1a7788ccb3bf8bfdb822b1a955c3b64e6ff49956340eac63321be3f7a4f89b26

Resubmissions

22-05-2024 22:30

240522-2e8gesbe22 8

22-05-2024 22:27

240522-2c5mrabc3z 8

Analysis

max time kernel
88s
max time network
104s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Support.Client.exe
Size

84KB
MD5

77d5598838a91a3b31773f0203a5f430
SHA1

95ce1a451278b3a6f9a7f4d7c5b1a091e33125ef
SHA256

1a7788ccb3bf8bfdb822b1a955c3b64e6ff49956340eac63321be3f7a4f89b26
SHA512

3f439bc8bc64fbbb706260fa55ffcbc406400fae855975de144afeff140a58c09320ec38456e78c03f5babfaa6d571ea059cc44323f36d63d82bc9ebe2280b40
SSDEEP

1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8x5:yFNpo6rIKlUE8fbkqRfbaQlaYYS5

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

Support.Client.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Support.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Support.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	Support.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	Support.Client.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ScreenConnect.ClientService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (e3f41579-5201-4842-a55e-fbee470be1e0)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\97NWT833.CNA\\5A19POZ3.0JE\\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=37.221.67.32&p=8041&s=e3f41579-5201-4842-a55e-fbee470be1e0&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAelrFv5mkNUWK1UAkxbENPgAAAAACAAAAAAAQZgAAAAEAACAAAADhxAEcfhxVkDTs29A%2bsHoWlAd%2bkhOKCbC4VAaiXM2sYwAAAAAOgAAAAAIAACAAAABEYKx%2bjvzNkUFtv%2bTC1jAyL8JFgXIAJ6MBxEvpdnr1Q6AEAAAx6WKWDedWqcsAWCye7oYb%2bPnKrEjF0WYaVcIoaE9eX9aCxyzvG8DFY%2bn3nw2gV8WUdNv%2fUSxY4w4UPzSdjRmvzuApGx2Rwyo3t69vtikSPJAozQKnJPquxxg9pwzJ4Q3O0VRwhc5rUMwDmtUNAGpiOA8Qp2ZJzVDG5jnlGAsI7hyamYYPIMFyqrxXISyQSv5tgy4FWqXZx2qlKSiULU5rTTnosVLnP23JePnRYTdVkSfYGaPXBOuLGgiNmsekmNn2CuqbfLTIv5QGYmnjYqrOsZ3ZL3BZEpHUErsLSGenIPnjcvhoM%2bwZthPcvqj4lLpaQv%2bMHYBqYYkGGV%2bDvh9ToAPbXmTKHwrb1A%2b9uSWgW6tGnyjsuybnZJgP%2f4g2GKrL4qt8CnSrO02NDWoZe4jwbFx%2b1XTsnourQLbYH59bdtSpu7VNuWE4CiUbfbFoWsjtM0hqFfwsBkUDSyIbhdppfcxrYKdnwr8mRqzrCZdwBP9Oh9WGz9gXByA0GQMklBwCD6EXdyr2z%2bY8c2WCcXR8j67FAan%2bcUIFTbSqFCXX3JrK6W5iaPB1miELdImtv%2f2juhNUgwEYp9VHh%2fA9hFdQRf1CjFekC%2fatWiRO2UXTH4CFDrhWKTnG9wo3Q%2b0UMGqDxKlRIVn6NXX6PZYrwaM9gS4K32IDYpDiCNWKx63VVWTRAPAdLvfxJ6jcVjPtBrG1M7oo%2fLDKfsGJq7v5XrJ%2fFvPpPldIfZqrXUw06zEBo3QtJTM%2fWpWoKXa1azQVGOQtkelEq9rcxxzC9kiBsVud4wHP%2bpXNFtdyObNhEfthstmDvnAkAiNoGdVqAqECuY6H7q4Ulo9teeltEAae%2bk8qBgnbv96y%2bwJKvjql%2fflqD6RAAJ%2ffvlT5yywZSAnAZsRP%2bbgUkq%2fv4wbcMSbv%2fAPxF5HLHbtutL6LmO5udOKNdoIqsHkX60dLIzvGzpQnzOQQq1%2bIhkFAyy9vu3dTGk7k7Tgpe%2bTNM4upbSlfXkETRnREifXtSDAAd8V3ln31rSmpXWU%2bUjfvMbi0aXprDMxiCmopwln9n6PZtaKOzXpDzaAjq9lPJPEWnX993%2fwCv%2bFrbvb6Iw%2fkqRCdo8kqxM0zg8rNvYFX08g4TY0%2bUbwnGz%2f%2bLmlzRHc0RjTeY67WwRYfK5vvsxTwZ%2fOvTwxke8bYZgycDNctux1edzE9r%2f%2bDRBkaQRu9TuXBBJ4pGBiPsH4QPAA%2byW%2bTrxtYLJEXmmNmNM%2fYcPyctdj32Z%2b8hHZ1VU4Ay1khVyTDNjVyrr6RhLFa9JUJsM0WGVN0Z0EB0etWnT35feqqbZneuZFQmTTdN14OEH3ewq21t5wiDFGbM16bUlSs61t7ppUTENooD7UaqIuRL4uC4%2f%2bv2MmdVbyP4FqTWQEbhtX2wcNdQH29Wnc81ZvH23EvDdlc5TZxlX4YoE1YAJIfcsTbm6kwi6lOg69Sp6kSpNAFUPRW5nuM3Ii%2f63Ng81zuO8NVBBx%2bYVOlSFbiEJ6OXs629tSHtE2plFIMxo2KfXqMaBRjKYLD0Z1C6panMt6syO7iZ5HJEYLSyePDd8pJULwo%2fePUxtKjhkAAAADvPXdselR0myCijfP%2b60XzY5b4oNNxrrrdv3IBjkWS5ItRr1KnqYMKsyQtvOB9HXJ5hEfoMEAQjmRYp%2b905Y2x&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 4 IoCs

Processes:

ScreenConnect.WindowsClient.exeScreenConnect.ClientService.exeScreenConnect.ClientService.exeScreenConnect.WindowsClient.exe

pid	process
2628	ScreenConnect.WindowsClient.exe
1712	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
2528	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

Processes:

ScreenConnect.ClientService.exeScreenConnect.ClientService.exe

pid	process
1712	ScreenConnect.ClientService.exe
1712	ScreenConnect.ClientService.exe
1712	ScreenConnect.ClientService.exe
1712	ScreenConnect.ClientService.exe
1712	ScreenConnect.ClientService.exe
1712	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe

Drops file in System32 directory 2 IoCs

Processes:

ScreenConnect.WindowsClient.exe

description	ioc	process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

ScreenConnect.ClientService.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

Processes:

dfsvc.exeScreenConnect.WindowsClient.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!040000008b6e760f440a0000b00a0000000000000000000 = 30303030306134342c30316461616339373439323436346530	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\DigestValue = cc57bfd02228be76c6e08bde16996fa992ff0e54	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_84 = 68747470733a2f2f7a65722d676a6839352e7362732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_84 = 68747470733a2f2f7a65722d676a6839352e7362732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\SizeOfStronglyNamedComponent = a8ff010000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\Files\ScreenConnect.Client.dll_fc1d7bd48553fcab = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\SizeOfStronglyNamedComponent = e04f040000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_849dae1522b06566\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c3	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\SizeOfStronglyNamedComponent = 3c2e080000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\lock!110000001e6e760f24010000d808000000000000000000008003 = 30303030303132342c30316461616339373364313034616330	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\Files\ScreenConnect.WindowsClient.exe_6492277df = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!040000001e6e760f24010000d8080000000000000000000 = 30303030303132342c30316461616339373364313034616330	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f007a00650072002d0067006a006800390035002e007300620073002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d00330037002e003200320031002e00360037002e0033003200260070003d003800300034003100260073003d00650033006600340031003500370039002d0035003200300031002d0034003800340032002d0061003500350065002d0066006200650065003400370030006200650031006500300026006b003d0042006700490041004100410043006b0041004100420053005500300045007800410041006700410041004100450041004100510042007400520063004f006d006b00720067004e00590073006c0052006f0063004f006b0054006b00750054007900690068004f007000690038006a006900470055003000360036004e005900520039006a004200440058006b00480078006d005300510032005900560055006d003300730038002500320066006f006f004a0059006e0045006800530056003700660055004e004700310042003500650045002500320062004500420061005400730064004d006a00750053007900360077004d00350073005700480069004e006f00760030004900250032006600430069003200520038006900640074006600370068003000730052004e007900550058005900550035006d007600330057002500320066002500320062004100410055004600350046005600530071007a006e006c004e00680037003900680059007000510035006900620076003200410045007300760047003100760037007a0049007a007000560049006500390047004a004b00450061004300790069004d0059006e004e00770053006b004e0072004a0079006b00370045004800520064005a007100710074006e006b00660059004e005000370056003500710053002500320066003500450047007700440034004700310051004f004f006e005a0068003300310059004a0062006a00410059006200510038004700500025003200620031003600580070006b004b004b006300430064004f00750051006700470058004a00630043007900440066006b00370075005400520033006a007a00530038005a004b007500760065004f0063004d00430072005900670067006300570059004100300075002500320062006a00440066003300680078006d0062004f006f0048004400560054004e00720068006c007000740033005200360078005a00610045006300470045006f00680062005a004a00360039006d0067006c00440067007000610075006b00530036006500260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 68747470733a2f2f7a65722d676a6839352e7362732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsFileManager.exe_0e21 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f007a00650072002d0067006a006800390035002e007300620073002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 32003000320034002f00300035002f00320032002000320032003a00320037003a00350032000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_849dae1522b06566\appid = 68747470733a2f2f7a65722d676a6839352e7362732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_84 = 68747470733a2f2f7a65722d676a6839352e7362732f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 30000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_5c31eb4377b5736b	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\lock!180000008b6e760f440a0000b00a0000000000000000000 = 30303030306134342c30316461616339373439323436346530	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_849dae1522b06566\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsBackstageShell.exe_8 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\DigestValue = b12197a877fb7e33b1cb5ba11b0da5ca706581ba	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445	ScreenConnect.WindowsClient.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Support.Client.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	Support.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Support.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	Support.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Support.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	Support.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	Support.Client.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ScreenConnect.WindowsClient.exe

pid process

2528 ScreenConnect.WindowsClient.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ScreenConnect.ClientService.exe

pid process

1248 ScreenConnect.ClientService.exe
1248 ScreenConnect.ClientService.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dfsvc.exeScreenConnect.ClientService.exe

description pid process

Token: SeDebugPrivilege 292 dfsvc.exe
Token: SeDebugPrivilege 1248 ScreenConnect.ClientService.exe

pid	process
2528	ScreenConnect.WindowsClient.exe

pid	process
1248	ScreenConnect.ClientService.exe
1248	ScreenConnect.ClientService.exe

description	pid	process
Token: SeDebugPrivilege	292	dfsvc.exe
Token: SeDebugPrivilege	1248	ScreenConnect.ClientService.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Support.Client.exedfsvc.exeScreenConnect.WindowsClient.exeScreenConnect.ClientService.exe

description	pid	process	target process
PID 3048 wrote to memory of 292	3048	Support.Client.exe	dfsvc.exe
PID 3048 wrote to memory of 292	3048	Support.Client.exe	dfsvc.exe
PID 3048 wrote to memory of 292	3048	Support.Client.exe	dfsvc.exe
PID 3048 wrote to memory of 292	3048	Support.Client.exe	dfsvc.exe
PID 292 wrote to memory of 2628	292	dfsvc.exe	ScreenConnect.WindowsClient.exe
PID 292 wrote to memory of 2628	292	dfsvc.exe	ScreenConnect.WindowsClient.exe
PID 292 wrote to memory of 2628	292	dfsvc.exe	ScreenConnect.WindowsClient.exe
PID 292 wrote to memory of 2628	292	dfsvc.exe	ScreenConnect.WindowsClient.exe
PID 2628 wrote to memory of 1712	2628	ScreenConnect.WindowsClient.exe	ScreenConnect.ClientService.exe
PID 2628 wrote to memory of 1712	2628	ScreenConnect.WindowsClient.exe	ScreenConnect.ClientService.exe
PID 2628 wrote to memory of 1712	2628	ScreenConnect.WindowsClient.exe	ScreenConnect.ClientService.exe
PID 2628 wrote to memory of 1712	2628	ScreenConnect.WindowsClient.exe	ScreenConnect.ClientService.exe
PID 1248 wrote to memory of 2528	1248	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe
PID 1248 wrote to memory of 2528	1248	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe
PID 1248 wrote to memory of 2528	1248	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe
PID 1248 wrote to memory of 2528	1248	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe
PID 1248 wrote to memory of 2528	1248	ScreenConnect.ClientService.exe	ScreenConnect.WindowsClient.exe

C:\Users\Admin\AppData\Local\Temp\Support.Client.exe
"C:\Users\Admin\AppData\Local\Temp\Support.Client.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.67.32&p=8041&s=e3f41579-5201-4842-a55e-fbee470be1e0&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1712

C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.67.32&p=8041&s=e3f41579-5201-4842-a55e-fbee470be1e0&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\ScreenConnect.WindowsClient.exe" "RunRole" "2ba14351-f06a-41a0-9233-69a8d622193e" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  PID:2528

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.cdf-ms

Filesize
24KB

MD5
d9f5224cb19e7a4f3631a91ab49abd03

SHA1
9411cbc029190f4cd14b05a2ff278bbbdf9c6253

SHA256
756c8e0400743c46bba1fa6c7dbed3c717c39ea3d408c385635cf43f463ee3a9

SHA512
44e600858bb6d7c1d94dc98ce4d1a8e05f765b0b69bae991afa7daa04d2859cd8306a0918f879117a3207c3b9ae41ee2bcc2cacc3518af0edac9506bcae22c80

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.cdf-ms

Filesize
3KB

MD5
f9ad7573793c82a8cdfcaac821ff3179

SHA1
e3be910e22be02267a53ad8ca5a83e577a44d13f

SHA256
5b70af3e3d3c212ca113de8715e33aaa0073156b7379600812bbd1915bed6ef9

SHA512
92e5f3f4eaec2682e15b135d2628fbfacc2823ec18bda07107ddf454c09543c1706a0f301f93fbd10644cb84c0caf39d6969da0acdc24401ce6e66f9591996bc

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.cdf-ms

Filesize
5KB

MD5
a2e4a44fdebff3e0901534d5d4a4f239

SHA1
bad8db0ca6d246ea526426cb8130ba7cfe8f22c6

SHA256
6d46d25b5834db1129b3c837c59b32df287eb872c3af00b63a445bcfa4360e2a

SHA512
457aad2e1a6b135251ac18c278fb218d6ec692a9c6744099d3604119a6825bb18a04689cd3f7e506bf2c61020eacfc82d6d5425df02c93804ace80c53bb5f05e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.cdf-ms

Filesize
6KB

MD5
9e287a3971786f4c473bb3cd947ad4fa

SHA1
2fee2a48de5b7b956deeb15560387b47b7084ebd

SHA256
6550b1aecee1136db631beaf4525a45b01e4dc9a9c3814b552accd40525471ab

SHA512
c47dd677698c5fc45bcb4fa282ad57c1764b9b68d6930026522388ea74e9973e315c21c8a161891231227fd12be74ed9b3d6749b2d07a59e55549dac854207f1

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.cdf-ms

Filesize
2KB

MD5
eb2eb2333f9cccf9759cea90fc5b4b67

SHA1
d231032a460d34e5d41889b455f39c91bf220fb1

SHA256
f4e933a28d89ba9358f0a0c0d2261dee2750bdb32c7f735bb4c96b7aebb89d46

SHA512
b57c0c3647f7b8523c7328feb7faff7943e196fe88628078bb58acf1c973945cf374df3ab92542bbcae4ad502701946edd69c854c9fe040480410224df198915

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.cdf-ms

Filesize
14KB

MD5
80539ed2eec2bc14f074bc399397f2a1

SHA1
89c64a8d87008783fd2dbd3e74a0595fa70fb414

SHA256
f3c6b3fc0a4493ea137326fed840dcc3c73adbfbd23ab10e31744b2ac57fabeb

SHA512
0bae031bb9ea3a3cff8ef95c3acae0c77c83045fb066b45753145db8ddd2697f6c1174af4f66feca8a9554c72dfa7ff778d6e3e6403150ab470e95543b70236e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.cdf-ms

Filesize
4KB

MD5
fc3a5695477949b335c42e8d2849fdd8

SHA1
d79e370bcaced780a92aab1d087d6dc24dc24a19

SHA256
fe6409a19a2746e0bcd157a5e2d630636c829c899bf95821a939ab59f34cc8bc

SHA512
593d204003272e9c9c8bd745f2da4ef043567f93d006af2acfcd1f965bca0462b054f0b4586bcaaaafd31cfd7cea78a8091ec79d13489cb22da9211893789265

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
dc615e9d8ec81cbf2e2452516373e5a0

SHA1
ec83d37a4f45caeb07b1605324d0315f959452e9

SHA256
e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc

SHA512
82fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
10dba57f22a6ab4039330000570f39f8

SHA1
b8b5c65a89256177da802c4c9cbd11b013221730

SHA256
9bd8d15759f83d99edd1f2617d59a94e1c2bb4bd7c4977958f5d5f22c5a7c469

SHA512
38230b63a4630145608f619d75ca3115c05ab0338fb57566e012df1bd157123a670a37ae0fea92351ab7352319a5af29f9db3f8bb14962f3f0de3a4f5a5b754c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
c333d3a6eeb74e4d76c3b9e0f6bfd04c

SHA1
a39e2643e8dbd2097829e0b08938726557cb8e36

SHA256
998d7a0cd6b1a837489e55e99cb992088b9fde220a1025346a461849e1f50d22

SHA512
58cc7741ebe1aada93fd82a3e0a571a9a1aa3e400c46e7cdddef876d74f4fbbcbae4293ac556b3823e8dc977e7ce72337a16c2d48eab0aa52b736412ae43c634

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\Client.Override.en-US.resources

Filesize
267B

MD5
792096f4ccaefe1c116fb86160be5d24

SHA1
01552786d38d10cf6cd806e436e45837f835fcac

SHA256
71568a2c4e87b465322ef2820151a76af3ac188524d6197cc1d39f256da6d9ef

SHA512
a4e5cbf40326f2aca956e89700a1d59e085179d1104d6ccaf66b7c427d2a84cff6928bdcdd41ed9c0e4a83a3a109d4213e3c68c46ca0acaa1e8fe8944f32e5eb

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\Client.Override.resources

Filesize
256B

MD5
36b2b875649f27ac6cddde306e9b3b57

SHA1
0a88910eeeb9cf725b52e90f4c3c113e61c7c0c7

SHA256
ce99d2022eb57129b951fbe6dfb9f3ac6bc9f9c41055ef577693a17bd0df6674

SHA512
cabbfcb4e516feafda44660add41c1284b86be2b778985717c27301f1ff81075ae423470b87e1fdf8b2589a9f54c8e2227e116e3f2581dd66ec9bcf6a6251f69

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\Client.en-US.resources

Filesize
47KB

MD5
3e83a3aa62c5ff54ed98e27b3fbecf90

SHA1
96d8927c870a74a478864240b3ace94ad543dfb8

SHA256
2d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90

SHA512
ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\app.config

Filesize
1KB

MD5
cde6c7b679f1e6b9d9122e682001b667

SHA1
8a398446bf3ad915ad65ee5246f36c566933f8f2

SHA256
ea29f6f1d993b86b04f54f169108731478c35ffe0719129cd2bd94ef182bc9db

SHA512
0fbf319e9b86c3ec69a2e4e7c78c2c0f6aab70e02f63aaa3d5c8c98b72b94bf3d18403d7ccf0a64515313361335ed3866fc1c9c914f24969a136383aa8a44e11

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\97NWT833.CNA\5A19POZ3.0JE\scre..tion_25b0fbb6ef7eb094_0017.0009_5d94eb819e6b90b1\user.config

Filesize
560B

MD5
79e49a1370283c2a2c7479d67299fd5c

SHA1
836da09044697270a3fbcb834a1176c5c8c588b4

SHA256
57f6ba28815354b8fae4d9a60c763b4bea6345ecebdd8aa45778dbbc346982a0

SHA512
151150e147558feb0ee32244e4bc91a9dd650d178d9d765db97211697978f44d0defafd36f91192677f580f2475e28aa40bb00d5e81444327fd473f7d56a9281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Client.dll

Filesize
188KB

MD5
6bc9611d5b6cee698149a18d986547a8

SHA1
f36ab74e4e502fdaf81e101836b94c91d80cb8ea

SHA256
17377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed

SHA512
3f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
9ce092e164085ce2566f654314bf99dc

SHA1
acef36091ec262a4c42aa5a5b394c71b13b4767e

SHA256
6b36ddce4021fd15c29cf63c7102e60edfe2627d1b00ef97d0b4de3051737439

SHA512
95bd7f9315dc181de529d940e697b652651bc9e954e96fbc059998909259a719af062548c533d24350c25a159cb113f568eb7c622ae3069ce25fb9224ebf02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.ClientService.dll

Filesize
60KB

MD5
22af3a23bd30484514cdacf67c5b3810

SHA1
e92a4eaee9d896964de541ce2f01c2404b638258

SHA256
7c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9

SHA512
95e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
f94d041a8128be81c4347caf6a3c47bf

SHA1
3285f9acf70c0e4d34f888c28bd3f693e3df5909

SHA256
91a65bacad5f7f70bddc6209ed65dd5c375cef9f3c289eab83fd90d622adf46b

SHA512
90199543207caf9b4501be7e9509dc9526dafcd5602aaed700314763021c8f3ed06d93a31a90a34cb19d4fb7184aa7d154b197f9e535657aeb9eb872da377a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Core.dll

Filesize
519KB

MD5
b319407e807be1a49e366f7f8ea7ee2a

SHA1
b12197a877fb7e33b1cb5ba11b0da5ca706581ba

SHA256
761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742

SHA512
dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
6da6dc34636435e9c2bd1b5ff79091b5

SHA1
61b6d8c16330fe9063f041bcc025c10de82d876b

SHA256
98d4edaa86468540d2d17ef17a9bcd7224b128099a51a8f92a65a88950dcb44c

SHA512
0bb929107ecfa257dfb2ff7b37955d8c2402287e989c015632a6292362858667a398ad0563103c1324a29585a8177aaa4bce3c57d867735e40d2cc5c996bd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
29454a0cb83f28c24805e9a70e53444a

SHA1
334202965b07ab69f08b16fed0ee6c7274463556

SHA256
998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14

SHA512
62790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
1fb3a39063c9fbbc9252d1224cf8c89d

SHA1
0f0622eb6205f515651e055c17d0067a94308721

SHA256
199c3f5089b07f1fb6cb343180620b2094bcdda9e1f6a3f41269c56402d98439

SHA512
8c70ff2fe2f1935454aa6bb4ce0998da1adcbfe7219f1eaee4688ee86bbc730de30347f39b9b1413cbd345d1bf786491ed2f79142d9333dba3a7f0edc9f48e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.WindowsClient.exe

Filesize
573KB

MD5
5dec65c4047de914c78816b8663e3602

SHA1
8807695ee8345e37efec43cbc0874277ed9b0a66

SHA256
71602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e

SHA512
27b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
efa59a7f55af829c3974a02f30ebe80c

SHA1
0faba6763d910d5ee104e3457045c63ccc5bf79b

SHA256
3e2d5cc7867afa23663d5894127ce6e2880d3075773a249b37576eda5088875a

SHA512
72262b09c21dc4a2b2701a5b32c149349fa3107035d5a115eac4335e3961dcf12a7a867aeff595c13aa618ea955b604538c0f4e529cb6a76fff0cb75927cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\653Q9DHV.ZO1\8Z278YJJ.QL4\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f4b84e283123b025a90bbde33e2080fd

SHA1
cc57bfd02228be76c6e08bde16996fa992ff0e54

SHA256
93f9eb492b6952d8c7aa1ef1ee5a901234ba1fd2d5ef58d24e1faef597ea8e02

SHA512
abc92965bf97c37a614b556d2219d06e63687777d79df5ffb4b5d447dd138c160e5a45cab76a2353d758ad62960f2e58745f0523881ff6c0ea4ccbcd7ed40002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\B1JA7654.652\T4ELJDHW.CT8.application

Filesize
113KB

MD5
de1955a1753529bbd726c911f34f284d

SHA1
b3535b60c52072e52417588dd0420fd379bf093c

SHA256
c923e7e27ff75129e9b6e24dd21fa8807b71d8aabc7eef22fb77071bfdcdc884

SHA512
474dcec89a7228e0f11b08d89983db836b2cd7b678a47bda3ebb75fe97afe7b77c260d528c02bf171e23261d8d7228101ca106754fdaa196364d964196edb7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3200.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/292-2-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/292-143-0x000000001C4B0000-0x000000001C538000-memory.dmp

Filesize
544KB

Download
memory/292-137-0x0000000020550000-0x00000000206FA000-memory.dmp

Filesize
1.7MB

Download
memory/292-125-0x000000001C8D0000-0x000000001C964000-memory.dmp

Filesize
592KB

Download
memory/292-0-0x000007FEF5913000-0x000007FEF5914000-memory.dmp

Filesize
4KB

Download
memory/292-105-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/292-98-0x000000001B2D0000-0x000000001B306000-memory.dmp

Filesize
216KB

Download
memory/292-451-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

Filesize
9.9MB

Download
memory/292-1-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/292-156-0x0000000002240000-0x0000000002256000-memory.dmp

Filesize
88KB

Download
memory/292-149-0x000000001B2D0000-0x000000001B306000-memory.dmp

Filesize
216KB

Download
memory/292-80-0x000000001C8D0000-0x000000001C964000-memory.dmp

Filesize
592KB

Download
memory/292-86-0x0000000020550000-0x00000000206FA000-memory.dmp

Filesize
1.7MB

Download
memory/292-422-0x000007FEF5913000-0x000007FEF5914000-memory.dmp

Filesize
4KB

Download
memory/292-92-0x000000001C4B0000-0x000000001C538000-memory.dmp

Filesize
544KB

Download
memory/1248-433-0x0000000003BA0000-0x0000000003D4A000-memory.dmp

Filesize
1.7MB

Download
memory/1248-436-0x0000000000CB0000-0x0000000000CE6000-memory.dmp

Filesize
216KB

Download
memory/1712-421-0x0000000000D10000-0x0000000000D98000-memory.dmp

Filesize
544KB

Download
memory/1712-418-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1712-415-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2528-444-0x000000001B480000-0x000000001B62A000-memory.dmp

Filesize
1.7MB

Download
memory/2528-443-0x0000000000240000-0x0000000000276000-memory.dmp

Filesize
216KB

Download
memory/2528-442-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/2528-447-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2528-448-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2628-386-0x000000001B920000-0x000000001BACA000-memory.dmp

Filesize
1.7MB

Download
memory/2628-384-0x0000000000870000-0x00000000008F8000-memory.dmp

Filesize
544KB

Download
memory/2628-381-0x0000000000910000-0x00000000009A4000-memory.dmp

Filesize
592KB

Download