6b83bbe4cce4c786466668f993552b11b8ff1ac1a119c242d3463c6e058c5cba

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Size

84KB
MD5

57de29d9191eeaab3247c3733e5010e8
SHA1

ed060ed784e1b6e316b6932b10532ade97007025
SHA256

9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1
SHA512

69ce89e315efb902aeb28bb46afc6827176ffdbd711002fd1f1a340411c47135e4ddffbe80e3b6570006852e960ae8a8bcabbd0a851ff74b78b7911bf9d4de51
SSDEEP

1536:0azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7QYxrp:AFNpo6rIKlUE8fbkqRfbaQlaYYS5

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (35ccad11-d68b-4ebe-bee1-01cd060da88d)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\XJOCKMCC.LM9\\KBZN78T1.OT0\\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-xvhd3k-relay.screenconnect.com&p=443&s=35ccad11-d68b-4ebe-bee1-01cd060da88d&k=BgIAAACkAABSU0ExAAgAAAEAAQBpfb7QjKuA9X3MCcsURMe973hton4y3Sf6f%2bLe9%2flHdWhDmJgeBGv9WpW6a69tuZMpsA%2fY9czVzG9vYYMyhJM8vu5DtXdtMxk43oM21PSSG8nVcZXMlcwPn4hzqCdUUjnHtyXXrwQ7cfsjdeJ6NP%2bHtvZKOYyHOf7lLuAsFCwpz1t8E9%2b2oVIO3oCE8tt%2fd2uHttzRfDGTAcm6v3xWaBxQbgBk9HxIoL3rJu7fpLXhlqugWTlJy%2fYvsJX6F3jvSCTz0x0OX8%2b5CsHxWLmW8y1zedBpY6M8mUqoUW%2feoFKhqTSg1FS8agMXikgaRkdli93ZqRPURacFDys9adXl8PPZ&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA%2fab%2b2VEYJEOsf%2fNi9OLIlQAAAAACAAAAAAAQZgAAAAEAACAAAACWTJ0ViZXuHbqAREwHy%2f6eOQjPY6yalY4UqlpNS%2fr%2b8AAAAAAOgAAAAAIAACAAAAAP7BUwV%2bK9yx4gz%2fh%2f3xS82fg%2b3fAQWy1UhTXITE8ci6AEAADYFgX9KtXb7ZtW8Kcf9i7KIblepGTmv39Z9r9EK%2b86NiwZUOT64o2eyfa9F0M9yTjsEcoLZwJQgtsvVzL0yOX4QWsqIYdfWIbg17fPnT4UX8JFetq9o%2b6HAJCDflvYPnddAxw5Xji%2bER2oLPPllgzKwLDF3Wn7fNMreoLtnzYH7md4AAX64G%2blylO8g4Mac1rrcn3wIB8NHvHzr3fjOkHNgKv%2fMJUGIzORPYaoBBvKVbhYgjeyoU3Zukl3895jvInBEZtwPShBS%2bqx6M2iugrPjV%2bBtk7zAYQ1aTtFb87mda1TS7JmCyLJGt0fYpL6AlUlKWfrbRqxPg9kh5fxX3uzwfJoTBiUJ92wrv9rl1HGaWuYcsLzA%2f2W5ZyU9yx2R7BoCPyfs0snDvHesltOH8eK1hrotIRS4OFvKFfXfD4j3Xzb6PHnz8NG7WoIEchK%2b8CBbRMW6oWJBu56cKNoRNbZfnHD0hSJUDQ35OHIc%2fQWKMn1sttw%2bHxe3Reh5TM5GikIYEFx6V4HpoymBRWq3cnr3O4FQfqdVbxdIMflPoZFlDUyNnfPj7sKeQgA2dF3ifklwiBNO%2fXXckcrcQX6m9VVQqB34T58BOIHvBQkQOJe0MhWs%2frfeB28XDMXgtwCfPONW0oOB5aX%2fn%2fEkMN13vh6wXb1LREwLPl5FoYbYhqJLVRHtX%2bjwso6J0XjKWquM9pE67qUHSio839tnjeFvRbXZ63yXTvtiVmSAN2dQnPxw0nK5a8CWHOMHE%2b46CHNCOz1JtOtFydJrHluJ%2fkxujbgROktU3zxcJke8d8cji1tq0P8qcS85w8mHXL0pCm3ktBTLLYIwhoT8TAcZzybELn%2bhRYzAv33wvrjPwNffFNZyIWggjQrAGuSlroT0tGW948Kli91evddqCrE47emRs%2f21s3Q5WJtUsu8EDsblAT9rRmh5LDE1UyGW6Wt2sndZMmQEc7LOH0mExkZnnnSYlx6QMi2tOo1VcS%2bMUwPoyTI%2ftkBVySzjhXbyv8nZVyEmPIS%2bZScJDhq2ggUFb0SrfG8kEYrFOsADpKyoMpx1nnlm3MrYCW57hqrbpDxlPf3BJMcFLrlH%2byyfSokXoxAD81E0Az%2fap67UxhOPXLKnsT5OW38tulQkN7%2bLBoFBv1oKOT9WU14nhM%2f77XqDGii1i7DxX9fKyeR9QuBk3S42ZCMHCK0qCHEtXrsIEdq%2fxiaDU%2bHCSl54pC9OIt%2fsuDr%2fTCxsKpoTtw0MCL6%2fYLW7vUXRyasQ0kcPK1zHgXEC51d3WZbsDXnnBC3cFZsTGO41JRjO8zBCguAcwCAK0S60whEMwj4zDUbRqcjp3yTu5XmLM58zBdA5qhc6z3%2fvQe27JMNsOV0zgX5PnGHtlaF%2b4tEnWbCQC3lboVz94vd7xKkbqNs9XiXs4%2bJw8889JlhqjEAhsYEJCQuJ6qDLHg32E61GMoNgbrpUErUMBw5k3sJIPYIr6Jsqxpf%2bmRiZ5sD4nOMcUmRxto4bphGiDCesCTVDoa8fsdQbaDN03zd6K6UL97jwCdJQO6ptFXB8I9FS9gnGla7H41L0FiBbCJY%2byMjQ0AAAABfI4Jg3IYhh96ceuupSv0CoOZFt%2btmESthieohT4WOpoE5mlKBs25vJWz2LAM5NQzQ1D%2fINgQ8JpbfE10qn9z0&r=&i=\" \"1\""	ScreenConnect.ClientService.exe

Executes dropped EXE 5 IoCs

pid	Process
2620	ScreenConnect.WindowsClient.exe
740	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
2124	ScreenConnect.WindowsClient.exe
3404	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
740	ScreenConnect.ClientService.exe
740	ScreenConnect.ClientService.exe
740	ScreenConnect.ClientService.exe
740	ScreenConnect.ClientService.exe
740	ScreenConnect.ClientService.exe
740	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_9c825b914ff7abc0\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71\DigestValue = bbd2c6a59229b3e4ec7c5742248f3f55a61dd216	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 54007200750065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_43f813ed7893acee\LastRunVersion = 68747470733a2f2f73746c75636961743130626c6173742e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45\Files\ScreenConnect.Client.dll_fc1d7bd48553fcab = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\lock!11000000a5ba570e28110000a40e00000000000000000000abb8 = 30303030313132382c30316461666637623864633336313264	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd\SizeOfStronglyNamedComponent = d84f040000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71\SizeOfStronglyNamedComponent = 44601a0000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_none_3877ca14a9e581b0\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45\lock!1400000041bb570e3c0a00007c130000000000000000000 = 30303030306133632c30316461666637623932363333663361	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_none_3877ca14a9e581b0	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "0LQCHQ37RBKQ2YDE1TT8YYN8"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_none_3877ca14a9e581b0\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_43f813ed7893acee	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b433cb2de8159c4e\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71\lock!1600000041bb570e3c0a00007c130000000000000000000 = 30303030306133632c30316461666637623932363333663361	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_9c825b914ff7abc0\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd\Files\ScreenConnect.WindowsBackstageShell.exe.c = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45\lock!08000000a5ba570e28110000a40e0000000000000000000 = 30303030313132382c30316461666637623864633336313264	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\PreparedForExecution = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_52ecf209ff31b941\lock!0e00000041bb570e3c0a00007c130000000000000000000 = 30303030306133632c30316461666637623932363333663361	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 460061006c00730065000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\scre..core_4b14c015c87c1ad8_0018.0001_none_52ecf209f	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0001_none_52ecf209ff31b941\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_b433cb2de8159c4e\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\scre..ient_4b14c015c87c1ad8_0018.0001_none_b433cb2de	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_8bd2d6cf041eeb4d	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 32003000320034002f00300039002f00300035002000310030003a00300038003a00330035000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 30000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0001_none_04408a5294f11cac\lock!0a00000041bb570e3c0a00007c130000000000000000000 = 30303030306133632c30316461666637623932363333663361	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0001_none_04408a5294f11cac\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0001_none_52ecf209ff31b941\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd\DigestValue = d1fc53bc44d76f865ff1c85e216ec94c963ee0e9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45\DigestValue = ceb586b3cf7b0ee86ea8242d9b3d8641c9444cd1	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_8bd2d6cf041eeb4d\LastRunVersion = 68747470733a2f2f73746c75636961743130626c6173742e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0001_9c825b914ff7abc0\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0001_none_b433cb2de8159c4e\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32342e312e392e383931352c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe
4692	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	dfsvc.exe
Token: SeDebugPrivilege	4692	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe
2124	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4392	3500	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe	83
PID 3500 wrote to memory of 4392	3500	9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe	83
PID 4392 wrote to memory of 2620	4392	dfsvc.exe	92
PID 4392 wrote to memory of 2620	4392	dfsvc.exe	92
PID 4392 wrote to memory of 2620	4392	dfsvc.exe	92
PID 2620 wrote to memory of 740	2620	ScreenConnect.WindowsClient.exe	93
PID 2620 wrote to memory of 740	2620	ScreenConnect.WindowsClient.exe	93
PID 2620 wrote to memory of 740	2620	ScreenConnect.WindowsClient.exe	93
PID 4692 wrote to memory of 2124	4692	ScreenConnect.ClientService.exe	97
PID 4692 wrote to memory of 2124	4692	ScreenConnect.ClientService.exe	97
PID 4692 wrote to memory of 2124	4692	ScreenConnect.ClientService.exe	97
PID 4692 wrote to memory of 3404	4692	ScreenConnect.ClientService.exe	98
PID 4692 wrote to memory of 3404	4692	ScreenConnect.ClientService.exe	98
PID 4692 wrote to memory of 3404	4692	ScreenConnect.ClientService.exe	98

C:\Users\Admin\AppData\Local\Temp\9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe
"C:\Users\Admin\AppData\Local\Temp\9b7cdf3c7c71ce90aeff29d38794856f65aa1196438fd19dca9d3c5fc05f34a1.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-xvhd3k-relay.screenconnect.com&p=443&s=35ccad11-d68b-4ebe-bee1-01cd060da88d&k=BgIAAACkAABSU0ExAAgAAAEAAQBpfb7QjKuA9X3MCcsURMe973hton4y3Sf6f%2bLe9%2flHdWhDmJgeBGv9WpW6a69tuZMpsA%2fY9czVzG9vYYMyhJM8vu5DtXdtMxk43oM21PSSG8nVcZXMlcwPn4hzqCdUUjnHtyXXrwQ7cfsjdeJ6NP%2bHtvZKOYyHOf7lLuAsFCwpz1t8E9%2b2oVIO3oCE8tt%2fd2uHttzRfDGTAcm6v3xWaBxQbgBk9HxIoL3rJu7fpLXhlqugWTlJy%2fYvsJX6F3jvSCTz0x0OX8%2b5CsHxWLmW8y1zedBpY6M8mUqoUW%2feoFKhqTSg1FS8agMXikgaRkdli93ZqRPURacFDys9adXl8PPZ&r=&i=" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:740

C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-xvhd3k-relay.screenconnect.com&p=443&s=35ccad11-d68b-4ebe-bee1-01cd060da88d&k=BgIAAACkAABSU0ExAAgAAAEAAQBpfb7QjKuA9X3MCcsURMe973hton4y3Sf6f%2bLe9%2flHdWhDmJgeBGv9WpW6a69tuZMpsA%2fY9czVzG9vYYMyhJM8vu5DtXdtMxk43oM21PSSG8nVcZXMlcwPn4hzqCdUUjnHtyXXrwQ7cfsjdeJ6NP%2bHtvZKOYyHOf7lLuAsFCwpz1t8E9%2b2oVIO3oCE8tt%2fd2uHttzRfDGTAcm6v3xWaBxQbgBk9HxIoL3rJu7fpLXhlqugWTlJy%2fYvsJX6F3jvSCTz0x0OX8%2b5CsHxWLmW8y1zedBpY6M8mUqoUW%2feoFKhqTSg1FS8agMXikgaRkdli93ZqRPURacFDys9adXl8PPZ&r=&i=" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe" "RunRole" "e22dcf02-d9f2-4a03-92f5-1b5973e6a85f" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2124
- C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\ScreenConnect.WindowsClient.exe" "RunRole" "739e8ea5-1c15-4c95-bf89-6ef31d92bc4e" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd.cdf-ms

Filesize
24KB

MD5
dd24cc8f2cef61bd9327bae12cd2c380

SHA1
fc05e569b26f11ccfb699798582222cb65d6ab40

SHA256
04f4b2c70c5c07e4b8da1c1748cd473879bafa38d0845bd8d6d777c69b374be9

SHA512
cda0c4a3aee29473a9465f2e922bb5278de9b98999ab00e381d6c84884444b408201f639706e9bfc8d55a7d496dbc1352ebc39630eed63a780ab41f1982cd165

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..core_4b14c015c87c1ad8_0018.0001_none_52ecf209ff31b941.cdf-ms

Filesize
3KB

MD5
ee5fe508cb64b4026d9dedd8497d9a5c

SHA1
77fd77f7919076fd99ada1889a94f3194cebb1bf

SHA256
b9df2d382ce28b251e4c7b49e25c4669157944552119949c4cf071f8735450b2

SHA512
4ef50edfa402122ac2723603385433af1fd2d15f352e60f5c7c5f44e897df2431f29b2a76f232c0f4806fcc983259e36678e596ab5e6bb772490c5d0617e34fb

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..dows_4b14c015c87c1ad8_0018.0001_none_5764c9eb3b7fcc71.cdf-ms

Filesize
5KB

MD5
9574f069d31f6df245b641f14056e017

SHA1
fd032c3e6599bbcc26e3463d1b7e435eaf9a49dc

SHA256
f98bbbad95b02f7a2637b37a859a328ede7ff386f3c1f55b0f548ac4010fe013

SHA512
1cf42b18b42a8ba4d8af6e5e57e2769c6412350c241593cc8addb9c6029eca1eeeb0ac04c9666b5638a75b4ce75597ff09fd11be90a9774d863d713fef824efe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_b433cb2de8159c4e.cdf-ms

Filesize
6KB

MD5
5d6cdd95a78e0e62088e98e03e1d037f

SHA1
9a29f5c7531130b8cecb4f0b78ffddfd3fbe0552

SHA256
4789bc673f8eb537df33d7b33296c83eb9ad9c10c44f454a6a64ea864a446041

SHA512
d1fdd6557ccab8b470cf917635a141e79ca36f65fd2d997cde24ed4dcc5b4754dca7c7fa1220bd5c140bd0de1b10e771b429fc72313a21515460a79f1775995f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_e9024fdc0e810f45.cdf-ms

Filesize
2KB

MD5
ecb672c085bd3de9bd3941e33f8eb3bd

SHA1
541ef4751cccde7bcfbba14dd727997ebcfead98

SHA256
a9a130e2f5c8c9eec49f434ca1240b54409a858908379a3dfc2355aa6988cacd

SHA512
32c794b66eed163108712b8bc620c524ab5d6e9e9a9a4550e6bd0e3698e90b825d91434172da42860c225ba597edcda663d4d85258e5ece3299a939e50e0b018

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..tion_25b0fbb6ef7eb094_0018.0001_none_3877ca14a9e581b0.cdf-ms

Filesize
14KB

MD5
840eb94cde4f5e522b8ebe7e700c02f6

SHA1
eb7168edf45ad7a98cf3e4042aa21f7473ca7972

SHA256
9beaf7f14630cb5091546a472cb103353efe6d29799f5c429a340c00bbffc711

SHA512
857ee63c3be7911765cdc4d481fb8d239832e906c2524848ed003b7bc6a5b12ed506abc7ce7827499e6058226a0fdf9d6e8e7012418a28a88acdd0caad4faf9d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\manifests\scre..vice_4b14c015c87c1ad8_0018.0001_none_04408a5294f11cac.cdf-ms

Filesize
4KB

MD5
7e61ac7993567837f0bf225032f8ca6e

SHA1
4b45a77c4959102a511cebdccb70676437b0a988

SHA256
7579485315dc36a8a887f4e551aba0b0b559bd47403890898b9b6aef734bd528

SHA512
4d14ba3097cd006a4a5af7041ddc9976ac95b8b01dcd792a4b0f085c9bd07ac00090411db15fe1aa8b9fc23668fff6788b24b119290220d1522ed9ebdea59ca1

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre...exe_25b0fbb6ef7eb094_0018.0001_none_9783907e4366b7cd\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
826314610d9e854477b08666330940b5

SHA1
65b601d60042cf6f263cd38ac2f63cd06a9de159

SHA256
e54963cb63c9e471e2d3d59e55e4c7aeedccafdd616b99c4b3af230608e4bcc9

SHA512
5c01d6de25d60eb6b1eb72b7fa6401b71153c2a740c41aeeb2bd302cc4e80f5c1a388b647ee16da196705ac8edbc60abda49b9a531517bb85959cc018fb5d1fb

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\Client.en-US.resources

Filesize
48KB

MD5
511202ed0ba32d7f09eab394c917d067

SHA1
dbd611720fd1730198f72dec09e8e23e6d6488f8

SHA256
f8398a235b29af6569f2b116e0299b95512d042f5a4cd38c98c79729a5fbdb9d

SHA512
f04b08938f3ebf8cfa1a1157a94da3ae4699494bdce566619afa5b13a8f6ebe556d522c064e5ea02e343b59a489343f77e3ea2bb2ea390aae35a626f41cadc77

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\XJOCKMCC.LM9\KBZN78T1.OT0\scre..tion_25b0fbb6ef7eb094_0018.0001_6016f41330c0a693\user.config

Filesize
587B

MD5
3e10208ff2eef9679d6e7db06b526691

SHA1
8b70c7ed7f7c730da1e050810062d4d054b13afd

SHA256
b210d67584d8f9c94bcd411fc1a32015e984cde1247f57527850490cc3abb4c4

SHA512
1d08ad1e75b4f82bb9cc63006cadb08f01d43d2e5d8ad03216320002bcadec15b3b49b69d2b66ae31726f0152f3efe245b0fe15c29014acc6f780b551a461465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Client.dll

Filesize
192KB

MD5
f311a8217807f6c85817058522e234a2

SHA1
ceb586b3cf7b0ee86ea8242d9b3d8641c9444cd1

SHA256
032450cd037d9e0eec49e0b4ff44073d539775633fb4af6fd76d4cb19116aac9

SHA512
5ef1f6b595af9cc7f788680ac3f3e9b8b12baafe734a8e2f675baa57f5ef2c69806492911bda54f11c5a4b8cf3cced82cfc6e0ecf214e45083e9f9aa6a83d039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
1d12540663f1fb2301012661bf6acd00

SHA1
4ba4abc78378f9bf0a31fc9bf35103137d3ec42d

SHA256
8f8c299ab74f38ddf6c041a37d56020e607b94a4ce6fa3b5e16f9c70e35c6798

SHA512
216f218785daff94173ab1448a1e4809075b6912b97608351c4048bee0df8ede12e520ecff7af1817fbe3d38ea075da6581226463fa3c58635797422b4e3fef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
3ff07c657068430ef677181d1f67066d

SHA1
37f7e9d2ccb65b4ea2733393015635ea1b43393e

SHA256
d17cf13612039f6a4ca17b56c32399ccbe279a499c8d2f8e910b1fd6f4fff2b1

SHA512
5552208b5649ceac2b32510ea12d409a85643d27e6a9c335e049195a507ae9211aee77574376fde059747998b60ae041e191635a67c3461585aba7f9b877b095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
a7bfcd734995f2fe641c5ebd637c59ae

SHA1
92e7258a10bec08ff63385331a5d78f3459cfa64

SHA256
1ea7f246f1325ccf9898118f7b1eefca497ac4f7e1b6b1f90ebfe31ac6cc40f8

SHA512
981de1dd6fbd686303dfd2efb025a689d459b0f479c0abde9f8ff553e8c07349e95bf2632f96b2f50b0bc9148de806a5a6638e65206580f37a766efbd92f59d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Core.dll

Filesize
533KB

MD5
3b1ba4bebefdc8a95b0f2f0b4e50c527

SHA1
15551d2e8bfb829f3a96d161b43de820c0d417ce

SHA256
a843b3a4549c43ef5bd8470cacf5d2f0f3b3c8110441fcc10079facc7db3de29

SHA512
f41595586cd5330537f5f02b392310b028e36f618e2583d125430ecd103ebbf6d2cf6befcfb1b32279eeb9fd7ef018f49131e3906fb61bc324da85d93a9a18c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
12963223cb801dd760d52e26bf1c06e3

SHA1
4fe312faea4edc5c53aadb85f7e976bf506e34a3

SHA256
df4cc32f0279bab39a5fb939227e1b30c5a237d461dd240168030b108143ca3b

SHA512
f3226d37872495aacb9749de550f422331f0c997e3b1ad169bd56948395d7894429783c5e59315371441822d0ebc4e403ac3d62f41dd53611582e17ee87b1544

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
d196174cf03f86c8776e717f07d5d19f

SHA1
bbd2c6a59229b3e4ec7c5742248f3f55a61dd216

SHA256
a1edd67a131505cc84d76601474c53874a56b5437b835838e4a866e20f6cd264

SHA512
cf4d159bcb42a1a7ea03f8877736cace109ae79998906b9178c74f7a9b63030cddc2bc94ef6c5f718e99c2d0039cf3589f8c4f2bf5b67db94b3b96d2c988b45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
85d7a5adb4c9afce8b3121e95ee9fe86

SHA1
2c671bccefc8269429f2a7fd69ae6054456058a8

SHA256
c7af60c3d92876b1949f5f2e5a038d9a06c26a00b39a4efa3a88ffeadb9218cf

SHA512
4353cfe464ca168c0c3889dea155d55dbc4b587eb5065d532921e7d7066db92e73da04fadf71e69aafcea50fd821ef513700180d646ae59d035b9236db583a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
c1f206b0c0058dc4cc7b9f3125f61e20

SHA1
541a1564799da24c48be188888f306381ef23728

SHA256
94e711fd79fc81084fb222ff927893669ddba9890c6622dd4981fb5766438a63

SHA512
6163a255daf2dc9ec14391f31ca09a466b7b33662f2215b9941add59b46cd1177e9240d2b1c42e41ea0ac9ae2efa03f6a2d3e80497d32f6e505b813ed66da2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsClient.exe

Filesize
584KB

MD5
ab5fa8d90645878d587f386d0e276c02

SHA1
a602a20735a1104851f293965f1fe4ab678bf627

SHA256
316bbf433f1f803d113adf060c528ccc636656cee26b90f5fea011c1c73c7d16

SHA512
a181e23c8fa01bc1d9f0f9f95a5ca6112e2b61f34f4c1da696d3ccabbbd942bcc81a3f4a60921328a6020d28aed8711c22be33761cb685921d50fea8b1d7b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
9213f10454e76c8ef6bed0f67743171d

SHA1
df15bae2396a52f7843bf39624e165f521ffd830

SHA256
d53f371ff1adec304daa458cb58f4e18bb75449150bf568aa2642d8684f3a550

SHA512
01af85e53e347843cbbd225b05b9667e54eed70e4cf2ca81904e8dadd6bc088059a5e8508003e86413dfa7435a5c17e59a954829c6ec0fc6491478ea03533680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
c2fa5a6421a4cba85b0f0217b5903da4

SHA1
d1fc53bc44d76f865ff1c85e216ec94c963ee0e9

SHA256
71b54f811b26371d90514a0d8145075f8b6ea96682150f6f1fb6cf80e191d98d

SHA512
218d94966fe59d9c68164d515b9bd17d049b011a5f8e2b9fd375ef36df142954346200d229968cad6b5057d7af892ab31b9ec092fc4388d0a1c2ac8a32b9aa78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\20LWBRE8.WD4\7VH3E4AG.DH1\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
2c158a30f7274e1931860e434de808a2

SHA1
f649a56c9a598117d68cc6999627a937305db6c7

SHA256
b623e67bea356c1793f3c921c5838719ed8b879efcd966e97ee753498b1618b5

SHA512
14bd481bf183cacae210eb06aff04870c6d53d3e7f095ea7f96a7ea227167e6a38eb20c9ede9f36bf23d02c36182a463239b3a835d0bd28e8666c378f76fe64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BJE4HAO2.VLW\YGDBZZR9.72T.application

Filesize
111KB

MD5
63bde9bfd040bb26709d5841388f6bd7

SHA1
72e21ab0803409de6ae65d1dfd97bb46528ed91c

SHA256
a74a8522a051c423f87db3e783b6691c66651d9f14f69a3662ac1a1f6a6eaaf0

SHA512
a97ff8c70a592da75c65ef1fa5e2faefe813b49af7b13590105edc6f025d12d9a6e5d627f52d9b78c49155b0f118ea38e2dd12c3c982e21b130bc1ae1173dcd6

Download Submit
memory/740-370-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/740-375-0x0000000004C00000-0x0000000004C8C000-memory.dmp

Filesize
560KB

Download
memory/2124-403-0x0000000002670000-0x0000000002688000-memory.dmp

Filesize
96KB

Download
memory/2124-413-0x000000001BE00000-0x000000001BFA9000-memory.dmp

Filesize
1.7MB

Download
memory/2620-346-0x0000000000B80000-0x0000000000C16000-memory.dmp

Filesize
600KB

Download
memory/3404-410-0x000000001C660000-0x000000001C809000-memory.dmp

Filesize
1.7MB

Download
memory/4392-54-0x000001DEFB770000-0x000001DEFB91A000-memory.dmp

Filesize
1.7MB

Download
memory/4392-7-0x000001DEFAD40000-0x000001DEFAD90000-memory.dmp

Filesize
320KB

Download
memory/4392-345-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-60-0x000001DEFAD10000-0x000001DEFAD28000-memory.dmp

Filesize
96KB

Download
memory/4392-0-0x00007FF9C4903000-0x00007FF9C4905000-memory.dmp

Filesize
8KB

Download
memory/4392-48-0x000001DEFADD0000-0x000001DEFAE06000-memory.dmp

Filesize
216KB

Download
memory/4392-382-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-1-0x000001DEF57F0000-0x000001DEF57F8000-memory.dmp

Filesize
32KB

Download
memory/4392-411-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-2-0x000001DEF7D80000-0x000001DEF7F06000-memory.dmp

Filesize
1.5MB

Download
memory/4392-3-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-4-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-395-0x00007FF9C4900000-0x00007FF9C53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-396-0x000001DEF8100000-0x000001DEF82A9000-memory.dmp

Filesize
1.7MB

Download
memory/4392-42-0x000001DEFB4B0000-0x000001DEFB546000-memory.dmp

Filesize
600KB

Download
memory/4392-36-0x000001DEFB4A0000-0x000001DEFB52C000-memory.dmp

Filesize
560KB

Download
memory/4392-336-0x00007FF9C4903000-0x00007FF9C4905000-memory.dmp

Filesize
8KB

Download
memory/4692-394-0x0000000003C40000-0x0000000003CD2000-memory.dmp

Filesize
584KB

Download
memory/4692-393-0x00000000039B0000-0x00000000039E6000-memory.dmp

Filesize
216KB

Download
memory/4692-390-0x0000000003960000-0x00000000039B0000-memory.dmp

Filesize
320KB

Download
memory/4692-388-0x00000000041F0000-0x0000000004794000-memory.dmp

Filesize
5.6MB

Download
memory/4692-387-0x0000000003A90000-0x0000000003C3A000-memory.dmp

Filesize
1.7MB

Download