| Field | Value |
|---|---|
| File name: | 029e7aef706667b7525eb38bf67ca680.exe |
| Full analysis: | https://app.any.run/tasks/d8da015d-5581-4780-afd1-24c17f98b70c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 17, 2024, 21:13:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 029E7AEF706667B7525EB38BF67CA680 |
| SHA1: | 01809C1F431FA5D5AAF895C0458254A8C85BEAC4 |
| SHA256: | 17DC9DFE0D2F1A23B38B15DEC93EFBE7A48936E674E81DE51B61313F6D398009 |
| SSDEEP: | 1536:VejLH3MVw8licIgWQog5Mzg+MoCdqQsWQcd69jPVfqFNKgsN:MjLHcVw8licpWQog5Ms+f+l6xPVfqRsN |
| Extension | TrID match (%) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |

TrID's top match (Win64) is a heuristic guess and contradicts the PE header below, which reports a PE32, 32-bit image; the header is authoritative.
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2022:11:18 19:55:37+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.33 |
| CodeSize: | 40448 |
| InitializedDataSize: | 32768 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14ba |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| PID | Command line | Parent process | Details |
|---|---|---|---|
| 400 | "C:\Users\admin\AppData\Local\Apps\2.0\HW1AT03M.OKX\ZG7HKM6K.RLK\scre..tion_25b0fbb6ef7eb094_0018.0001_b6d018850e89ed06\ScreenConnect.WindowsClient.exe" "RunRole" "190e5489-199c-4365-a33e-863aa0166985" "User" | ScreenConnect.ClientService.exe | User: admin; Company: ScreenConnect Software; Description: ScreenConnect Client; Integrity level: MEDIUM; Version: 24.1.7.8892 |
| 1428 | "C:\Users\admin\AppData\Local\Apps\2.0\HW1AT03M.OKX\ZG7HKM6K.RLK\scre..tion_25b0fbb6ef7eb094_0018.0001_b6d018850e89ed06\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-td2ipg-relay.screenconnect.com&p=443&s=aa79370a-c7db-4c0b-9690-8ca77bac8579&k=BgIAAACkAABSU0ExAAgAAAEAAQAdmY1rknhM0hviTZrH7bAypGKGFRBZiUcFMDCRdoO1rsAQdunoqoHoKdNcgDhKtlOzCT7wtRbh6wP2KxsI3KberEOZvaOzy270BqAElKjIdJ9CY1uoodWtpOLyvqiFabqCtLEO7o6ja8fe47jmMb72aqhXP93TbAmgePMyUxt648POqH5Y7li4sPp0ImIymD6%2fmdH2%2f0KcaUU%2bOfggitthgUYKcRAVmRqM4GW3rSkGIxfOsQeoWTbJI6tWwr4CEHvIHtgMdQLs76lhHEblM%2fqLuw2BrojauWNJVXaQa3oTUDEoXzidpbtF%2bErePs2fCpmkoEQ3vU6pnYSz4DsSW%2ffG&r=&i=Untitled%20Session" "1" | services.exe | User: SYSTEM; Integrity level: SYSTEM; Version: 24.1.7.8892 |
| 1752 | (same command line as PID 1428) | ScreenConnect.WindowsClient.exe | User: admin; Integrity level: HIGH; Exit code: 0; Version: 24.1.7.8892 |
| 2392 | "C:\Users\admin\AppData\Local\Apps\2.0\HW1AT03M.OKX\ZG7HKM6K.RLK\scre..tion_25b0fbb6ef7eb094_0018.0001_b6d018850e89ed06\ScreenConnect.WindowsClient.exe" | dfsvc.exe | User: admin; Company: ScreenConnect Software; Description: ScreenConnect Client; Integrity level: HIGH; Exit code: 0; Version: 24.1.7.8892 |
| 6300 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\AppData\Local\Temp\029e7aef706667b7525eb38bf67ca680.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | explorer.exe | User: admin; Company: Microsoft Corporation; Description: Windows PowerShell; Integrity level: MEDIUM; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 6308 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | powershell.exe | User: admin; Company: Microsoft Corporation; Description: Console Window Host; Integrity level: MEDIUM; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 6688 | "C:\Users\admin\AppData\Local\Temp\029e7aef706667b7525eb38bf67ca680.exe" | powershell.exe | User: admin; Integrity level: HIGH; Exit code: 1 |
| 6740 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" | 029e7aef706667b7525eb38bf67ca680.exe | User: admin; Company: Microsoft Corporation; Description: ClickOnce; Integrity level: HIGH; Version: 4.8.9037.0 built by: NET481REL1 |
| 7068 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | svchost.exe | User: admin; Company: Microsoft Corporation; Description: Microsoft OneDrive File Co-Authoring Executable; Integrity level: MEDIUM; Exit code: 0; Version: 19.043.0304.0013 |
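The argument string handed to ScreenConnect.ClientService.exe (PIDs 1428 and 1752 above) is where the triage value of this report sits. It carries the relay host and port the client will dial, a session GUID, and a k= parameter that, once URL-decoded and base64-decoded, starts with the bytes 06 02 00 00 00 A4 00 00 followed by "RSA1": a Microsoft CAPI PUBLICKEYBLOB (BLOBHEADER + RSAPUBKEY + little-endian modulus) holding a 2048-bit RSA public key. The script below is an added example; it is not part of the ANY.RUN report and not ConnectWise's code. It parses the launch string and decodes the blob with the documented CAPI layout. The meanings assigned to the single-letter parameters (h = relay host, p = port, s = session ID, i = session name, e = session type) are inferred from their values in this report, and using the blob's hash as a per-instance fingerprint is this example's own choice.

```python
import base64
import hashlib
import struct
from urllib.parse import parse_qs

# Argument string of PID 1428, copied verbatim from the process table in the report.
LAUNCH = (
    "?e=Support&y=Guest&h=instance-td2ipg-relay.screenconnect.com&p=443"
    "&s=aa79370a-c7db-4c0b-9690-8ca77bac8579"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQAdmY1rknhM0hviTZrH7bAypGKGFRBZiUcFMDCRdoO1rsAQ"
    "dunoqoHoKdNcgDhKtlOzCT7wtRbh6wP2KxsI3KberEOZvaOzy270BqAElKjIdJ9CY1uoodWtpOLy"
    "vqiFabqCtLEO7o6ja8fe47jmMb72aqhXP93TbAmgePMyUxt648POqH5Y7li4sPp0ImIymD6%2fmd"
    "H2%2f0KcaUU%2bOfggitthgUYKcRAVmRqM4GW3rSkGIxfOsQeoWTbJI6tWwr4CEHvIHtgMdQLs76"
    "lhHEblM%2fqLuw2BrojauWNJVXaQa3oTUDEoXzidpbtF%2bErePs2fCpmkoEQ3vU6pnYSz4DsSW"
    "%2ffG&r=&i=Untitled%20Session"
)

PUBLICKEYBLOB = 0x06         # BLOBHEADER.bType for a public key blob
CALG_RSA_KEYX = 0x0000A400   # BLOBHEADER.aiKeyAlg for an RSA key-exchange key


def parse_launch(launch: str) -> dict:
    """Split the argument into its parameters; parse_qs also undoes %2f, %2b and %20."""
    query = launch[1:] if launch.startswith("?") else launch
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_publickeyblob(blob: bytes) -> dict:
    """Decode BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + little-endian modulus."""
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB:
        raise ValueError(f"not a PUBLICKEYBLOB (bType=0x{btype:02x})")
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic != b"RSA1":
        raise ValueError(f"unexpected RSAPUBKEY magic {magic!r}")
    modulus_le = blob[20:20 + bitlen // 8]
    if len(modulus_le) != bitlen // 8:
        raise ValueError("blob is shorter than the advertised key length")
    return {
        "bType": btype, "bVersion": bversion, "aiKeyAlg": alg,
        "bitlen": bitlen, "pubexp": pubexp,
        "modulus": int.from_bytes(modulus_le, "little"),
        # Hash of the raw blob: a pivot that survives relay-host and session changes
        # (this example's own choice of fingerprint, not a ScreenConnect identifier).
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
    }


def extract_iocs(launch: str) -> dict:
    """Triage fields for a ScreenConnect client launch string (parameter names inferred)."""
    p = parse_launch(launch)
    key = parse_publickeyblob(base64.b64decode(p["k"]))
    return {
        "relay_host": p["h"],
        "relay_port": int(p["p"]),
        "session_id": p["s"],
        "session_name": p["i"],
        "session_type": p["e"],
        "key": key,
    }


if __name__ == "__main__":
    iocs = extract_iocs(LAUNCH)
    for name, value in iocs.items():
        if name != "key":
            print(f"{name}: {value}")
    k = iocs["key"]
    print(f"server key: RSA-{k['bitlen']} e={k['pubexp']} "
          f"alg=0x{k['aiKeyAlg']:04x} sha256={k['blob_sha256']}")
```

Key detections on the decoded fields rather than on the raw command line: one instance can hand out different session GUIDs and session names, while the relay host and the server key stay the same.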
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 6300 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 6300 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 6300 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 6300 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 6688 | 029e7aef706667b7525eb38bf67ca680.exe | delete value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates | 7B0F360B775F76C94A12CA48445AA2D2A875701C | |
| 6688 | 029e7aef706667b7525eb38bf67ca680.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C | Blob | (certificate blob, not reproduced) |
| 6688 | 029e7aef706667b7525eb38bf67ca680.exe | delete value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates | 4C2272FBA7A7380F55E2A424E9E624AEE1C14579 | |
| 6688 | 029e7aef706667b7525eb38bf67ca680.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579 | Blob | (certificate blob, not reproduced) |
| 6740 | dfsvc.exe | write | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | ComponentStore_RandomString | 2W1LA9NB8W9M134EZHXPR0X1 |
| 6740 | dfsvc.exe | delete value | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | ComponentStore_RandomString | 2W1LA9NB8W9M134EZHXPR0X1 |
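Read together with the process table, these registry rows describe one chain: powershell.exe (the sandbox's own launcher, as its echo text says) starts the sample from %TEMP% elevated; the sample writes two certificates (thumbprints 7B0F360B775F76C94A12CA48445AA2D2A875701C and 4C2272FBA7A7380F55E2A424E9E624AEE1C14579) into the per-user TrustedPublisher store; it then starts the ClickOnce host dfsvc.exe, which installs and runs ScreenConnect.WindowsClient.exe and ScreenConnect.ClientService.exe from AppData\Local\Apps\2.0. ClickOnce treats a signing certificate already present in Trusted Publishers as pre-approved, so seeding the store from the bootstrapper removes the trust prompt a user would otherwise see. The script below is an added example, not code from the report: it replays these events and flags that combination. Its event records are constructed from the process and registry tables above, and the ppid links are reconstructed from the "Parent process" column (the report only names the parent); in production they come from Sysmon Event ID 1 or Security event 4688.

```python
import ntpath

# Constants taken from the report. APP_DIR keeps the report's own "scre..tion"
# truncation rather than guessing the full directory name.
APP_DIR = (r"C:\Users\admin\AppData\Local\Apps\2.0\HW1AT03M.OKX\ZG7HKM6K.RLK"
           r"\scre..tion_25b0fbb6ef7eb094_0018.0001_b6d018850e89ed06")
ZONEMAP = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
TP_STORE = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates"

# Process rows from the report's process table. "ppid" is reconstructed from the
# "Parent process" column (None where the parent is an unlisted system process);
# the report only names the parent, so these links are an assumption.
PROCESSES = [
    {"pid": 6300, "ppid": None, "integrity": "MEDIUM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 6308, "ppid": 6300, "integrity": "MEDIUM", "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 6688, "ppid": 6300, "integrity": "HIGH",
     "image": r"C:\Users\admin\AppData\Local\Temp\029e7aef706667b7525eb38bf67ca680.exe"},
    {"pid": 6740, "ppid": 6688, "integrity": "HIGH",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"pid": 2392, "ppid": 6740, "integrity": "HIGH", "image": APP_DIR + r"\ScreenConnect.WindowsClient.exe"},
    {"pid": 1752, "ppid": 2392, "integrity": "HIGH", "image": APP_DIR + r"\ScreenConnect.ClientService.exe"},
    {"pid": 1428, "ppid": None, "integrity": "SYSTEM", "image": APP_DIR + r"\ScreenConnect.ClientService.exe"},
    {"pid": 400, "ppid": 1428, "integrity": "MEDIUM", "image": APP_DIR + r"\ScreenConnect.WindowsClient.exe"},
    {"pid": 7068, "ppid": None, "integrity": "MEDIUM",
     "image": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe"},
]

# Registry rows from the report's registry table (values omitted; key, name and operation matter here).
REGISTRY = [
    {"pid": 6300, "op": "write", "key": ZONEMAP, "name": "ProxyBypass"},
    {"pid": 6300, "op": "write", "key": ZONEMAP, "name": "UNCAsIntranet"},
    {"pid": 6688, "op": "delete value", "key": TP_STORE, "name": "7B0F360B775F76C94A12CA48445AA2D2A875701C"},
    {"pid": 6688, "op": "write", "key": TP_STORE + r"\7B0F360B775F76C94A12CA48445AA2D2A875701C", "name": "Blob"},
    {"pid": 6688, "op": "delete value", "key": TP_STORE, "name": "4C2272FBA7A7380F55E2A424E9E624AEE1C14579"},
    {"pid": 6688, "op": "write", "key": TP_STORE + r"\4C2272FBA7A7380F55E2A424E9E624AEE1C14579", "name": "Blob"},
    {"pid": 6740, "op": "write", "name": "ComponentStore_RandomString",
     "key": r"HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0"},
]

# Match patterns, lower-cased because paths and keys are compared case-insensitively.
TP_CERTS = "\\systemcertificates\\trustedpublisher\\certificates\\"
CLICKONCE_APPS = "\\appdata\\local\\apps\\2.0\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


def descendants(procs, root_pid):
    """Every process below root_pid, following the ppid links breadth-first."""
    found, frontier = [], [root_pid]
    while frontier:
        cur = frontier.pop(0)
        for p in procs:
            if p["ppid"] == cur:
                found.append(p)
                frontier.append(p["pid"])
    return found


def trusted_publisher_thumbprints(reg, pid):
    """Thumbprints a process wrote (as a Blob value) into the HKCU TrustedPublisher store."""
    return [e["key"].rsplit("\\", 1)[1] for e in reg
            if e["pid"] == pid and e["op"] == "write" and e["name"] == "Blob"
            and TP_CERTS in e["key"].lower()]


def find_clickonce_rmm_chains(procs, reg):
    """Flag: EXE in a user-writable path -> dfsvc.exe -> app under Apps\\2.0,
    enriched with any TrustedPublisher certificates the launcher installed."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for host in procs:
        if ntpath.basename(host["image"]).lower() != "dfsvc.exe":
            continue
        launcher = by_pid.get(host["ppid"])
        if launcher is None or not any(d in launcher["image"].lower() for d in USER_WRITABLE):
            continue
        deployed = sorted({ntpath.basename(p["image"]) for p in descendants(procs, host["pid"])
                           if CLICKONCE_APPS in p["image"].lower()})
        if not deployed:
            continue
        findings.append({
            "launcher_pid": launcher["pid"],
            "launcher_integrity": launcher["integrity"],
            "dfsvc_pid": host["pid"],
            "deployed": deployed,
            "trusted_publisher_thumbprints": trusted_publisher_thumbprints(reg, launcher["pid"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_clickonce_rmm_chains(PROCESSES, REGISTRY):
        print(finding)
```

The launcher's HIGH integrity in this run comes from the sandbox's -Verb runas, not from the sample (the PowerShell command line says so), so elevation must not be a required condition: a dfsvc.exe whose parent lives under a user-writable path, combined with the TrustedPublisher write, is the signal. The ZoneMap rows are kept in the constructed input only so the rule is seen to ignore unrelated writes by another process.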
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | — | — |
| 6300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u443okcd.u12.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114d23.TMP | binary | D040F64E9E7A2BB91ABCA5613424598E | D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 |
| 6300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U1H9ASAT69D2K4ZKMKXP.temp | binary | 57F991DB5299C09EEBC7033C786C4EC5 | 947A6EDA467522BA5CABD1542F676501460CD97E8FB50673296AC46B1E419148 |
| 6740 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | C2B9FEF52194828614EC9B9AE0926E83 | F1D0443DC90237BED2136B3A8369B161C2AA300BEE2570C84AEAEB1625F4EADB |
| 6300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fc2ucb25.jax.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6740 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\YD0M6JMC.CJT\408PZW95.CGL\ScreenConnect.WindowsClient.exe.manifest | xml | F07208902A10A9CDDF338F6256FE6B11 | ADD65D10A544D74CE772D5130EA11C1827B8521EA7B06B1FAE7251BD852C46E4 |
| 6740 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | der | 292B36CE2576C6786A1DF3846F1F39BC | 5EE0C6E8B09CFAFA8D625888BFCE4FF562A7E4ED46D648367BE1EC52D9B7C12A |
| 6740 | dfsvc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792 | dbf | D2DED43CE07BFCE4D1C101DFCAA178C8 | 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050 |
| 6300 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 46F1C18DEDF3466B48A1935EF92F5C82 | F38ED9A9AFB746B119F6B583A82C6291F6820A9647B7D5B5076EB77A4807C38E |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
| 5140 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
| 5896 | RUXIMICS.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
| 5896 | RUXIMICS.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
| 6740 | dfsvc.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D | unknown | — | — | unknown |
| 6740 | dfsvc.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | unknown |
| 6740 | dfsvc.exe | GET | 200 | 145.40.105.98:443 | https://boston.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config | unknown | — | — | — |
| 6740 | dfsvc.exe | GET | 200 | 145.40.105.98:443 | https://boston.screenconnect.com/Bin/ScreenConnect.ClientService.exe | unknown | executable | 93.2 Kb | — |
| 6740 | dfsvc.exe | GET | 200 | 145.40.105.98:443 | https://boston.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe | unknown | — | — | — |
| 6740 | dfsvc.exe | GET | 200 | 145.40.105.98:443 | https://boston.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config | unknown | — | — | — |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 5608 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5896 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 5140 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
| 5896 | RUXIMICS.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
| 5140 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| 5896 | RUXIMICS.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
| 5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 5608 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 5456 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| boston.screenconnect.com | — | unknown |
| ocsp.digicert.com | — | whitelisted |
| instance-td2ipg-relay.screenconnect.com | — | unknown |
| self.events.data.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2184 | svchost.exe | Misc activity | ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |
| 2184 | svchost.exe | Misc activity | ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |
| Process | Message | Occurrences |
|---|---|---|
| dfsvc.exe | Status originated: -1073741811 (0xC000000D, STATUS_INVALID_PARAMETER); Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230 | 4 |
| dfsvc.exe | Status originated: -1073741772 (0xC0000034, STATUS_OBJECT_NAME_NOT_FOUND); Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127 | 2 |
| dfsvc.exe | Status originated: -1073741811 (0xC000000D, STATUS_INVALID_PARAMETER); Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230 | 4 |

The ten debug messages were emitted consecutively in the order shown; identical neighbours are grouped with their count. The decimal status values are signed 32-bit NTSTATUS codes, given here with their hexadecimal form and name.