d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67

Analysis

max time kernel
94s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Size

81KB
MD5

1c6c939a0f9dc785a99080a60d049c70
SHA1

a7ab4bdb9786c31b7e31ffb45d361837f7cc0aa2
SHA256

d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67
SHA512

dc8f14d00a4fc77d095833c46fe2c0618d6f88445e3c375f140d34fa8119a098061c65bb3d443d6a4c9f223be909567437952c8a6a4c52b5c77f8b52fcc3b04f
SSDEEP

1536:RoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaJPBJYYf7AuxI:LenkyfPAwiMq0RqRfbaJZJYYfkT

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (ff67c576-076a-46e4-9b9a-c0a32b644029)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\M9L1Q555.AO6\\X8QNA98H.R3M\\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-vphaes-relay.screenconnect.com&p=443&s=ff67c576-076a-46e4-9b9a-c0a32b644029&k=BgIAAACkAABSU0ExAAgAAAEAAQA5i2sSafvIdhY3n2kuwmk7nSbpmKZBhEDYuUDS06Czu5BQzRLiD%2blcrQ7LVruxmZLco2FaPLbU47JT9YMczxHH8YRpllowyNzpDECmgHhzuYVMju1egEVBlfr4RcD95%2f0XeMdYvMQH1pHgk6oVFE4p%2f%2blu4LkkI%2bOKGiKcdDfBEqaiF6TtbQM3KP7WJ%2bPjLu4oXRg0llStjPPBPp5g7GQI3tP9HQFgPHp2LwqXqaBgdAXFxf1mgkRKfTlXIOjP3yFEkkaay8vEvG8SybIrgEKzcHrAq6JMtslFuWSpDJYu6jHH3kjMDH9CeJx%2bSkmZKn2LwvVncBsDqNyGLEqoE47c&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA%2fTNZpUIEIEmB3LM44R38gQAAAAACAAAAAAAQZgAAAAEAACAAAAAzmlreZBPowsraSLJxTKVCGuL3ryjW1XgKVIaYQmhWOQAAAAAOgAAAAAIAACAAAACeS5bz%2b%2fsKtPxIXSk%2b%2bfsYfZ6YDxD54tpYgSb1mnD0X6AEAACZk15PCALTrdSr8CCpkinRQntDTCYCWiY0UxC9OolRv0mF188yOfBdSKIXQcqW1WiiwCUZi2%2f83qHoSTR%2fA%2b%2b2soy8VqE5BLyQRvOTk8Db%2fkl%2bKzasKcQywzLJKAFrY4IB0H%2bShzvvrQR8N09h2Rcy972wzqv6RXxqFS4yF9UCN9DddUsLGCwfY%2fl2NRSLPkPpXfnV89dDqt1xjVCNf3zL%2fGRkMB2JYnyEQJKG2hducMuEBYuJ4Ln8VwPW4vprU0%2feHI1U5qAFpq3Z0c63YQTB%2bbHkMsSWRpg0ruevZmtB49MlNf7fzo6MI4z%2b2IKHIvb7aKOvQAmPEea2YeRtN6zEibGq7thBPXIlm98PqK9tcHf8EFV75YiEJ9xhSxGbmwIJqNvGAQn0FY4uugbm4PGATeoZEjHZOMGV1QqJ8TjUAkW2xqbynrktF%2b5zYbdCqMq6IZn7OCAUkhYpLP9YXdqp3dg8bOMb6T6yUSd3vEsH%2bqy2lyg7SoXqvfgYp3PWcvbXZnPylIII5VTpUO%2fRBjjP0QtyQmy4YY4bN6dLTFbqnJXTCK5s3D0QWHe%2bSst2f1SR8K%2bo%2bJmoVozvtpdfwnyXJnyhH6QKvqOKbbfRD7jk0QWK%2bzDx%2fxgz53R%2fu5KaZ%2f64LcHdKN91xS%2bW7u8%2fb3bZoMrDqSnp%2bbkOeIUulyQsbH39MlktwRIDtUg%2fe%2fT2vzeUH6FpnaYeMkJD48ZSJltONzb%2bnBcGD7YTrB3HXV18Os9Yk5PixR0%2be09XD97qEEZ2yZYpAMvpoP2kOvsO9yaxy%2bjhtfUQU%2faz142E9zksh428hwrUzQ4DKPi4yulW%2fqJs9dkRKa4o%2f5n7Nz6HTcUpak8N0SnJD3sJKT3mflaKaQTOci0Jea1qrxuhqGhpSfLh7WNEbhxzeHAXPK4bCDE0hYsUXk3wA4eUqL%2femGoxmbka7BPHFWUeNz1209ddkYHlTGMC0hytxdL3IAyDaHiPa1x0NJvgNV7BqWeSU1rxKFYjFuO40Xme3vD3W8EdiNzSwOEk5EqMcna3yK8h92O9OgZ%2blM6IouKNG4uQGJPW4LdxZ%2fUy9C45MuyHPchMNHI4k5WYL5WIYYb3s0sL4NzG0DmlaugAQMkhuchKgcKWkPkeljpN8%2bRFeQ%2fCs%2bptLzQScP5vQJffeMG1MiBNWhxtmCn6D7BJgk94qCCP1lKrIT6J3%2bFUf%2b8LqNKPmtWY3XnYo8G4S1srTuIDM1%2b5IvvTBUJk0C%2fmZShqoFoQP0b7cilOv1uI6LBvvaAlSC4t6WLiwZq%2bK4dRoT3R0vECEDGd5pZZZWDC50HPCUYQUdjGOaKDoqTROMvJVhRbzqjkhBkPm3bKWwokVaikAysFSZtJVDPxbTK7crmV4PiK%2b20RKoeD3EuVJvzJJmN07qy2toVVpVFaG7LWbKAq8y0iI4ky985dcM%2b0f9fQ%2f%2f9ykdcvGhB4VxeatrqHAuxl01HmUElHTcOCOAiaTBiPbIgtKOR3rZbsRPhxTV%2fjNPuarxAmfIhcBE3VpYIQrged52q%2bGmTMPeLn3FWohZCqK0Ret9yoj3%2fTG9mtLbhPy%2ffOF%2bPLtUAAAABvQl4ehkxGRGSkglX5Rch9PvmJcZWEY4k6sw9FsqUEniVEr6ix%2b499q%2bCZfPW86DgonXbOW646RoopRKoCI2ii&r=&i=\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe

Executes dropped EXE 5 IoCs

pid	Process
4152	ScreenConnect.WindowsClient.exe
1364	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
4512	ScreenConnect.WindowsClient.exe
1404	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
1364	ScreenConnect.ClientService.exe
1364	ScreenConnect.ClientService.exe
1364	ScreenConnect.ClientService.exe
1364	ScreenConnect.ClientService.exe
1364	ScreenConnect.ClientService.exe
1364	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	4760	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_1865eaceeb9d0ddb\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d92859	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9\Files\ScreenConnect.WindowsClient.exe.config_f7f = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551782c8d\SizeOfStronglyNamedComponent = 4a621a0000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9\lock!010000009191570e640f0000fc1200000000000000000000 = 30303030306636342c30316462313631353234633066363466	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f6d61676e657469736d656172636163686f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaae97cc8\DigestValue = 20d991da320bc644585f47f24e4ebfc274503b0c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b55a13d7fe0dfc6a\SizeOfStronglyNamedComponent = e950090000000000	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "M9L1Q555AO6X8QNA98HR3MNO"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b55a13d7fe0dfc6a\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\SizeOfStronglyNamedComponent = 98eb020000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d\DigestValue = 72c2a14461c9c3b87b95aaedc2bf4e15767cbfd7	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61\lock!060000000893570e38100000a00b00000000000000000000 = 30303030313033382c30316462313631353237373239366437	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9\lock!060000005d92570e640f0000fc1200000000000000000000 = 30303030306636342c30316462313631353234633066363466	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_76a06e38d788a684	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_1865eaceeb9d0ddb	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551782c8d\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "VZJYT4QBT5VOKWTNMG9V1AOL"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 54007200750065000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\lock!020000000893570e38100000a00b00000000000000000000 = 30303030313033382c30316462313631353237373239366437	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\HasRunBefore = 01	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\lock!110000007c92570e640f0000fc1200000000000000000000fc307 = 30303030306636342c30316462313631353234633066363466	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaae97cc8\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_186 = 68747470733a2f2f6d61676e657469736d656172636163686f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaae97cc8	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551782c8d	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\lock!040000005d92570e640f0000fc1200000000000000000000 = 30303030306636342c30316462313631353234633066363466	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaae97cc8	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\lock!100000001893570e38100000a00b00000000000000000000 = 30303030313033382c30316462313631353237373239366437	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab415	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_1865eaceeb9d0ddb\appid = 68747470733a2f2f6d61676e657469736d656172636163686f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31312e393032322c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaa = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61\DigestValue = 74b5f2fa770089028672186c3724cc40dbd72cb6	dfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe
3448	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	dfsvc.exe
Token: SeDebugPrivilege	3448	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe
4512	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3940	4760	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe	82
PID 4760 wrote to memory of 3940	4760	d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe	82
PID 3940 wrote to memory of 4152	3940	dfsvc.exe	83
PID 3940 wrote to memory of 4152	3940	dfsvc.exe	83
PID 3940 wrote to memory of 4152	3940	dfsvc.exe	83
PID 4152 wrote to memory of 1364	4152	ScreenConnect.WindowsClient.exe	84
PID 4152 wrote to memory of 1364	4152	ScreenConnect.WindowsClient.exe	84
PID 4152 wrote to memory of 1364	4152	ScreenConnect.WindowsClient.exe	84
PID 3448 wrote to memory of 4512	3448	ScreenConnect.ClientService.exe	86
PID 3448 wrote to memory of 4512	3448	ScreenConnect.ClientService.exe	86
PID 3448 wrote to memory of 4512	3448	ScreenConnect.ClientService.exe	86
PID 3448 wrote to memory of 1404	3448	ScreenConnect.ClientService.exe	91
PID 3448 wrote to memory of 1404	3448	ScreenConnect.ClientService.exe	91
PID 3448 wrote to memory of 1404	3448	ScreenConnect.ClientService.exe	91

C:\Users\Admin\AppData\Local\Temp\d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe
"C:\Users\Admin\AppData\Local\Temp\d76f13f9c96d975726d7753daca79dd08bb0644082705d90ed8b52dcabbe6f67N.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-vphaes-relay.screenconnect.com&p=443&s=ff67c576-076a-46e4-9b9a-c0a32b644029&k=BgIAAACkAABSU0ExAAgAAAEAAQA5i2sSafvIdhY3n2kuwmk7nSbpmKZBhEDYuUDS06Czu5BQzRLiD%2blcrQ7LVruxmZLco2FaPLbU47JT9YMczxHH8YRpllowyNzpDECmgHhzuYVMju1egEVBlfr4RcD95%2f0XeMdYvMQH1pHgk6oVFE4p%2f%2blu4LkkI%2bOKGiKcdDfBEqaiF6TtbQM3KP7WJ%2bPjLu4oXRg0llStjPPBPp5g7GQI3tP9HQFgPHp2LwqXqaBgdAXFxf1mgkRKfTlXIOjP3yFEkkaay8vEvG8SybIrgEKzcHrAq6JMtslFuWSpDJYu6jHH3kjMDH9CeJx%2bSkmZKn2LwvVncBsDqNyGLEqoE47c&r=&i=" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 324
  2⤵
  - Program crash
  PID:1192

C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-vphaes-relay.screenconnect.com&p=443&s=ff67c576-076a-46e4-9b9a-c0a32b644029&k=BgIAAACkAABSU0ExAAgAAAEAAQA5i2sSafvIdhY3n2kuwmk7nSbpmKZBhEDYuUDS06Czu5BQzRLiD%2blcrQ7LVruxmZLco2FaPLbU47JT9YMczxHH8YRpllowyNzpDECmgHhzuYVMju1egEVBlfr4RcD95%2f0XeMdYvMQH1pHgk6oVFE4p%2f%2blu4LkkI%2bOKGiKcdDfBEqaiF6TtbQM3KP7WJ%2bPjLu4oXRg0llStjPPBPp5g7GQI3tP9HQFgPHp2LwqXqaBgdAXFxf1mgkRKfTlXIOjP3yFEkkaay8vEvG8SybIrgEKzcHrAq6JMtslFuWSpDJYu6jHH3kjMDH9CeJx%2bSkmZKn2LwvVncBsDqNyGLEqoE47c&r=&i=" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe" "RunRole" "930c9708-a697-4ebb-aa5c-8014e6d5c2c3" "User"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4512
- C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\ScreenConnect.WindowsClient.exe" "RunRole" "d6d6888f-8f33-43aa-aeb4-fb104ad2895f" "System"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9.cdf-ms

Filesize
24KB

MD5
79efdc3b1f70e3f24caca36c92e7f5c5

SHA1
6710c07002eaebfa11424808306a04f6fd1633c0

SHA256
ed06a9bb123fba1b78c0bf7cd4fa4c8d049b55b40936dada1000d7c347ddba7c

SHA512
226f85acf201b26d4ac8111071b9f2330a7ebfc44ddb50017df2346b59aa745b946dac355c02ec977e84cc382a38fc610a9ab36461609fc30db0ebe7688b4c6e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_54133ab4152a195d.cdf-ms

Filesize
3KB

MD5
792c3cf75d9f87e83063a66e9f9ef6e3

SHA1
52d51cc4e2ebfc6002bcd77a0e5aaf13e5291ce1

SHA256
be2716b61a3d272b98baddfd7ec86f5163285fa0f9dc3de387e1815ed6220c67

SHA512
c98df589acbacd6a82e6e214ecc9bdcad9a4fd259298320dd7162977ec63c7119f739470564d92bb6fae9e8acbe556fe04b07cfec334c2c0b764eb1774f72ced

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_588b129551782c8d.cdf-ms

Filesize
5KB

MD5
8478d45b54e18b72097813ef33327ec5

SHA1
2fce636245bf076195039a002cd7a630ebc1aa8b

SHA256
ce1104927532fa2f14a405dc027452b47514453cd6482297813a1977db10b97c

SHA512
10e549f7e6bac20c3a8b39731dead8e5a3754adda7bdf1c9c3e39e043a04253f9d393a28e736c290912450dec95fd9b84bfb05d82d5c8c545d08999ea8d373e7

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b55a13d7fe0dfc6a.cdf-ms

Filesize
6KB

MD5
ce4b62de51b5110ff91d904b2bf5f0a0

SHA1
2cf8ec378c5459764413284defea7267d57e63f3

SHA256
8fe2f4e3eb745d1e0e16a2d00e690ee3b8d73c1a4cf885dce1a0ceb891f681b8

SHA512
571d812d4554bbae6d586af395a322c4022a5e09ec72acd01aadcbbf9d9a59f77528f35739680a1d33602fdb06b9ce5c8f457e56bfbca15ac2074227031093d1

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea28988624796f61.cdf-ms

Filesize
2KB

MD5
a905a6a00a4e03394d5d364b3b87917f

SHA1
f5dc256e7a812504fa813e0b1e47caf175b2adb6

SHA256
209a3cbd6a80b2d431ef484eb293721ba090111a4ca4a8ce3a1d26cb4327b8c1

SHA512
6c1fe51c547a0b98edf016bdd9d3f2137829e7e6c85aeb6560c490ebe8443a9af488b813b9cadd731dd7808239ab3cca9ac26706b899e0a06499ff1a840d60f8

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399e12bebfdde1cc.cdf-ms

Filesize
14KB

MD5
7fb925c0e0fdd01a21a91f0b227da4a4

SHA1
54ca39ed91a91bbc84a44776a2e57e7b4b303507

SHA256
5bc82b04bc4f71f6b0bb5d923d24c7cf46576ed554e30e4806a82964afd58d58

SHA512
1e1363e199ab6560b6322bf1d8a4c0b21750e940bf73151874e6643677be2766854ffc9c32b46cad1ea08579602f0319b6bca84d22c716db698ed5d6d831d004

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0566d2fcaae97cc8.cdf-ms

Filesize
4KB

MD5
02df29ae548c19a1bf7a8f5c73a265d5

SHA1
7142234d62e129742451a6892335858d9b342bcd

SHA256
70552043dc7ee9ed2c05b3ddd83913642b329bdedffb577b00f9cae38231a279

SHA512
c450c3135ffeb63ab9bb130e7f0149fc4971da96f0629fbf9f13f9d3702ce942c9f3078796cb05b1a386b1b4ff0b18e1751cea0ec2aa8c38e9e585b22fbaf57d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a9d928595f17e9\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
6d4b28a4fc5969668e472e0ffe5af3f7

SHA1
cebf23dea6e4ac9428b0042100b9346f7597b733

SHA256
05ce4e1f120eb7854b28854896e6908707775750f2b5c4cb80a02f04dc80d760

SHA512
d4a2c2aa284fedd74a03d10ca441b3fb40e11f1cc67e69f61bc7025abb27869b9ac7d4938da805cd2c6093e5adfb987890baa57528ac17ffb5eff8c2e1a8e832

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\Client.fr-FR.resources

Filesize
45KB

MD5
cbcd812e3b342bb634c6917f0943965b

SHA1
f918d7f6f0bfcbe641ac5a02db873eda75231ea9

SHA256
182e6523208dfab4e9fa14a233d404cecd3c8a3dcf5bc246ed40c349d468ddc3

SHA512
22442a73bd44028c4fb4ec63856b916bb47b0c195223c15830e44358160211663a61c544cf9e857a4a62bead4865f7e5e00e8d413df961246a392646df6070e0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\M9L1Q555.AO6\X8QNA98H.R3M\scre..tion_25b0fbb6ef7eb094_0018.0002_883648aab9f81aca\user.config

Filesize
588B

MD5
64c85711e399ad457147ee6bdfe00a92

SHA1
e943f747df22b210646e73e01264182cdfed015a

SHA256
0988fb549e5f57871f188e37b0535140a5a9aa36267b7d8f02794ae591308bdc

SHA512
46cfc1b3fd461cd50dd5bbae442e9e60a77bd0900b89941a747e58b962db59315452f2e9834cd288aeae2110a5a8f1029a3d246a0fabfc6197d68e02bb8f0313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Client.dll

Filesize
192KB

MD5
c03ea68db07ea809aba03b7e988494a0

SHA1
74b5f2fa770089028672186c3724cc40dbd72cb6

SHA256
c41321bd3d193e8f64bbfc68b13a3f25b535ed78eb5fc4bfe9512ea0b3eaf826

SHA512
ceb1456914dbc7c7ead241467c4cc81bc0b47ccc9ea653b82987f5cd080d97149b0656a4685c959dd0614ea27784bafa4abd44395d17a764a9a2e1a64ab5fe9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
9cc6ac11685d8bb8331fec645239df22

SHA1
c81fa771651680b90c6886edbbafa7c4cbdc75db

SHA256
155e2915d33b985a8559b784d26ded61cd90f0f18380b3abd559b9bbc86540c3

SHA512
4a181135401e951296c6cba53b55ebcd691628048c19078e7b4dfe26a4fdf1e50496527fa3b4dc6921c666763e329c605ecc82f691f0c2776ad4e99aac3e9b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
104de73efa546825580037f7f3b7ced8

SHA1
20d991da320bc644585f47f24e4ebfc274503b0c

SHA256
75e7c892842d3022d0f37c1ce9778dbff47ca014cca816665cc1bc5525e541af

SHA512
4088d851dacbae34cf56e1f86a1937a4254d8379f501c2eade800c6f8279b77d71b5df722729a869294f807d477e5673fb7ace12207f5a2a0db4015c29d2400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
479b769348a4725fe3ec0ccb27a55c05

SHA1
967a799cd1adcaad979da791d0a55de8e0b04896

SHA256
6e7cd93070197d58599f6ec2e897456292454b86f704e5c2f4554fcdbd5fb68e

SHA512
b3ecda192d3a2629419a48b2364085ca94596e2ae1b7a1ca9b3289c48bd7d1884d3cb2896e6ab93015863a31e3e1ba5d0c957d5117cb23f53a3e7ff1f7fe8295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Core.dll

Filesize
536KB

MD5
20867062ab50fa3ffea8d3bc9a88a7b9

SHA1
72c2a14461c9c3b87b95aaedc2bf4e15767cbfd7

SHA256
0efbace19282f63d62de8b31fb3d3e6ba09eda73bfe8bda04a70b53ebd83977e

SHA512
bafa31e8d5ee9de7caeec996932570a571ee8a266ecbdbea75cd34a66ddbaa84915ab0d773ccfbcaecb7d83e1fc3448cc45e6803c49af1b43951f0aa4fee7839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
c30d4f287812fd0839fcdc67816e7460

SHA1
bac47dc8a26a4737c5b1e709bbef33b8f065fec0

SHA256
e65471cd2ae20156b7f143448635e32754b058d2f397c6b28fed756eb82ca05b

SHA512
bf02e4ef214daf985209a07b7a6790840709181139afc50a4d725b4db47f8317b426f6606373da4596f4f828a4b45e34b54e8a6de3d681ec832fa810ef7f5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
fb73802ad88ea10dd22d34cf73c874e2

SHA1
82f75d4185b1ff1625fe622b5bff8fea083a3c64

SHA256
d159c14254f16ef7fb5d14d6846ef19f2f9ff95213061f5dd694fe729df5ee7e

SHA512
1ec4c0a927e430c91593e54f7c3af750d7ab741602c40047fa4fe46e5965fcd3acce525f03a65c0c7132c5c9a71664427dccfbc51d4590ce1fe8e23840fe0358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
33314262c41f5cd4419e10c194a198e9

SHA1
df70939ff5f11ba191ed41699b00a96037edff33

SHA256
47983de853ba3799fd50c0e51c54b94696f557ef2996bef5cd85e6bac835114a

SHA512
ca42dc798c26719ffe043663a4676c3e56391afb29985c3f81e28d3521a8c57988e66d5149ffdaf2ed83c1cfcc1e8af56c265791dd39396c75321f5f70a37ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
4ca25a8745e8acbf87c68473bf920112

SHA1
c8263dc169582fb92fadddb1ca67123a8be5f018

SHA256
9f602959f97b8ebb783ff48fd40ecec893e2c0ef92613382f5f4200dbb65db5b

SHA512
3affb85d7dceb771a04b8eaed95a0385f19bb60c369a9c9f3703ab162ab4ab6c4a0a14596e860aef5c90d103a4b6113d7b2414a4e54c9ad856365fccb109ae08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
2ad87eae66af1f34b27c0c8d1d5a5fbf

SHA1
264179ed1bedbe4f561afb810aac3d161f20c464

SHA256
1b32a493ca750fdad3cc20c976268da8224948b80aeed01b73613ad0c15457e6

SHA512
29929f57a996ab743c0c2153113e6b7515632046966753790885787c2863c927b2dc96426bffadccf9ebe188158c15584769a174b3d736706c3817732b6bced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
ab280bf4de38c8e7323147ec32972609

SHA1
86549fecb02bda35c437d4f2c2519eaeaf1058d5

SHA256
b864a15db74403e1b92797aa5e11f404ccd3ac477b404596abbcf7fba877b43d

SHA512
b45f9ad67fb4973ead7e04ac6c230b0c57bf8389c46514791913dcc500e7d04b28f8931aca300839001296ec7097fb2014dd093aaab27c5b3206f7c9dbb7f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
bfa7872442a6fdd270e62f9cd36619ae

SHA1
066e48386db90c0478d1d88c60de1cba6dff4a15

SHA256
2622e6f3041536abd3e1592da73cb07e0e623db09b6ef423d5d5ae463c73b7e0

SHA512
5bf103a5ca30cdd88b0cca0d3009086b393ae0e2f483f4979dc9e44975f4840d7d703ff136bcc32d2d2bf02ce5aff52cbd40cfc17130299ffc91a938031e17dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BH0LTWNR.GVD\9OJXMHEE.1BH\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
046557e0c7ffe80e2584164220700336

SHA1
39713ba21a481e7fc70c82313f68be83b89ec799

SHA256
c05462cefea31d0748c2e91c70071184c1b6df957c9c79ff8cc71cdc4af4a419

SHA512
9c71570c71732099e1ec729f04125a86a9b958b97b0ced6cb53a75bfb542ebb5c96e32d57a96a1663de180afd668479e2cf899a3bfed788b9eeb0235d9ef2969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\RK4GEA94.LO7\WCDPPNNO.39R.application

Filesize
172KB

MD5
699b6f64eda577f7ff31857ec907aa18

SHA1
579fddf810c147e157bba5594aec06930f84d681

SHA256
e8853d257e978338116d2bec3c1f333a35df8f8b9244eb3966ba64fb4885c151

SHA512
f53c523f809353b541cb5fca0169043ee05a936707fcd41ab4a521b2e81468045e51f9c213ac8644863fb88a9c6a093f036d8b1e5fa2015c7477fa73e0faf96b

Download Submit
memory/1364-376-0x0000000004A60000-0x0000000004AEC000-memory.dmp

Filesize
560KB

Download
memory/1364-371-0x0000000004930000-0x0000000004948000-memory.dmp

Filesize
96KB

Download
memory/3448-394-0x0000000003CE0000-0x0000000003D72000-memory.dmp

Filesize
584KB

Download
memory/3448-393-0x0000000003A20000-0x0000000003A56000-memory.dmp

Filesize
216KB

Download
memory/3448-390-0x00000000039D0000-0x0000000003A20000-memory.dmp

Filesize
320KB

Download
memory/3448-389-0x0000000004290000-0x0000000004834000-memory.dmp

Filesize
5.6MB

Download
memory/3448-387-0x0000000003B30000-0x0000000003CDA000-memory.dmp

Filesize
1.7MB

Download
memory/3940-27-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/3940-55-0x00000251EA640000-0x00000251EA6CC000-memory.dmp

Filesize
560KB

Download
memory/3940-0-0x00007FFBCA443000-0x00007FFBCA445000-memory.dmp

Filesize
8KB

Download
memory/3940-61-0x00000251EA5B0000-0x00000251EA5E6000-memory.dmp

Filesize
216KB

Download
memory/3940-37-0x00000251E9E40000-0x00000251E9E58000-memory.dmp

Filesize
96KB

Download
memory/3940-43-0x00000251EA910000-0x00000251EAABA000-memory.dmp

Filesize
1.7MB

Download
memory/3940-49-0x00000251EA650000-0x00000251EA6E6000-memory.dmp

Filesize
600KB

Download
memory/3940-1-0x00000251CC850000-0x00000251CC858000-memory.dmp

Filesize
32KB

Download
memory/3940-7-0x00000251EA0C0000-0x00000251EA110000-memory.dmp

Filesize
320KB

Download
memory/3940-4-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/3940-3-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/3940-2-0x00000251E6E10000-0x00000251E6F96000-memory.dmp

Filesize
1.5MB

Download
memory/3940-402-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/3940-401-0x00007FFBCA443000-0x00007FFBCA445000-memory.dmp

Filesize
8KB

Download
memory/4152-345-0x0000000000890000-0x0000000000926000-memory.dmp

Filesize
600KB

Download
memory/4512-400-0x00000000024F0000-0x0000000002508000-memory.dmp

Filesize
96KB

Download