421db9f1f4\lock!1c000000d5c5560e70080000c40500000000000000000000 = 30303030303837302c30316438633739313063636634626333	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196\lock!18000000d5c5560e70080000c40500000000000000000000 = 30303030303837302c30316438633739313063636634626333	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c\SizeOfStronglyNamedComponent = ba50010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196\Files\ScreenConnect.WindowsClient.exe_6492277df2 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_be0320f6461d0cb9	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0016.0003_none_e6942a421db9f1f4\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\SubstructureCreated = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0016.0003_none_39b869dac448a1b9\lock!08000000a6c5560e70080000c40500000000000000000000 = 30303030303837302c30316438633739313063636634626333	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c4afc21\Files\ScreenConnect.WindowsClient.exe.config_f7f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0016.0003_none_39b869dac448a1b9\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c\lock!040000008dc4560e34130000e80000000000000000000000 = 30303030313333342c30316438633739313037303762383961	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_b15b0581876c57 = 68747470733a2f2f626d68656c702e75732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32322e332e373438372e383133302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623135623035383138373663353762372c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\scre..vice_4b14c015c87c1ad8_0016.0003_none_e6942a421d	dfsvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE	ConnectWiseControl.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE\Blob = 030000000100000014000000d4d75fde705713cc3d28aabb99da6ba16b3dfcde20000000010000002c0500003082052830820410a0030201020210085dfb7228e907cf98022c52c511bc66300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3139313032323030303030305a170d3232313032363132303030305a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374576973652c204c4c433119301706035504031310436f6e6e656374576973652c204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100aff44932097c6f6581818041beb0983e68f9af594959e60adb9948991d0cb693bd3e6febc4e08d0895d3b77970b3ea171c377224b71a12b163385f1480f498cd0eae93b0e6eed61dbdbdfbfb5e3b4a9c7b63f52bf30e027cefe53b449160ea09969e6f474a3ba8b9ec92df855f3031f42eed4813cf5b31080f7677df2941be2157134683184629972bfaa24a8184e6aeee5f4485a4c86e1342118fd4d203c3537b91931279de62ddf5fc6f378f1371e0d987ce9a1daa873f8c9eac570f684cc150c11195f9e66ea6a7579574eaf1c635a247b19a74e9853ef8aeb2f9985e37a6591caae42453745c4e4f67d55472e67a8b4566913e978d351a9c53277a51a5ed0203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e04160414a6b7faeec29169953f10837d11e48f3c596bd80b300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382010100693660b45165355d831c324c3ae47a4960602e321c9bd34546dd87d86d9af9e78d39bd42972273587ffa2ea32f4c7fd35d9a1b8c901a7422e322810e84e1bfda958363de1e32f4700d9b0867eadc5b018c71f5f2dd0238194e42f6d744c7f65f2eddb04740b85ad62f821ecc9c9ddb474b6ee71035ef99251518183e8cb0f7fab4bac08bbad55522b23ed20e065f917956f6b24df8f89af1a32901512db2fbe1783ea37b645aad71e15bd4e5522b83bae0696744f7ec21143befd856afca78c62f9d989a0bc67c1e33204a1ea4154940b7078de53fe15a71d6f0dea3957a099aa65c4c4c33f4316b2db58cb221d712d10c177cae393427529e04346d029b2d24	ConnectWiseControl.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	ConnectWiseControl.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6\Blob = 03000000010000001400000092c1588e85af2201ce7915e8538b492f605b80c62000000001000000340500003082053030820418a00302010202100409181b5fd5bb66755343b56f955008300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3133313032323132303030305a170d3238313032323132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f8d3b31c7f0e11af677707d30b314919cfd0fb4599b13adb44f57fe5a89ddb32d771ea769d052eb78ffa9243c0a5f989d43719d7b6aaf09c86a5d825ac0e79283a7ee9d167d3c6fb2927c7d37b2394e4912396907782f9a18423661254335074b12826bb2469c2c252f214678a8945d42da1a3e9882c2095ae1c4a8708df0cf5e24d6018beaac4b2ae70316633713eac70a2abce7fe97ccb92a1e53b311ccfeaf20ae457bb4ab5e974e62bfe6ccb7e7439360d90efe4b54ea4a9ea6a0aab84f3ac674eb5c4f78cd1202523eb08643e5296c1f20f12f4c58e0fc1a2e82c51f773bcbd85b1628373418207e4388b6a7320d00f64733c9e9fa633a9fd19df2593d10203010001a38201cd308201c930120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c304f0603551d20044830463038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300a06086086480186fd6c03301d0603551d0e041604145ac4b97b2a0aa3a5ea7103c060f92df665750e58301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010b050003820101003eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef	ConnectWiseControl.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE	ConnectWiseControl.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	ConnectWiseControl.Client.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3220	ScreenConnect.ClientService.exe
3220	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	dfsvc.exe
Token: SeDebugPrivilege	2160	ScreenConnect.WindowsClient.exe
Token: SeDebugPrivilege	3220	ScreenConnect.ClientService.exe
Token: SeDebugPrivilege	3432	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4916	3136	ConnectWiseControl.Client.exe	84
PID 3136 wrote to memory of 4916	3136	ConnectWiseControl.Client.exe	84
PID 4916 wrote to memory of 2160	4916	dfsvc.exe	90
PID 4916 wrote to memory of 2160	4916	dfsvc.exe	90
PID 4916 wrote to memory of 2160	4916	dfsvc.exe	90
PID 2160 wrote to memory of 2076	2160	ScreenConnect.WindowsClient.exe	92
PID 2160 wrote to memory of 2076	2160	ScreenConnect.WindowsClient.exe	92
PID 2160 wrote to memory of 2076	2160	ScreenConnect.WindowsClient.exe	92
PID 3220 wrote to memory of 3432	3220	ScreenConnect.ClientService.exe	95
PID 3220 wrote to memory of 3432	3220	ScreenConnect.ClientService.exe	95
PID 3220 wrote to memory of 3432	3220	ScreenConnect.ClientService.exe	95

C:\Users\Admin\AppData\Local\Temp\ConnectWiseControl.Client.exe
"C:\Users\Admin\AppData\Local\Temp\ConnectWiseControl.Client.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe" "?y=Guest&h=bmhelp.us&p=8041&s=77b9db64-93a4-415b-a400-0e3d2584ac60&k=BgIAAACkAABSU0ExAAgAAAEAAQDFIYFw%2bEW3NFzxIYD%2fRwtGClTA0Q8c9gxyG1xMArnelgZP5ifHErSPI66odOh2GLIDsvRruPQmwmS2r9ZUmoho00bAc5DK%2bhN2st%2fFv0t4d%2bNprSWAy04i08HuwVk5KUVjQW2iOKna0PXFR3gXWjlxjf1UDXQs3%2f8xjZp5WDPDKxtAxagFktuUpNNK%2bJbhMCwvAosdf3KCjJzHDxZoz4bYOFEytju1YV7MsW9OWK2yKNHAzrfELacFjTvLdpqbFYQ9JPXFzhY%2fimfkFy%2bhVG%2fM1sBVRwFYWEJ8KF6TNYN%2bqUUT80h%2bcK5oaR%2fSxoxBmcgoZme7wfLemoUEt1vMBAWr&r=&i=Helen"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2076

C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe" "?y=Guest&h=bmhelp.us&p=8041&s=77b9db64-93a4-415b-a400-0e3d2584ac60&k=BgIAAACkAABSU0ExAAgAAAEAAQDFIYFw%2bEW3NFzxIYD%2fRwtGClTA0Q8c9gxyG1xMArnelgZP5ifHErSPI66odOh2GLIDsvRruPQmwmS2r9ZUmoho00bAc5DK%2bhN2st%2fFv0t4d%2bNprSWAy04i08HuwVk5KUVjQW2iOKna0PXFR3gXWjlxjf1UDXQs3%2f8xjZp5WDPDKxtAxagFktuUpNNK%2bJbhMCwvAosdf3KCjJzHDxZoz4bYOFEytju1YV7MsW9OWK2yKNHAzrfELacFjTvLdpqbFYQ9JPXFzhY%2fimfkFy%2bhVG%2fM1sBVRwFYWEJ8KF6TNYN%2bqUUT80h%2bcK5oaR%2fSxoxBmcgoZme7wfLemoUEt1vMBAWr&r=&i=Helen"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe" "RunRole" "bc2909ae-2881-4d85-b05e-5f9396bac121" "User"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\user.config

Filesize
543B

MD5
e94da16bae7fad498f8be1ede0873982

SHA1
60ce0ca51e905e84f842cca14d0b1b552f0d42b0

SHA256
d5f6299694744a4c9bc010be5b4e472a8297e5a67a772170bfb2fd20e687c472

SHA512
68353d26014ed7df96fdda5e91f2001f910accb8f406754b519d49aa48a52338e52f29c9bf818caedd37a352b6b01270ad7e917041cb74cbf1cbd54720420ca9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\Manifests\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c.manifest

Filesize
72KB

MD5
0c4c1944a7897b633d3178a8a37aa863

SHA1
5ace09e483337ac30cfa0872bbf876ff343741a4

SHA256
63ae109329082d10238dc50d9e0cfa41e79d21566acb7cbcfb3cc8468e3b46f0

SHA512
e0742161a8b6fbd10617800b203c7e861160608bd25cc081a454fc11fd7c09b2b53fb21f0f2a37d37ef6af2a1b36ab816328b3127511d2392502429598ab8334

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre...exe_b15b0581876c57b7_0016.0003_none_d42d45809c4afc21.cdf-ms

Filesize
19KB

MD5
a39d1020b3015eaf03f12a7ef19ece14

SHA1
064ea4c97ebe5e4b2422b7dc379786aa3c60ab49

SHA256
20de8f9a4578f968cd17108ff5447632d640f22bf7750b7cf3e907e61a511d8e

SHA512
0d4eb4b3adb69362dabd96db522b34dd1b8beafada2cd9d8d9804e669412dc07de93e7495b9580a30fcd2fc4e0afe42720eeebeb26b2331bc731a51daaead615

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..core_4b14c015c87c1ad8_0016.0003_none_354091f987fa8e89.cdf-ms

Filesize
3KB

MD5
6724e067c9ce5f6192fa13c35f545b7c

SHA1
78126ac2fffac87ea19cff56964939bbaea8775b

SHA256
8577f531e8a1b92165c96d332933c5e5306e47619eebcca6a7d3f1ddc89b2e11

SHA512
b2aee13c6db699a0832ca6d1da4c58f1eabf088aae48e21dad051c46376ba47a1eea6457b397650410df3af21755193a6f82622daff96ac95b08a340e7e7d3a3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..dows_4b14c015c87c1ad8_0016.0003_none_39b869dac448a1b9.cdf-ms

Filesize
5KB

MD5
f37c27aee55776983faf5a06d89d29db

SHA1
a0739da95f2448984c13be4217394ea6f12efb24

SHA256
db89204f95b6d7add99da21647169737d8cd6f8315cb22f6238b6b39bf7b56aa

SHA512
cddb9a819d66dffd6e6127908879ee4d2cb1784acd68e9133fd4e241dc840e3a179f7197d8804f84ae672820c589975dcb419654521059b68b489223c8b2c3df

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..ient_4b14c015c87c1ad8_0016.0003_none_96876b1d70de7196.cdf-ms

Filesize
6KB

MD5
504b5efef4bc56de42b8fe5f04f6d5f4

SHA1
42c3f852c1732ad1e681cb48730b054a1a3b0334

SHA256
53fb364204a3e71bcc8054289b897226f033298bac4788395045710d8954952b

SHA512
b0a6d4b7577aa084e7d3287ba5786fc5da61981483d2f194ead8c5b9b615e0d70b8cb3833c2b312710be04ac59e37b71b2a0510027d26563c54ae7005adfc69a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..ient_4b14c015c87c1ad8_0016.0003_none_cb55efcb9749e48d.cdf-ms

Filesize
2KB

MD5
8df0a1e1b0d185fee976071f3ad6342e

SHA1
4dbf02d69e58e90c366bcc91fff6cd3e76216e70

SHA256
31198970b97cf5db005aa77709b0735b3f7c9592d2f34eec977f010687a50bef

SHA512
43e39f8533b5ac7b3c187670ea87de084950f4ebf553c39423034d3cb90e2db8ff9ae27077b5c3d9e34bdd03de31eaaed5416237f6cbfddf8639144593175fea

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..tion_b15b0581876c57b7_0016.0003_none_96ae35868d55f54c.cdf-ms

Filesize
12KB

MD5
3c8f34ca07bc49865490080fd480ddba

SHA1
37644d83ad46a8e01e8254e07384f821f459c470

SHA256
16307ad32178801b9ff922f74a17665d96a18ea502eebed457f0d8ba6d7ebd44

SHA512
7642ef42cccf60d52d873b05beba2d2e2a4fe8777017bcd8a33e97cb20293d3d7cda532bb36bc69339bcfac1ff1c9239c48a1713a70af4d78778c6ff3ad96d38

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\manifests\scre..vice_4b14c015c87c1ad8_0016.0003_none_e6942a421db9f1f4.cdf-ms

Filesize
3KB

MD5
5ea2e5dc3aad4f46a47c198514ca7237

SHA1
acef272605fbc5f5a5a86ae08cae6c2ce49bf0ff

SHA256
afe4a7e1574a6eebb5930382089cc5be1ebd6beb679cfa16f334712bea5959d3

SHA512
65001e4d9413daa76d3aafd3005ed01ee05b70101d6f7b5dbb1f7abdf1403e7925f4f7b472675324ca29d5772ec385fe3673d792576646cf246221c9752f8eef

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\Client.Override.en-US.resources

Filesize
463B

MD5
b3a1057d68bdb61abdf1b56b025095c8

SHA1
db481154a619501a287ed058cdf90c27e78418a2

SHA256
0762bbb8aa144c932bdadeb18bd36f75794ab06f2fee33b6b8686cdd1064dee4

SHA512
7376695a5b7d536e8d7ac8d76596c6eb76d321538015d9aa94bbb4ccf6a4c2f3587ff82b8ad9b5f318159c8d0d11bf0c9f15ee0372b3ca84c39254fb39f944dc

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\Client.Override.resources

Filesize
256B

MD5
5c8c08f17e200cb71548df0725517888

SHA1
ee96caaaae105d30987dcc5ec565f177bf2e772e

SHA256
2438083eaad56605a0f8d2538073e17313345e20520ff173abde4d51655ada00

SHA512
d468c45ca851a95a29a8917ba50716e5fccf1ed2c84dedc096d7908da5ac23c6a3b1da1c5780ae5f4dc2ac85efaf8f606f07971b7be01d971ebb31777e63d635

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\Client.en-US.resources

Filesize
41KB

MD5
f862361c5564b0e325a0f1aae36d9459

SHA1
2da5d59b5c2e701f23a2348fe23799548b0229fc

SHA256
1bac9eeb70667e1486c41253803be12fb7a57897aff6f37ff1aa031562f4beb8

SHA512
81e8e022fdb6e5022a4888d8170a429bb995bc8acdd4cdbf318159713ce21ac95172fb81db9e30e3ebf3095ea7c10c7308f115ba5a88817d04f4a7ab774ae682

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\Client.resources

Filesize
2KB

MD5
0b47901f2c782922f034fba8e8062916

SHA1
893075f8ca04f92dbef7f6e81223e1b08e29328f

SHA256
64da2cfeacfcba97cad701da9288618bc42a20f69dd4a0fe5652ce49ef92524c

SHA512
b3db1c4ffed1dbaef5e03f4819bcba5f0a6864c26123e059b6a649911adbd380ae3aa1eb63c2397ea1ea5fc61103468b5db838080d7c7d5de848b5002c31cbd6

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.dll

Filesize
180KB

MD5
e245d2bcdbb56510dbf08ad4d6fb462a

SHA1
9c3959c52003215cf1c9d3cb1c875872a821d1b3

SHA256
03b8adae21b2d9cb4e18c18d440e16b585c00a272827ccc515d13898bfb5a6d3

SHA512
3b08e812f8ce1aa6996ac8379498a28b8dba837729aa979d5e8eb5402b028b46077984181187bdc7f2f6b9f0c3de010da4c3f3b23f9c4908ac01033662e7ead5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.dll

Filesize
180KB

MD5
e245d2bcdbb56510dbf08ad4d6fb462a

SHA1
9c3959c52003215cf1c9d3cb1c875872a821d1b3

SHA256
03b8adae21b2d9cb4e18c18d440e16b585c00a272827ccc515d13898bfb5a6d3

SHA512
3b08e812f8ce1aa6996ac8379498a28b8dba837729aa979d5e8eb5402b028b46077984181187bdc7f2f6b9f0c3de010da4c3f3b23f9c4908ac01033662e7ead5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.dll

Filesize
180KB

MD5
e245d2bcdbb56510dbf08ad4d6fb462a

SHA1
9c3959c52003215cf1c9d3cb1c875872a821d1b3

SHA256
03b8adae21b2d9cb4e18c18d440e16b585c00a272827ccc515d13898bfb5a6d3

SHA512
3b08e812f8ce1aa6996ac8379498a28b8dba837729aa979d5e8eb5402b028b46077984181187bdc7f2f6b9f0c3de010da4c3f3b23f9c4908ac01033662e7ead5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.dll

Filesize
180KB

MD5
e245d2bcdbb56510dbf08ad4d6fb462a

SHA1
9c3959c52003215cf1c9d3cb1c875872a821d1b3

SHA256
03b8adae21b2d9cb4e18c18d440e16b585c00a272827ccc515d13898bfb5a6d3

SHA512
3b08e812f8ce1aa6996ac8379498a28b8dba837729aa979d5e8eb5402b028b46077984181187bdc7f2f6b9f0c3de010da4c3f3b23f9c4908ac01033662e7ead5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.dll

Filesize
180KB

MD5
e245d2bcdbb56510dbf08ad4d6fb462a

SHA1
9c3959c52003215cf1c9d3cb1c875872a821d1b3

SHA256
03b8adae21b2d9cb4e18c18d440e16b585c00a272827ccc515d13898bfb5a6d3

SHA512
3b08e812f8ce1aa6996ac8379498a28b8dba837729aa979d5e8eb5402b028b46077984181187bdc7f2f6b9f0c3de010da4c3f3b23f9c4908ac01033662e7ead5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Client.manifest

Filesize
1KB

MD5
57af326407fb99456e93cb6e93e984e5

SHA1
71afef3fe293f832b55b7fec0dea9d83444cf779

SHA256
1e1cc7b366e871ce234963ebba5b5a3a37a30d1232497d3b5c87a1421c484ade

SHA512
7533f19c054c320f7256953245f3adad2f321c34c39d9547841212bb98dcf5650776df7aee23682d8d03fd9d3845d7c4464eee4a20b0f041121b4518aed812d1

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.dll

Filesize
32KB

MD5
f3c35d71ca61d455fc70b083f2ffccff

SHA1
febad304055fbc346801301bc1a2314c76a0e7ac

SHA256
7a0135739d307a9c92d02f4870439e70ac2123206599c7b3524f0fd801a679a8

SHA512
a1968984ffdd5b99aa90adf8539b81c1214ec5ba7b7602079a51f5e0c7eb9341d9208a6706cc2dbf45e326d21cfca304a2990e3d71891f84b3c695d6ef80721c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe

Filesize
92KB

MD5
34700aa76a0d019e4fe3a99e46b3c2b2

SHA1
cbe71bdc124e767529c2b22b0bf654317e559b59

SHA256
a26036993ed4663c1194bcca3d863952d70660a232dd4fd311e1786dca51d424

SHA512
b380e59d0d0f7eb7f3154d01dba7843b91eadf00086936ced484883612165b7211c68fa25ff9c4697130c61e7a1f4a9429a95ed27fc14259ef75a08e58e6e97d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe

Filesize
92KB

MD5
34700aa76a0d019e4fe3a99e46b3c2b2

SHA1
cbe71bdc124e767529c2b22b0bf654317e559b59

SHA256
a26036993ed4663c1194bcca3d863952d70660a232dd4fd311e1786dca51d424

SHA512
b380e59d0d0f7eb7f3154d01dba7843b91eadf00086936ced484883612165b7211c68fa25ff9c4697130c61e7a1f4a9429a95ed27fc14259ef75a08e58e6e97d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.exe

Filesize
92KB

MD5
34700aa76a0d019e4fe3a99e46b3c2b2

SHA1
cbe71bdc124e767529c2b22b0bf654317e559b59

SHA256
a26036993ed4663c1194bcca3d863952d70660a232dd4fd311e1786dca51d424

SHA512
b380e59d0d0f7eb7f3154d01dba7843b91eadf00086936ced484883612165b7211c68fa25ff9c4697130c61e7a1f4a9429a95ed27fc14259ef75a08e58e6e97d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.ClientService.manifest

Filesize
1KB

MD5
8a486a199403982bb60b9b673125a28a

SHA1
972b1a4820ad230551527d1ade15b11fe577ddc3

SHA256
2dfec823921c14cd28de42263228a6d908f7f444fc739a390344a2983f14c0ef

SHA512
a5b5539abf5d1393af0bd8e0c09aab5360bd254042f31f8bf48f176fc87ba84eab6c1855a07ce12c652a47a5957e05e8b0bb1b5fbbc4cd785d40a737a4bfe114

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.dll

Filesize
441KB

MD5
99eab5cd79dc04097f1c22e8ed0d840b

SHA1
a90468d2430e51ff816ed4598b21fb66cfc4df16

SHA256
6b0adba76fef5b60a1ce5c21ef514d1463f31925f415aabb71ca00de79eb9d4e

SHA512
5a3f8ee7c58ab0c770d0a229066f90427950463e1e41c4f71772ae573c75debf77f4225c935b880cf2472f1915cea7b31dadb439d72c497aa131213ea26c469b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.dll

Filesize
441KB

MD5
99eab5cd79dc04097f1c22e8ed0d840b

SHA1
a90468d2430e51ff816ed4598b21fb66cfc4df16

SHA256
6b0adba76fef5b60a1ce5c21ef514d1463f31925f415aabb71ca00de79eb9d4e

SHA512
5a3f8ee7c58ab0c770d0a229066f90427950463e1e41c4f71772ae573c75debf77f4225c935b880cf2472f1915cea7b31dadb439d72c497aa131213ea26c469b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.dll

Filesize
441KB

MD5
99eab5cd79dc04097f1c22e8ed0d840b

SHA1
a90468d2430e51ff816ed4598b21fb66cfc4df16

SHA256
6b0adba76fef5b60a1ce5c21ef514d1463f31925f415aabb71ca00de79eb9d4e

SHA512
5a3f8ee7c58ab0c770d0a229066f90427950463e1e41c4f71772ae573c75debf77f4225c935b880cf2472f1915cea7b31dadb439d72c497aa131213ea26c469b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.dll

Filesize
441KB

MD5
99eab5cd79dc04097f1c22e8ed0d840b

SHA1
a90468d2430e51ff816ed4598b21fb66cfc4df16

SHA256
6b0adba76fef5b60a1ce5c21ef514d1463f31925f415aabb71ca00de79eb9d4e

SHA512
5a3f8ee7c58ab0c770d0a229066f90427950463e1e41c4f71772ae573c75debf77f4225c935b880cf2472f1915cea7b31dadb439d72c497aa131213ea26c469b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.dll

Filesize
441KB

MD5
99eab5cd79dc04097f1c22e8ed0d840b

SHA1
a90468d2430e51ff816ed4598b21fb66cfc4df16

SHA256
6b0adba76fef5b60a1ce5c21ef514d1463f31925f415aabb71ca00de79eb9d4e

SHA512
5a3f8ee7c58ab0c770d0a229066f90427950463e1e41c4f71772ae573c75debf77f4225c935b880cf2472f1915cea7b31dadb439d72c497aa131213ea26c469b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Core.manifest

Filesize
1KB

MD5
0c3c42bc36372806f3a9c94a14bf5942

SHA1
0eb22e50cf3fa826df0d3060f15158c6f3b14a26

SHA256
553adb708c4113f36854a8a12509e3983fabd71cfa032ef3074b394e5a9965af

SHA512
5b7dd0a23dea5154afa63415a7fbc03d6bc47896eef89e29e227d895b9405a0eff9d19d7f05b2c102afa4b8360024973ff1504f0c0842bcc706dcabc39a79cdd

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
ee9a6b55f260fcbcecdde33bcb320e4f

SHA1
c133edbf13e324ea06799c2990532b4443575fa0

SHA256
fa9af5bc6b913c84bd55387b854fa16e676102cdf7dbfe30b53a5ec76b68af35

SHA512
f4bd9673e47b0d4cf8fdee8b3c31d4b860d90920ebce65ab8225237365ad375b155343a9f5ca97b0c31dbe12de4735e34c52860119f1de5a52dacc898e5e5d53

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
ee9a6b55f260fcbcecdde33bcb320e4f

SHA1
c133edbf13e324ea06799c2990532b4443575fa0

SHA256
fa9af5bc6b913c84bd55387b854fa16e676102cdf7dbfe30b53a5ec76b68af35

SHA512
f4bd9673e47b0d4cf8fdee8b3c31d4b860d90920ebce65ab8225237365ad375b155343a9f5ca97b0c31dbe12de4735e34c52860119f1de5a52dacc898e5e5d53

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
ee9a6b55f260fcbcecdde33bcb320e4f

SHA1
c133edbf13e324ea06799c2990532b4443575fa0

SHA256
fa9af5bc6b913c84bd55387b854fa16e676102cdf7dbfe30b53a5ec76b68af35

SHA512
f4bd9673e47b0d4cf8fdee8b3c31d4b860d90920ebce65ab8225237365ad375b155343a9f5ca97b0c31dbe12de4735e34c52860119f1de5a52dacc898e5e5d53

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.Windows.manifest

Filesize
2KB

MD5
42801219c28fd1eb2ca5bae9644e6292

SHA1
569d1a83d8645913a19e0316e0a9ac9aa75ef78e

SHA256
b46663103b128cc1fcc745a44642472c58fa7762a08f7b7bc4ca5936acded8d9

SHA512
c527f5bf17edf7c9c446dc018a2d7476415bc1b819b4b3d6536ae586ee38d0066159a8c9c9c26b87b43e61fa957e54ccfb6ed6075cd6962120c88ee0dea6fdc7

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe

Filesize
559KB

MD5
bb0c17757097f078181ecafedf8ccc38

SHA1
67fafb862dd43a928585ea6f06561b7e8bdbabbe

SHA256
a7c624c71889f0df5d4b8959122fa26d917e53984f2af2fcdb199cad27ec03d3

SHA512
0b7c12ba8c04d2dd0744429c896cf0048c6b9451822b533b850c5a8e77367b5b6a419d8bbd2011301094c1357d4d9799bccf04985249403bad8d451384b41888

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe

Filesize
559KB

MD5
bb0c17757097f078181ecafedf8ccc38

SHA1
67fafb862dd43a928585ea6f06561b7e8bdbabbe

SHA256
a7c624c71889f0df5d4b8959122fa26d917e53984f2af2fcdb199cad27ec03d3

SHA512
0b7c12ba8c04d2dd0744429c896cf0048c6b9451822b533b850c5a8e77367b5b6a419d8bbd2011301094c1357d4d9799bccf04985249403bad8d451384b41888

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe

Filesize
559KB

MD5
bb0c17757097f078181ecafedf8ccc38

SHA1
67fafb862dd43a928585ea6f06561b7e8bdbabbe

SHA256
a7c624c71889f0df5d4b8959122fa26d917e53984f2af2fcdb199cad27ec03d3

SHA512
0b7c12ba8c04d2dd0744429c896cf0048c6b9451822b533b850c5a8e77367b5b6a419d8bbd2011301094c1357d4d9799bccf04985249403bad8d451384b41888

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe

Filesize
559KB

MD5
bb0c17757097f078181ecafedf8ccc38

SHA1
67fafb862dd43a928585ea6f06561b7e8bdbabbe

SHA256
a7c624c71889f0df5d4b8959122fa26d917e53984f2af2fcdb199cad27ec03d3

SHA512
0b7c12ba8c04d2dd0744429c896cf0048c6b9451822b533b850c5a8e77367b5b6a419d8bbd2011301094c1357d4d9799bccf04985249403bad8d451384b41888

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe

Filesize
559KB

MD5
bb0c17757097f078181ecafedf8ccc38

SHA1
67fafb862dd43a928585ea6f06561b7e8bdbabbe

SHA256
a7c624c71889f0df5d4b8959122fa26d917e53984f2af2fcdb199cad27ec03d3

SHA512
0b7c12ba8c04d2dd0744429c896cf0048c6b9451822b533b850c5a8e77367b5b6a419d8bbd2011301094c1357d4d9799bccf04985249403bad8d451384b41888

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.exe.manifest

Filesize
13KB

MD5
5ec02b5216241aba809c9d5b097fbd1b

SHA1
e7e6458904b6162ae2c64d8e8bb1f63e11e0bc9b

SHA256
7d5a01c1971cbe03374c1d5bef35cf2058c11ff3157f4924b9783213cce41d02

SHA512
246fb37ad94b03c63ec0edfffecbcc628ce9b5c0a8a45ba951294f909442759da60640f3ac82393885573851fb669eb1b349745910a4462766e1ec88695046fe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\ScreenConnect.WindowsClient.manifest

Filesize
2KB

MD5
51df39870acbc9b977a7244ca9d7ab2c

SHA1
0ad0c680bc43f629e34abfa428eeaf16a0bd8373

SHA256
47716c8cdbc1129ab0d6225766c61bde3e07f3af69108284cba7ccba910afcb6

SHA512
0a1d59f0e12bab82375d9481fc05b1e9f7655a2c1ceaccc51054a13c4b3082dd33a8e647b57c37c06813c8d0600cba4e045fa5624f7c923f01c9f15664c8bf44

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\YZ461A3V.25Q\653ET9K3.EA2\scre..tion_b15b0581876c57b7_0016.0003_ec1e1b403c033ca6\app.config

Filesize
2KB

MD5
7fbfafe14fcfe93351dd077a4d6fc6e1

SHA1
dfe8926226bf080bdc6761bc40f1625c07c1d4aa

SHA256
e3996a71eae9d5135e01c7c6a2d2c06741786f879ec11f5fa658157cea245ecd

SHA512
e33cf278f87741bbb6214cd48adb2a357ad52331e987946488eeff3c4fb72bc2d82b2c5b032e88e964dd06b66cc9ee8f7ea80ae2f3c5cee76f1bf83d1899ba6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
c93d0375c24bbf706fd12a6567818f1a

SHA1
f53d64277a31981b44a67f0b620a2b5eae13734e

SHA256
30842f1706019fae134146c73ac040af72915e746c642be165b14a35a841443c

SHA512
5c45a1ff434b4b46de079406a8fe1fce22641300eddc6e657bc139c78309645d2c64056454a096cf35de2ebaf23d564e13479465dc7c96788adfdf7b2f182777

Download Submit
memory/2076-180-0x00000000053C0000-0x0000000005434000-memory.dmp

Filesize
464KB

Download
memory/2076-177-0x0000000005300000-0x0000000005334000-memory.dmp

Filesize
208KB

Download
memory/2076-172-0x0000000002D20000-0x0000000002D2E000-memory.dmp

Filesize
56KB

Download
memory/2160-190-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-153-0x0000000000950000-0x00000000009E0000-memory.dmp

Filesize
576KB

Download
memory/2160-156-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3220-201-0x0000000003E80000-0x0000000004006000-memory.dmp

Filesize
1.5MB

Download
memory/3220-193-0x0000000003B50000-0x0000000003CE8000-memory.dmp

Filesize
1.6MB

Download
memory/3220-196-0x0000000003A40000-0x0000000003AD0000-memory.dmp

Filesize
576KB

Download
memory/3220-203-0x0000000004260000-0x00000000042B0000-memory.dmp

Filesize
320KB

Download
memory/3432-207-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-209-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-134-0x00000211EFA20000-0x00000211EFBA6000-memory.dmp

Filesize
1.5MB

Download
memory/4916-135-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-136-0x00000211F13B0000-0x00000211F1400000-memory.dmp

Filesize
320KB

Download
memory/4916-137-0x00000211F11E0000-0x00000211F11EE000-memory.dmp

Filesize
56KB

Download
memory/4916-138-0x00000211F51D0000-0x00000211F5368000-memory.dmp

Filesize
1.6MB

Download
memory/4916-139-0x00000211F2BA0000-0x00000211F2C14000-memory.dmp

Filesize
464KB

Download
memory/4916-140-0x00000211F1400000-0x00000211F1434000-memory.dmp

Filesize
208KB

Download
memory/4916-141-0x00000211F2BA0000-0x00000211F2C30000-memory.dmp

Filesize
576KB

Download
memory/4916-133-0x00000211D53E0000-0x00000211D53E8000-memory.dmp

Filesize
32KB

Download
memory/4916-169-0x00007FFD412F0000-0x00007FFD41DB1000-memory.dmp

Filesize
10.8MB

Download