39156e1941907ebbab838be00fdba1182523cac9936f6f9aca75bd74e740d418

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScreenConnect.Client.exe
Size

84KB
MD5

ac240ad9c84804db38f1cbaaff05cf88
SHA1

0d1aa33617e5c6a6fd0eb7751f7926daa30989f7
SHA256

39156e1941907ebbab838be00fdba1182523cac9936f6f9aca75bd74e740d418
SHA512

82bfe925ef0092557fba026c5223c6ee4313f22dc724d972aa5263694141246cbcfdcc2f77e93c4b96e408859480392d2cf93214ec2b79bbfd6e2f1bdb4f8660
SSDEEP

1536:0azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYm78ExmwY:AFNpo6rIKlUE8fbkqRfbaQlaYYmw

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	ScreenConnect.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	ScreenConnect.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	ScreenConnect.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	ScreenConnect.Client.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (72b8ded0-1a16-455a-889b-78209951237e)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\0X7TR72Z.ROA\\RVXY1ZWV.NAN\\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-muyb51-relay.screenconnect.com&p=443&s=72b8ded0-1a16-455a-889b-78209951237e&k=BgIAAACkAABSU0ExAAgAAAEAAQAtROnJiEUrlw8dNQZ4T%2bbavl4Eq7lSxpCNTqmIT2i19vujhsrKFcI0f98LsIPQByieYuVMe3TDpzRJvOJz%2fuKwcV%2fEC90GvXJ9aivvTnj01ofUyjaduT%2fQAN9qlGZ1lGeO5Pp%2b11WAe0MUJ9Ar%2fbCMdJGhd6LaPSYZBcS5vaBm7AsBguuN0BXMhn1%2b0tnqRIPdqY8baq%2fe0JCVnzQezeytApzakHhRW7DLPtBuow5VNauIbpSfMIZObnZVnX5HvW1YHmdVNYCea0bHnFDg%2fEdw3FkXTrapR5d%2biZcNtTaUdu9fD1bVrCYQPAK56YXWUO37Endd1NUjfDXFIi4nbwrj&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAeC8vF5jdNE6BKOxjvF427wAAAAACAAAAAAAQZgAAAAEAACAAAACg%2brJ02QbsrsEvHi21tmNP9y%2bPSFiOJUx3ZqatQZ852AAAAAAOgAAAAAIAACAAAAAd6I4FGdUXQZMCWvvW4StfX0G1ailsLzHpnUoat7uhQ6AEAAB4z8CaRSfDeDZnW7LJNUgl1Sd8nHnZOI%2fIdqLxk3Efea%2bTtW%2biF80i9v%2fhqL6d%2fq4jUeIcfwpM%2f6ghOXwCmRewv%2bJQBFbfUJ%2bc339%2flxDhPSBoZYJ9HgD1uDu6oy%2f2D4co6AndCCNmvLRddYMyQUcn2WbeW%2fo4nFbM4cDgoqFzqF6uZ2oftXcIbU%2fzrJHBGDsdlKBpKn9aKvFnjVoKlT45iSYtgJ9RjHO%2buZVT2F4rCPEF038XaLhE8SuWGb2vkUjKWC2Tb3qj%2bB%2f8AASYM%2fESkOWy9d2EVb0cDUWglp3YPH1%2blFokyCX32EzyKRl4P7E3%2brxm1GTNQdmw7GUrN37Vpix0pDGIh3DYfRKP0MPBhq4MGOqcm1CYhnb60IrkixPpKgOINR8W%2bu%2bM5pKfG%2fxs%2f8BJTIldN3DP01bsYcTTVuH%2fhJbcK6M7wI05JhiGUQ8osKtpVuMTM%2bT5GnjiGLLDjKL3vTHocvjycNey2ROedn8apLGIrGHwIQZ%2fPvoVCuXqSCaiEzE9%2bOySCnmT6g%2bUrchGcAOfVSpOUmfPMPAqM3%2fpos9k3r%2fbEsm9lUOy5Pbjuc%2fIX760%2f2dbSSoBge0CVuV7TDxNU4cKdU1ttt%2blWOhxDtGS8xCVwa7JFS1dT22fMz3pPVi0tzNYz4G9NYLHhWCvaqD1pCj0kn80A4dilxboOH53bI%2fzYlIbC5PrGXGZrlKCl6BRdc3%2bnRbCV3lHBWZ%2bpwKQFadGvrKCRzdHWKQZZGyt8NYeu%2bicCYTzjAiP4xxuNbFS%2fZe7ZBd1%2fnzpE4DxvQSS2vAa%2bA%2b%2bCT88vFsZxoOblaury%2bBsUHasGlau3kfMBForsDMXqsZFsZD9gxv%2fO21YM0UQMDvy3b9kwKxPeJ%2fAq3jj%2fsWkuekKbdeMFckD3M5CdohKi1s9Mv895L%2f4tCNQ7hpyRtGct8k48lgVNVeuTWEs3vZKO%2bwrJVVBsoruwj4oEqionQFxMMV8Hwr9i2IyYnO0zwoe7NZN8c3cRrTiOLIKfd3CcPY5xHTbTABiwpp0CfHsNiirQx22InT9PwOscW4pA2Y%2bmpq2SI3e%2fHFXmimYR9At126%2f78tlpGjotUy3c7CQzQTUiZ34pVGZ36kUcumHYsVrWaBXTNr3jqCzRRm9vsLr2oVfIXsUtgroRcb1SOzsTwcQtTWhi7iXPv465Jv5k40wGACjKb0XGOlUFbVQzxoVLgehAx3Hx%2fA8SyXWpg8ftiHc6wk423Pgl32Jyfon6tB%2f%2bEu7AA3S6972yqLRSv72U1MxdO%2fYEkQRvW46CoVBb%2bVTSo9Kc0DoA9dqBajW%2beVaBW2CzfDTgOi3YafNHRrwNjKqNk%2fc7ezU8rjny%2fNdvK%2b0GXgDH3I7jRzwCW%2fxm9Y0foHhVYSB4wuUKsRa6hyJCvijKcO4P5rJ2coMtnyUjG1RC7C9JulVUjeJv09M8I1oBXPI51fSTO56w4sRFm6MR6jAKmYQM06%2b2RGdT7WKV9bzmp4s2dHJ6oDBvyPYEt2Db7YMg4WzoNTRJkrSapMozh3Yv3SC73eSIpH1nuBXuMxDGyZwCAdEH9EhfBGN7g4abwS9NEAAAADmG6UwWgkRQyH1snhbdpVgv5bPHEGCrPwVJSm%2fBywwMa4DxouBOronr7HHZCXFr1QOkauB0tz8Yfdc9Ujadf89&r=&i=\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 5 IoCs

pid	Process
828	ScreenConnect.WindowsClient.exe
4680	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
1832	ScreenConnect.WindowsClient.exe
2948	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
4680	ScreenConnect.ClientService.exe
4680	ScreenConnect.ClientService.exe
4680	ScreenConnect.ClientService.exe
4680	ScreenConnect.ClientService.exe
4680	ScreenConnect.ClientService.exe
4680	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\DigestValue = 73a0ffb39b4193eb9db8b705b552019e91461d15	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_d460ff163f51e79c\LastRunVersion = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f00610075006d002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0031002e0037002e0038003800390032002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\Files\ScreenConnect.WindowsBackstageShell.exe_89 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\Files\ScreenConnect.WindowsClient.exe.config_f7f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\lock!0e000000e6aa570ed80b0000680500000000000000000000 = 30303030306264382c30316461646334326361393166383133	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe94	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\Files\ScreenConnect.ClientService.dll_e781b1c636 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\lock!0600000082ab570e3c0300008c0900000000000000000000 = 30303030303333632c30316461646334326431663935653235	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "XH5J03J8P3VH8XV31X8M49ZR"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_057 = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\Files\ScreenConnect.WindowsFileManager.exe_0e21f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973a = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\lock!1c00000092ab570e3c0300008c0900000000000000000000 = 30303030303333632c30316461646334326431663935653235	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "5G8MM6A7YJCEHCP3HT0L8PB2"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\Files\ScreenConnect.WindowsFileManager.exe.confi = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\lock!0c000000e6aa570ed80b0000680500000000000000000000 = 30303030306264382c30316461646334326361393166383133	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f00610075006d002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 32003000320034002f00300037002f00320032002000310034003a00320034003a00310030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_057 = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_057 = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "0X7TR72ZROARVXY1ZWVNANR9"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_05781f8a40e231f1\appid = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\implication!scre..tion_25b0fbb6ef7eb094_0018.0001_05781f8a = 68747470733a2f2f61756d2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_05781f8a40e231f1	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\DigestValue = 5241f5bec67a5e6ec2ee009c4f2e0f6f049841cb	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32342e312e372e383839322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\DigestValue = fc7e577dec034b680a80b51a6d188af3b429e2f4	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\SizeOfStronglyNamedComponent = ac21010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\lock!06000000e6aa570ed80b0000680500000000000000000000 = 30303030306264382c30316461646334326361393166383133	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\DigestValue = cad0ecb9ac68694cc601a7c980f985d9c29afa88	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e\lock!1000000092ab570e3c0300008c0900000000000000000000 = 30303030303333632c30316461646334326431663935653235	ScreenConnect.WindowsClient.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	ScreenConnect.Client.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	ScreenConnect.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	ScreenConnect.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	ScreenConnect.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	ScreenConnect.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	ScreenConnect.Client.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe
2604	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	dfsvc.exe
Token: SeDebugPrivilege	2604	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe
1832	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3032	1232	ScreenConnect.Client.exe	84
PID 1232 wrote to memory of 3032	1232	ScreenConnect.Client.exe	84
PID 3032 wrote to memory of 828	3032	dfsvc.exe	94
PID 3032 wrote to memory of 828	3032	dfsvc.exe	94
PID 3032 wrote to memory of 828	3032	dfsvc.exe	94
PID 828 wrote to memory of 4680	828	ScreenConnect.WindowsClient.exe	95
PID 828 wrote to memory of 4680	828	ScreenConnect.WindowsClient.exe	95
PID 828 wrote to memory of 4680	828	ScreenConnect.WindowsClient.exe	95
PID 2604 wrote to memory of 1832	2604	ScreenConnect.ClientService.exe	98
PID 2604 wrote to memory of 1832	2604	ScreenConnect.ClientService.exe	98
PID 2604 wrote to memory of 1832	2604	ScreenConnect.ClientService.exe	98
PID 2604 wrote to memory of 2948	2604	ScreenConnect.ClientService.exe	99
PID 2604 wrote to memory of 2948	2604	ScreenConnect.ClientService.exe	99
PID 2604 wrote to memory of 2948	2604	ScreenConnect.ClientService.exe	99

C:\Users\Admin\AppData\Local\Temp\ScreenConnect.Client.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenConnect.Client.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-muyb51-relay.screenconnect.com&p=443&s=72b8ded0-1a16-455a-889b-78209951237e&k=BgIAAACkAABSU0ExAAgAAAEAAQAtROnJiEUrlw8dNQZ4T%2bbavl4Eq7lSxpCNTqmIT2i19vujhsrKFcI0f98LsIPQByieYuVMe3TDpzRJvOJz%2fuKwcV%2fEC90GvXJ9aivvTnj01ofUyjaduT%2fQAN9qlGZ1lGeO5Pp%2b11WAe0MUJ9Ar%2fbCMdJGhd6LaPSYZBcS5vaBm7AsBguuN0BXMhn1%2b0tnqRIPdqY8baq%2fe0JCVnzQezeytApzakHhRW7DLPtBuow5VNauIbpSfMIZObnZVnX5HvW1YHmdVNYCea0bHnFDg%2fEdw3FkXTrapR5d%2biZcNtTaUdu9fD1bVrCYQPAK56YXWUO37Endd1NUjfDXFIi4nbwrj&r=&i=" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4680

C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-muyb51-relay.screenconnect.com&p=443&s=72b8ded0-1a16-455a-889b-78209951237e&k=BgIAAACkAABSU0ExAAgAAAEAAQAtROnJiEUrlw8dNQZ4T%2bbavl4Eq7lSxpCNTqmIT2i19vujhsrKFcI0f98LsIPQByieYuVMe3TDpzRJvOJz%2fuKwcV%2fEC90GvXJ9aivvTnj01ofUyjaduT%2fQAN9qlGZ1lGeO5Pp%2b11WAe0MUJ9Ar%2fbCMdJGhd6LaPSYZBcS5vaBm7AsBguuN0BXMhn1%2b0tnqRIPdqY8baq%2fe0JCVnzQezeytApzakHhRW7DLPtBuow5VNauIbpSfMIZObnZVnX5HvW1YHmdVNYCea0bHnFDg%2fEdw3FkXTrapR5d%2biZcNtTaUdu9fD1bVrCYQPAK56YXWUO37Endd1NUjfDXFIi4nbwrj&r=&i=" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe" "RunRole" "b943e96a-4817-4432-9b40-72fd5823cd92" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1832
- C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\ScreenConnect.WindowsClient.exe" "RunRole" "cf71eceb-371d-4430-b1ca-f0fa584c7362" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b.cdf-ms

Filesize
24KB

MD5
1311094be6b76af244a288b140dfe6bc

SHA1
863023546ac56dc62d6fd139d4888cea12c34727

SHA256
8bb775c03212967d0cd45646a980235556039c642a84ea008bcb5079c6b3571f

SHA512
12d89a1a3a71f5e377480ca3a5b7c2a753cfd121d45b9374dce4eaa5cdef35015113e7e0c70ac725a4e5b4ecd02d1a850523c2d2d1350afcec08f58b7ce544a3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df.cdf-ms

Filesize
3KB

MD5
5c766bce3e355fe02195c54716378f92

SHA1
b8c3cdb0089e2e6d8a5053dd52bb061f54de2bca

SHA256
76d98481e3ac7b0275d510c42644cb1120864f4979da8b1fde76b5878687373e

SHA512
8e453f0a336ca632cbf68b5c1cacd6b05a8822ddfa193bed59c7986c9312d74a8030d4c6c505b25a32aca8b763967219a4be81c2bebbea5cca291d072f5262a4

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f.cdf-ms

Filesize
5KB

MD5
c49b949b99f679b291a9c219f1eb8a90

SHA1
0820d208cf5f1d9b6f8915f67704c332ae9ba576

SHA256
8b85febc40ced686149b13784b20cd3a53a2b5ffc3cb652692990c601114b738

SHA512
34e22f03c45652c4bf5485855a65d2b8141c101037b3c95bd2f8a3376b4b21e76460284a7f85ce4b122997c66d28cf59018f2be41afbdd5678ae3ab0fab9cb9a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec.cdf-ms

Filesize
6KB

MD5
79ab830d0d85bfd17184bbdbe9043e02

SHA1
568748e5f2dd0a901c2d1c43f227e6c01be9558a

SHA256
26d2486adfbc4695cc158b31bf44d22ffa79d3835e1f50229ee7b2ac77d51289

SHA512
2ab00d0116e4988a9c63c349b322640cfa4b25caa05abf0a6bc281b1ee2dc3cb15ef26142c08e39356f13f3afd57c71b50acdbc69422e20b3855a08b1a7cb61d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3.cdf-ms

Filesize
2KB

MD5
853de5cf2b7d81908a7ec85be4b82f9d

SHA1
56c3e82abc3b86e75bbba05976d838e3de4018f3

SHA256
6619780cb813776a6af3f7260b3c480e338fe585d388c43f5785c8ee537f5fb5

SHA512
a565a25cb2a2e348f63e53d76f962ac5bcae6a5a8f7af9e8b5b0e63c7e40704ff9451768c57afa9a0785b3f62cfb195542a86caa1a9e67edd85b5de6fbe0e6e9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e.cdf-ms

Filesize
14KB

MD5
16d4807e4bc19d674c6068640ed90fd2

SHA1
11db9d31fd1afb051318e427cc8dbdf0b4ed89f3

SHA256
9ba2b21f4ca581183eef00fbe2283e5072700731461f1d3ffa9d13114c2495c2

SHA512
837451c2c23a7908d5319c969bd6498545a5ddc362adac4cfdb2e72acc574453bad128d337f5ed1a85050ba93b9c93a1b8d654e5854c44f9a0c66b4ba71339ad

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\manifests\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a.cdf-ms

Filesize
4KB

MD5
18fe3b63f26d10f6afaa3476a00bc953

SHA1
307e01d2e2fe03fcc437db698a3dd130a7e29a46

SHA256
5cd914bb566762ede42e5c1ff25549f691467b40bccb36b8c73171a924522a21

SHA512
56cc304d100cf4a7ab6650ff06bbc81cb903ee65e10876705094fc503343351dd379f09e4119ae38d76e39eddb35a1fd8530c43b20d42bc79d5023cedce36d9d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
1b8110b335e144860e91f5e68ccdc8b3

SHA1
4f1662c9f914776e22616d2619d6cd99dc4333a7

SHA256
dc326e95e7f778aa53f67b420c3f7621ed078ee33ef9beb62d4907e90f55a389

SHA512
dbd21613450f61be471bd4406847773cd96b3355b70bcb1ca74043d0ff102c0e782abd185f9dbcfb6a07fb71f490f3d500aea32056f2978cfbb106f4badb373a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\Client.en-US.resources

Filesize
48KB

MD5
511202ed0ba32d7f09eab394c917d067

SHA1
dbd611720fd1730198f72dec09e8e23e6d6488f8

SHA256
f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d

SHA512
f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\0X7TR72Z.ROA\RVXY1ZWV.NAN\scre..tion_25b0fbb6ef7eb094_0018.0001_5e3dbe7f63b81b62\user.config

Filesize
588B

MD5
413706a8cb867cc38d2a76ebbed12539

SHA1
1bd4bc52e37ae9330cf373b49f03e0291c4d8a12

SHA256
7ef543fbee1c848d87e5487a44d368c48aa1f9383f4c90b7b83dbd36d2dbb133

SHA512
382cc36350734c70d4eec97d375a8e74ddfcb1cb61536948b5844f363746052f5ba961abf1f804fbe0779098c507ed88e5ac8cf9437e4bf980121b93795deb47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Client.dll

Filesize
192KB

MD5
bddfba6105b88f0df924d41e20a43efb

SHA1
73a0ffb39b4193eb9db8b705b552019e91461d15

SHA256
a0faff6017e061386a7a161f6d97cca3e935ecf1733d2cb999d1400e60e5eaf2

SHA512
4493de052e1daeccf8ec4661ccfc5c369014121eb730fb8aa4cec789c5bb65b1ae74bb4928f6ea4fcc9d3359c52584b8e9c0fcd90994af493a2a48ebf5bb71fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
24af083471952e5073014b7269b94d1d

SHA1
3aa11476b34b771738dbd42f61fbd3fe16139064

SHA256
6fdb3834f278d039f8f36f875c1a842be8143df0547e9db04aaf54b655dc2b3d

SHA512
c2a6ff6ba4c67a6f676e1be4a639aa07f43d7848faf0d24c04a4097d14c9bf371b15fe5e60b7e9fb747dd07ff2637a303c52a59ba9885317ceb66a97b2e56732

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
d8ec66efb7ce863d68931685039c9775

SHA1
852c5332e22cfd720a0ea42cf69e602d397fa6a7

SHA256
de8d8e97fb59c4f8e5cd936e566ec9d9423d270556ce5f005bfff89ae2f45a45

SHA512
d1f2c8dee56f26f6a2e7ad1075cd5e23a3e6a048a4b420fc9ffe06829dee3bc677cf11098dbf1f1124b4413816728245095da68ea63bf8909ca0c0b5c3aa94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
7d3bb8d33e0013b9bc19259d35631000

SHA1
a274018bef6f3bff0cae63d0706cbe94d5005362

SHA256
3e9c02c807ac20bd6c80a586bdc4c61beb69f5d8576d7a1a34db9681ccd92756

SHA512
d77a68be6fe5755e4091694902a431f008241b4ac0ba0550e3e781bebc1dc221a1ea507c363ec3d2edddd4631a18a82b0be4ab10ddc5979677c85b725fbe7718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Core.dll

Filesize
533KB

MD5
5c259da933c9261944afb6aa9a7e858b

SHA1
cad0ecb9ac68694cc601a7c980f985d9c29afa88

SHA256
0d04ef4b196e5ce3412e58474ff5303ccbdc0a2f32487946b382b0b672615833

SHA512
f7e6c778943771fa1830805021dc7e64e47a30895ab9d5bf3708d82abd2bfccaba58ca86cfed8d38c879df9e41999054838abd6b55e7dd400daec84480dc5041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
9e3fd8a2790f7d451f4d9b853edb19cb

SHA1
c4f26162b4666cf98da7467f819140d6063565e2

SHA256
6244a07cf52244e257ac5e2ca1eb619ce9434b3ed0aef6c93c9cfb258aed7aeb

SHA512
64a9a9fa4b45eba7334444d87aa8b4a808ff5bbd3bc71cb205193bc9de2b623d15e5ff6e3ce9d2acf445aca738749398a1c5249aff09af8eaeed6f465389010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
ab11c92301bd6b916f51eb3c6ba1f348

SHA1
edbcea68f4d7b06aef28a9e631fa0a5cfbb7889f

SHA256
ea86c15300b8cc311de257456ea8b281ab7b5f231a4fcbcff07e6f300e9ade14

SHA512
9a42a8f6a71f55e8f85ff97593ffa2d3935ff80142ce6a57a9a104ee6d97043cf20c29f386007929da31496e270ea9d5c0c7766d687d36d0e5523391e1b68e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
4ac5d03b56acf6ec0969d4017745df3a

SHA1
585fb53cb3b99848572813a5dfe13f9f9a56866b

SHA256
a4d063c3ba3b9d1572db0193c55eb23c2c4d500987d600a7641b82076f1a5e8f

SHA512
ed5ef6055a4efee57eb43306e1929f55eeeb2afb8ea12d69bf1f575b0626f46e0eeec8a16c48249639aca5d2a6c0b8d1421b543888f09953d12b0c1b46baf85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
993c201d63c86c889385d0f50560ed77

SHA1
e032e82c325bc00b4ba03e27c872307c41575a2e

SHA256
7596c3b6dfdc06320d31d2f7622766e66f3845bf11c75acb3e356db9cd530af9

SHA512
798d94954d3e3796d860015ca99e5435259bb0ffa1e63c8ce00129a7ab9be78e40b171b718d34345dbaf4743a576530f4db159cf74cb832cccca834395d2c787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsClient.exe

Filesize
584KB

MD5
dbd7c0d2cf1bf5cec608648f14dc8309

SHA1
5241f5bec67a5e6ec2ee009c4f2e0f6f049841cb

SHA256
1145fac110c18d2cd228a545ec4fcb7d3aedd3c072b19c559d6e7067f7cf3f5f

SHA512
cc14bd533c63791f885dec7aeb75d4e0bc5b51299e8f09f98ccb2a03ee7877daa42768585e0b824a842a2df8e09f86ac483f970c17d6ae2d4bb4a28670a7c99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
f9b14df497b4c59141dd68827e7d6c2e

SHA1
eb415a7b5a7784694458b4d8ba6cb30bf38c81fe

SHA256
0cad8868b6947f86137e592308ec8ba46e318898dc338557b4fdce0d056a5d9c

SHA512
5e0f9f2d89dca27b9f89cc25c040b7c8e5f5a27230c1e1ea91ffd6e1b51ebd0c3e739c2f917fbcc63e125cf819e71fdf3dd27b47b03ec51a6d34cc7aa6f14ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f07208902a10a9cddf338f6256fe6b11

SHA1
fc7e577dec034b680a80b51a6d188af3b429e2f4

SHA256
add65d10a544d74ce772d5130ea11c1827b8521ea7b06b1fae7251bd852c46e4

SHA512
a9dee634eb94d01cc25ffe6e793e41cd7b49814b3a4ba4515719bad15602bfe34be2a7029accaee123330d34ce39736fae4f4f80bcd3f3fae822653419733435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\85RHLC0L.Q82\MDEKPPP5.AQ6\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
d7ac4220c10c1474730546d15edd1810

SHA1
bb87e80b2132e0ce8591f772091e79ec640e8d16

SHA256
24138fe20aa06390f09fd8bd6ed78e35f6c33d60c0ccf66759100986c1607be6

SHA512
dd5112b9bf4845d42e2d7f06dc7a053b3b78d7a2ae498a7c2da445df23e4d854a12bf4d6c215fab885307477c0a431d6b1bfc54c01bb368f81229fee56bb9e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\99KANNO6.B5B\5MHNKGO6.T49.application

Filesize
111KB

MD5
47f7d98edd55862c28bb274ff020eaf6

SHA1
f5ef99f625176e14366231660005980fa0f673a7

SHA256
4ee61cac8bb144416f0b9a9f7d7bcffb5c9ae4a98beda6d022c1a919eb2f51ff

SHA512
abab4849d4db771f90be226a98703fb04813273a2309654fca9bfae797fe64da8ca0114809285a586f4b45e8594c039522ca897ea513266986b82215eb8fe1ba

Download Submit
memory/828-346-0x0000000000F80000-0x0000000001016000-memory.dmp

Filesize
600KB

Download
memory/1832-400-0x0000000000A50000-0x0000000000A68000-memory.dmp

Filesize
96KB

Download
memory/2604-388-0x0000000004370000-0x0000000004914000-memory.dmp

Filesize
5.6MB

Download
memory/2604-386-0x0000000003C10000-0x0000000003DBA000-memory.dmp

Filesize
1.7MB

Download
memory/2604-393-0x0000000003DC0000-0x0000000003E52000-memory.dmp

Filesize
584KB

Download
memory/2604-392-0x0000000003B00000-0x0000000003B36000-memory.dmp

Filesize
216KB

Download
memory/2604-389-0x0000000003AB0000-0x0000000003B00000-memory.dmp

Filesize
320KB

Download
memory/3032-0-0x000001D1D4B30000-0x000001D1D4B38000-memory.dmp

Filesize
32KB

Download
memory/3032-56-0x000001D1F0240000-0x000001D1F0258000-memory.dmp

Filesize
96KB

Download
memory/3032-27-0x00007FFD077A0000-0x00007FFD08261000-memory.dmp

Filesize
10.8MB

Download
memory/3032-409-0x00007FFD077A0000-0x00007FFD08261000-memory.dmp

Filesize
10.8MB

Download
memory/3032-408-0x00007FFD077A3000-0x00007FFD077A5000-memory.dmp

Filesize
8KB

Download
memory/3032-38-0x000001D1F2A70000-0x000001D1F2C1A000-memory.dmp

Filesize
1.7MB

Download
memory/3032-62-0x000001D1F27B0000-0x000001D1F2846000-memory.dmp

Filesize
600KB

Download
memory/3032-44-0x000001D1F27A0000-0x000001D1F282C000-memory.dmp

Filesize
560KB

Download
memory/3032-50-0x000001D1F0280000-0x000001D1F02B6000-memory.dmp

Filesize
216KB

Download
memory/3032-34-0x000001D1EF3B0000-0x000001D1EF538000-memory.dmp

Filesize
1.5MB

Download
memory/3032-7-0x000001D1EF9D0000-0x000001D1EFA20000-memory.dmp

Filesize
320KB

Download
memory/3032-4-0x00007FFD077A0000-0x00007FFD08261000-memory.dmp

Filesize
10.8MB

Download
memory/3032-3-0x00007FFD077A0000-0x00007FFD08261000-memory.dmp

Filesize
10.8MB

Download
memory/3032-2-0x000001D1EF120000-0x000001D1EF2A6000-memory.dmp

Filesize
1.5MB

Download
memory/3032-1-0x00007FFD077A3000-0x00007FFD077A5000-memory.dmp

Filesize
8KB

Download
memory/3032-407-0x000001D1EF3B0000-0x000001D1EF538000-memory.dmp

Filesize
1.5MB

Download
memory/4680-375-0x0000000005810000-0x000000000589C000-memory.dmp

Filesize
560KB

Download
memory/4680-370-0x0000000003200000-0x0000000003218000-memory.dmp

Filesize
96KB

Download