File name:

ScreenConnect.Client(1).exe

Full analysis: https://app.any.run/tasks/e4c78082-cc02-47b3-81a7-cd438d770125
Verdict: Malicious activity
Analysis date: November 08, 2024, 17:17:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
screenconnect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

46B0F7B6112D714F41B9F72BC96EA89F

SHA1:

6C772F0562ED8F3F8B8B9D274EBAAF3FA8635454

SHA256:

44096C837BDEAD6E147DB22DE41823214031126A988633159BE5F8A38C8C55AE

SSDEEP:

1536:ohNeDLHPUVkKo2cgigKIhTnH2QjCdqQsWQcdUkBbfqNNKYe:vDLHcVkKo2cZgKIhTH2U+lU2bfq1e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 3028)
      • ScreenConnect.ClientService.exe (PID: 4228)

  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • ScreenConnect.Client(1).exe (PID: 5100)

    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6812)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 6812)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6812)
      • ScreenConnect.ClientService.exe (PID: 3028)
      • rundll32.exe (PID: 6596)

    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 6812)

    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 4228)
      • ScreenConnect.ClientService.exe (PID: 3028)

    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 4228)
      • ScreenConnect.ClientService.exe (PID: 3028)

    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 3832)
      • ScreenConnect.ClientService.exe (PID: 4228)
      • ScreenConnect.ClientService.exe (PID: 3028)
      • ScreenConnect.WindowsClient.exe (PID: 6320)

    • Executes application which crashes

      • ScreenConnect.Client(1).exe (PID: 5100)

  • INFO

    • Checks supported languages

      • ScreenConnect.Client(1).exe (PID: 5100)
      • dfsvc.exe (PID: 6812)

    • Reads the machine GUID from the registry

      • ScreenConnect.Client(1).exe (PID: 5100)
      • dfsvc.exe (PID: 6812)

    • Reads the computer name

      • ScreenConnect.Client(1).exe (PID: 5100)
      • dfsvc.exe (PID: 6812)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6812)

    • Disables trace logs

      • dfsvc.exe (PID: 6812)

    • Reads Environment values

      • dfsvc.exe (PID: 6812)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 6812)

    • The process uses the downloaded file

      • dfsvc.exe (PID: 6812)

    • Reads the software policy settings

      • dfsvc.exe (PID: 6812)

    • Checks proxy server information

      • dfsvc.exe (PID: 6812)

    • Sends debugging messages

      • dfsvc.exe (PID: 6812)

    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6812)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:28 17:41:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1489
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start screenconnect.client(1).exe dfsvc.exe screenconnect.windowsclient.exe no specs screenconnect.clientservice.exe #SCREENCONNECT screenconnect.clientservice.exe THREAT screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs screenconnect.clientsetup.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe #SCREENCONNECT screenconnect.clientservice.exe THREAT screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
864C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1568"C:\Windows\System32\msiexec.exe" /i "C:\WINDOWS\SystemTemp\ScreenConnect\24.3.7.9067\c820d45997ef23a7\ScreenConnect.ClientSetup.msi"C:\Windows\SysWOW64\msiexec.exeScreenConnect.ClientSetup.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2236"C:\WINDOWS\SystemTemp\ScreenConnect\24.3.7.9067\ScreenConnect.ClientSetup.exe" C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\ScreenConnect.ClientSetup.exeScreenConnect.ClientService.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\systemtemp\screenconnect\24.3.7.9067\screenconnect.clientsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
2928"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe" C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exedfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Exit code:
0
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3028"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=aa716831-0035-4d6e-bc59-3362d4c96ee0&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&r=&i=" "1"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
3832"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe" "RunRole" "0cdf5a79-f7a6-4b0f-b77f-b271693e24b4" "User"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4128"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=aa716831-0035-4d6e-bc59-3362d4c96ee0&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&r=&i=" "1"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe
ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
4228"C:\Program Files (x86)\ScreenConnect Client (c820d45997ef23a7)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=81edea00-7526-4242-a404-a2e3a42f35dd&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&c=transfaire&c=&c=&c=&c=&c=&c=&c="C:\Program Files (x86)\ScreenConnect Client (c820d45997ef23a7)\ScreenConnect.ClientService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Version:
24.3.7.9067
Modules
Images
c:\program files (x86)\screenconnect client (c820d45997ef23a7)\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
5100"C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client(1).exe" C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client(1).exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\screenconnect.client(1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
5508C:\Windows\syswow64\MsiExec.exe -Embedding D2E65AC4AB615475B94ACFD8B6CA4301 E Global\MSI0000C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
15 684
Read events
15 386
Write events
260
Delete events
38

Modification events

(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation:writeName:Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A06082B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation:writeName:Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F0481AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
BT95YO4XCXHWBC3YRE2OW4KX
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete valueName:ComponentStore_RandomString
Value:
BT95YO4XCXHWBC3YRE2OW4KX
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete keyName:(default)
Value:
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
XQ19C9CXTJ0M9LXVWAZ0BTPP
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:writeName:StateStore_RandomString
Value:
8CMCGKL4CM9MNE8ZETA4T287
(PID) Process:(6812) dfsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
37
Suspicious files
38
Text files
37
Unknown types
4

Dropped files

PID
Process
Filename
Type
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:4D91EA788B90EF63D3BDCA07C2D7D769
SHA256:B0E3FA054DE6A774CD46A659F0C34935448C340767AF68F69FA38B8E53249E5D
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:ED6C446CE2E504FEA6E7049020611261
SHA256:EE0EFE11CA2078389696E97FDCC2C17ED04E411DCE8D796A9B2B6790ABE9AED3
6812dfsvc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792dbf
MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsClient.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\YO6QYLCC.QA6\RLYPLMX8.MG1.applicationxml
MD5:BC281F0B97EE2315A80D167E42CA43DB
SHA256:37B36A7BA73E399036803AC649D0B53A96E0D178A08F2B4A7A2879824496EA2F
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
SHA256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.ClientService.dllexecutable
MD5:5DB908C12D6E768081BCED0E165E36F8
SHA256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsBackstageShell.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsBackstageShell.exeexecutable
MD5:AFA97CAF20F3608799E670E9D6253247
SHA256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.Windows.dllexecutable
MD5:9AD3964BA3AD24C42C567E47F88C82B2
SHA256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
46
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
2076
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
7172
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5588
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7172
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
104.126.37.185:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6812
dfsvc.exe
145.40.113.102:443
hadermapner.screenconnect.com
PACKET
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.123
  • 104.126.37.162
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.128
  • 104.126.37.178
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
google.com
  • 142.250.185.238
whitelisted
hadermapner.screenconnect.com
  • 145.40.113.102
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.134
whitelisted
th.bing.com
  • 104.126.37.154
  • 104.126.37.145
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.146
  • 104.126.37.169
  • 104.126.37.160
  • 104.126.37.170
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Misc activity
ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
2172
svchost.exe
Misc activity
ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
3028
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
4228
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ScreenConnect.Client(1).exe