File name:

ScreenConnect.Client(1).exe

Full analysis: https://app.any.run/tasks/e4c78082-cc02-47b3-81a7-cd438d770125
Verdict: Malicious activity
Analysis date: November 08, 2024, 17:17:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
screenconnect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

46B0F7B6112D714F41B9F72BC96EA89F

SHA1:

6C772F0562ED8F3F8B8B9D274EBAAF3FA8635454

SHA256:

44096C837BDEAD6E147DB22DE41823214031126A988633159BE5F8A38C8C55AE

SSDEEP:

1536:ohNeDLHPUVkKo2cgigKIhTnH2QjCdqQsWQcdUkBbfqNNKYe:vDLHcVkKo2cZgKIhTH2U+lU2bfq1e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 4228)
      • ScreenConnect.ClientService.exe (PID: 3028)

  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • ScreenConnect.Client(1).exe (PID: 5100)

    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6812)

    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 6812)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 6812)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6812)
      • rundll32.exe (PID: 6596)
      • ScreenConnect.ClientService.exe (PID: 3028)

    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 3028)
      • ScreenConnect.ClientService.exe (PID: 4228)

    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 3028)
      • ScreenConnect.ClientService.exe (PID: 4228)

    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.ClientService.exe (PID: 3028)
      • ScreenConnect.WindowsClient.exe (PID: 3832)
      • ScreenConnect.ClientService.exe (PID: 4228)
      • ScreenConnect.WindowsClient.exe (PID: 6320)

    • Executes application which crashes

      • ScreenConnect.Client(1).exe (PID: 5100)

  • INFO

    • Reads the machine GUID from the registry

      • ScreenConnect.Client(1).exe (PID: 5100)
      • dfsvc.exe (PID: 6812)

    • Reads the computer name

      • ScreenConnect.Client(1).exe (PID: 5100)
      • dfsvc.exe (PID: 6812)

    • Checks supported languages

      • dfsvc.exe (PID: 6812)
      • ScreenConnect.Client(1).exe (PID: 5100)

    • Disables trace logs

      • dfsvc.exe (PID: 6812)

    • Reads Environment values

      • dfsvc.exe (PID: 6812)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6812)

    • Checks proxy server information

      • dfsvc.exe (PID: 6812)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 6812)

    • The process uses the downloaded file

      • dfsvc.exe (PID: 6812)

    • Reads the software policy settings

      • dfsvc.exe (PID: 6812)

    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6812)

    • Sends debugging messages

      • dfsvc.exe (PID: 6812)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:28 17:41:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1489
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start screenconnect.client(1).exe dfsvc.exe screenconnect.windowsclient.exe no specs screenconnect.clientservice.exe #SCREENCONNECT screenconnect.clientservice.exe THREAT screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs screenconnect.clientsetup.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe #SCREENCONNECT screenconnect.clientservice.exe THREAT screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
864C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1568"C:\Windows\System32\msiexec.exe" /i "C:\WINDOWS\SystemTemp\ScreenConnect\24.3.7.9067\c820d45997ef23a7\ScreenConnect.ClientSetup.msi"C:\Windows\SysWOW64\msiexec.exeScreenConnect.ClientSetup.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2236"C:\WINDOWS\SystemTemp\ScreenConnect\24.3.7.9067\ScreenConnect.ClientSetup.exe" C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\ScreenConnect.ClientSetup.exeScreenConnect.ClientService.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\systemtemp\screenconnect\24.3.7.9067\screenconnect.clientsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
2928"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe" C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exedfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Exit code:
0
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3028"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=aa716831-0035-4d6e-bc59-3362d4c96ee0&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&r=&i=" "1"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
3832"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe" "RunRole" "0cdf5a79-f7a6-4b0f-b77f-b271693e24b4" "User"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4128"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=aa716831-0035-4d6e-bc59-3362d4c96ee0&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&r=&i=" "1"C:\Users\admin\AppData\Local\Apps\2.0\XQ19C9CX.TJ0\M9LXVWAZ.0BT\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\ScreenConnect.ClientService.exe
ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
24.3.7.9067
Modules
Images
c:\users\admin\appdata\local\apps\2.0\xq19c9cx.tj0\m9lxvwaz.0bt\scre..tion_25b0fbb6ef7eb094_0018.0003_f176f7bb80e259ce\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
4228"C:\Program Files (x86)\ScreenConnect Client (c820d45997ef23a7)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-pug58j-relay.screenconnect.com&p=443&s=81edea00-7526-4242-a404-a2e3a42f35dd&k=BgIAAACkAABSU0ExAAgAAAEAAQB1XlRYhbRf19EGIBKsJskawWERd%2bx5Lbl7J6v1wK7OEQiGuFqOt8djAnC%2f4ptpybBumJY%2b%2bRxkN4%2fZC89VuI3Q3qgp129fqJ30dnBerSZnVxVFWLgJIYVXSHOhjaoFi2IMA%2bp%2bM6YrdCiCDIGRto%2bXBkzE2yo3kBYLgV2mc%2bQJSpiuy1oGKPRmK78vY7Kf6T%2foPglQ5tKny7lYYeS4XAyeyE8yWHRr0pUqm3IhfZNTnyxGBhtqk8bZPWKzF1i2YXXV8SHBJszn%2b3g%2fk2OTarPDHVVgBFqErCO%2fkjCKSU%2fhVolz9y6gt2PguyNwO7imppIGfN2k53%2fbve813iw95p7s&c=transfaire&c=&c=&c=&c=&c=&c=&c="C:\Program Files (x86)\ScreenConnect Client (c820d45997ef23a7)\ScreenConnect.ClientService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Version:
24.3.7.9067
Modules
Images
c:\program files (x86)\screenconnect client (c820d45997ef23a7)\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
5100"C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client(1).exe" C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client(1).exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\screenconnect.client(1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
5508C:\Windows\syswow64\MsiExec.exe -Embedding D2E65AC4AB615475B94ACFD8B6CA4301 E Global\MSI0000C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
15 684
Read events
15 386
Write events
260
Delete events
38

Modification events

(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation:writeName:Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A06082B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process:(5100) ScreenConnect.Client(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation:writeName:Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F0481AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
BT95YO4XCXHWBC3YRE2OW4KX
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete valueName:ComponentStore_RandomString
Value:
BT95YO4XCXHWBC3YRE2OW4KX
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete keyName:(default)
Value:
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
XQ19C9CXTJ0M9LXVWAZ0BTPP
(PID) Process:(6812) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:writeName:StateStore_RandomString
Value:
8CMCGKL4CM9MNE8ZETA4T287
(PID) Process:(6812) dfsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
37
Suspicious files
38
Text files
37
Unknown types
4

Dropped files

PID
Process
Filename
Type
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\YO6QYLCC.QA6\RLYPLMX8.MG1.applicationxml
MD5:BC281F0B97EE2315A80D167E42CA43DB
SHA256:37B36A7BA73E399036803AC649D0B53A96E0D178A08F2B4A7A2879824496EA2F
6812dfsvc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792dbf
MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
SHA256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:4D91EA788B90EF63D3BDCA07C2D7D769
SHA256:B0E3FA054DE6A774CD46A659F0C34935448C340767AF68F69FA38B8E53249E5D
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsClient.exe.manifestxml
MD5:7F68A01C2FEA1C80A75E287BB36D6B43
SHA256:2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:ED6C446CE2E504FEA6E7049020611261
SHA256:EE0EFE11CA2078389696E97FDCC2C17ED04E411DCE8D796A9B2B6790ABE9AED3
6812dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bder
MD5:7E22C029E0E43A47D92BB67565916BB4
SHA256:741DFF29D4FDD0E816FB811E9A837DE01C0D1991E6D527275AEAF3E51E741F43
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsBackstageShell.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsFileManager.exeexecutable
MD5:1AEE526DC110E24D1399AFFCCD452AB3
SHA256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
6812dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\VZNKBR6N.R8T\42XY54M7.WWL\ScreenConnect.WindowsClient.exeexecutable
MD5:1778204A8C3BC2B8E5E4194EDBAF7135
SHA256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
46
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7172
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
2076
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6812
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
7172
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5588
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4360
SearchApp.exe
104.126.37.185:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4360
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6812
dfsvc.exe
145.40.113.102:443
hadermapner.screenconnect.com
PACKET
GB
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.123
  • 104.126.37.162
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.128
  • 104.126.37.178
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
google.com
  • 142.250.185.238
whitelisted
hadermapner.screenconnect.com
  • 145.40.113.102
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.134
whitelisted
th.bing.com
  • 104.126.37.154
  • 104.126.37.145
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.146
  • 104.126.37.169
  • 104.126.37.160
  • 104.126.37.170
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

PID
Process
Class
Message
2172
svchost.exe
Misc activity
ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
2172
svchost.exe
Misc activity
ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
3028
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
4228
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ScreenConnect.Client(1).exe