| Field | Value |
|---|---|
| File name: | ScreenConnect.ClientSetup.msi |
| Full analysis: | https://app.any.run/tasks/f81983af-59b1-4ba9-8b50-f600f64292a7 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | March 20, 2026, 00:20:07 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | — |
| Indicators: | — |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BD7FA8A2-B0A9-9606-6BC6-13D78CA8F823}, Create Time/Date: Wed Mar 11 16:28:48 2026, Last Saved Time/Date: Wed Mar 11 16:28:48 2026, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2 |
| MD5: | BDF725FC7CC6943CDE3C34D1B408AD1C |
| SHA1: | 769E746D7308A08DDE4EDDAC584926132DF18B0A |
| SHA256: | 7A245D94B323481C6341ABB580289E93B70EF56E7A9F73B1B96C6394662AD9B4 |
| SSDEEP: | 196608:Y1VEqKVJu8LM1VEqKVU1VEqKVw1VEqKV81VEqKV:Pu8L |
| Field | Value |
|---|---|
| File type: | .msi, Microsoft Installer (100) |
| CodePage: | Windows Latin 1 (Western European) |
| Title: | Installation Database |
| Subject: | Default |
| Author: | ScreenConnect Software |
| Keywords: | Default |
| Comments: | Default |
| Template: | Intel;1033 |
| RevisionNumber: | {BD7FA8A2-B0A9-9606-6BC6-13D78CA8F823} |
| CreateDate: | 2026:03:11 16:28:48 |
| ModifyDate: | 2026:03:11 16:28:48 |
| Pages: | 200 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.11.0.1701) |
| Security: | Read-only recommended |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2436 | "C:\Program Files (x86)\ScreenConnect Client (7e18f1bc4391269b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-gkibn4-relay.screenconnect.com&p=443&s=4f59db43-2dc2-45f4-ac6c-31f9a5d2a316&k=BgIAAACkAABSU0ExAAgAAAEAAQDlTSJg7x0sGmNOfjdsRMj8Ft4ULvVUjGZZX%2bI0SkllhhhZ7jwDmgRyGVh8x6YVp%2bLBZo2Zh%2fRitrFjeuG3qwyRfRE%2bh5TM8uIRclAweMhFmJs69%2bWHteN%2fBjx5FvgyQuPUpaouiZE9E7qj2Y229k58g2iYHKyHWRNoaNsd%2f%2flpzmrvkEjuJ6pshi%2fKsnNVI%2bHMnP6ffW5bora80DW32DgrvuBMk6hBH7tMKDJWZZxTj3dHJ1IFXkzRUzjOcJGHuDd28%2f8bpbETKAOQJNmWC23spo7nfReFoOjpniVXTO3h%2fwo8ctV4qAfsl%2fh8qNkc9Td2vGT3aQ%2f9a0HpnJKh1HTe" | C:\Program Files (x86)\ScreenConnect Client (7e18f1bc4391269b)\ScreenConnect.ClientService.exe | — | services.exe | User: SYSTEM; Integrity Level: SYSTEM; Version: 26.1.18.9566 |
| 2576 | C:\Windows\syswow64\MsiExec.exe -Embedding 076B934CE64546EEF9D6AF2DB6663DD5 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.19041.3636 (WinBuild.160101.0800) |
| 2880 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Windows System Protection background tasks; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 3612 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI1DA7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_925109 17 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.CheckMsiFileName | C:\Windows\SysWOW64\rundll32.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 4332 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 4396 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\ScreenConnect.ClientSetup.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 5400 | "C:\Program Files (x86)\ScreenConnect Client (7e18f1bc4391269b)\ScreenConnect.WindowsClient.exe" "RunRole" "f21c5c45-9a33-47c7-a728-32ff95329c59" "User" | C:\Program Files (x86)\ScreenConnect Client (7e18f1bc4391269b)\ScreenConnect.WindowsClient.exe | — | ScreenConnect.ClientService.exe | User: admin; Company: ScreenConnect Software; Integrity Level: MEDIUM; Description: ScreenConnect Client; Version: 26.1.18.9566 |
| 7248 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7300 | C:\Windows\syswow64\MsiExec.exe -Embedding 126CA9A5FCBED2F624EDA13991CAFC44 C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.19041.3636 (WinBuild.160101.0800) |
| 7340 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_922921 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments | C:\Windows\SysWOW64\rundll32.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | EnableFileTracing | 0 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | EnableAutoFileTracing | 0 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | EnableConsoleTracing | 0 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | FileTracingMask | |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | ConsoleTracingMask | |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | MaxFileSize | 1048576 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32 | FileDirectory | %windir%\tracing |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS | EnableFileTracing | 0 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS | EnableAutoFileTracing | 0 |
| 7920 | rundll32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS | EnableConsoleTracing | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4396 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_59E89BCE9615F2B61F2F2C691688F111 | binary | 750E094BC0D5DC995309AA330CFEC04B | EB48A34FB2DF7CF2F2E822FC3AE12A75C4DB3AE285E2BD64E9A045A92410C183 |
| 7340 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp-\Microsoft.Deployment.WindowsInstaller.dll | binary | 5EF88919012E4A3D8A1E2955DC8C8D81 | 3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D |
| 7340 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp-\ScreenConnect.Windows.dll | binary | 0E7A185162AFAAE9E8B9E088D97A0887 | D61EA81371332C01BE9969D359DF8412B7E1B0F5803C08DFC480C0421DCE8A44 |
| 4396 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | 628790A7A7A5D4851138B2696D6BC529 | 56E6EF916FDB973773BF7D3964546C348A7A27D219E9D0E0CC237BFCEE0C2B5F |
| 4396 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | 9E1461EF180DF26DA7B3D6CFC20016C9 | AAD5220BE350DED69D657B31F929D5D0C383F7AE03AC7681E3BF8822DA2078A5 |
| 7340 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp-\ScreenConnect.InstallerActions.dll | binary | 0C94BBD2593BB06F7E96A3F19DE39EF0 | 54ED2A3200E96D8CF603E594F148F2832340FA23A6CE0140A16B666966CD5D3B |
| 4396 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_59E89BCE9615F2B61F2F2C691688F111 | binary | 425037083F99F1F0193264ED62078FC6 | 99FC53CB63011BCB30F5F45416CD0989377D669CC78AAA9BB300A911CC7EAB3F |
| 4396 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp | binary | 3DA27D0C256A14BB017F21F3A486D136 | AC1B1AFB6C8E73E6A476DE1C2EF07E8D31888468BA705B9AC548A0E860017363 |
| 7340 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | binary | A921A2B83B98F02D003D9139FA6BA3D8 | 548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1 |
| 7340 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI14DB.tmp-\ScreenConnect.WindowsInstaller.dll | binary | 32BC6332F1C75908D862CDD7DF4E981D | 0DFB99E851541CEF064ABC98270922CA8F9380635B58F43219557E828634F3BE |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 6576 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
| — | — | POST | 200 | 107.21.141.65:443 | https://check.screenconnect.com/InstallerOriginInfo.axd | US | — | — | unknown |
| 7920 | rundll32.exe | POST | — | 35.172.252.168:443 | https://check.screenconnect.com/InstallerOriginInfo.axd | US | — | — | unknown |
| 7556 | svchost.exe | POST | 403 | 88.221.169.205:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | — | 384 b | whitelisted |
| — | — | POST | 403 | 23.59.18.102:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | binary | 384 b | whitelisted |
| — | — | POST | 403 | 23.59.18.102:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | binary | 384 b | whitelisted |
| 7556 | svchost.exe | POST | 403 | 88.221.169.205:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | — | 384 b | whitelisted |
| — | — | POST | 403 | 23.59.18.102:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | binary | 384 b | whitelisted |
| — | — | POST | 403 | 23.59.18.102:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | US | binary | 384 b | whitelisted |
| 6576 | SIHClient.exe | GET | 200 | 74.178.240.51:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
| — | — | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| — | — | 2.16.241.201:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
| 4396 | msiexec.exe | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted |
| 3428 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 7920 | rundll32.exe | 35.172.252.168:443 | check.screenconnect.com | AMAZON-AES | US | whitelisted |
| 7556 | svchost.exe | 88.221.169.205:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted |
| 2436 | ScreenConnect.ClientService.exe | 15.204.135.40:443 | instance-gkibn4-relay.screenconnect.com | OVH | FR | unknown |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| activation-v2.sls.microsoft.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| google.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| client.wns.windows.com | — | whitelisted |
| check.screenconnect.com | — | whitelisted |
| go.microsoft.com | — | whitelisted |
| instance-gkibn4-relay.screenconnect.com | — | unknown |
| slscr.update.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2232 | svchost.exe | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |
| 2232 | svchost.exe | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |
| — | — | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |