File name:

support.Client.exe

Full analysis: https://app.any.run/tasks/cfe7edd8-9560-4e50-8aa8-4c1a3d24144d
Verdict: Malicious activity
Analysis date: October 19, 2023, 15:35:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

43E15305F57D44C337E312151640478E

SHA1:

9CB16B2898A0C89DF6EC3A277110D2E2006D31A2

SHA256:

83D41C1B4BAA1D4BFBF9D7A5CAEBA6761CB7890D6421BA0E0CAB1CFA90C89E2F

SSDEEP:

1536:lejLH3MVw8licIgWQog5Mzg+MoCdqQsWQcd69jPVfq7NKEI:8jLHcVw8licpWQog5Ms+f+l6xPVfqnI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • dfsvc.exe (PID: 292)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • dfsvc.exe (PID: 292)

    • Reads the Internet Settings

      • dfsvc.exe (PID: 292)

    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 292)

    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 292)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 292)

  • INFO

    • Reads the computer name

      • support.Client.exe (PID: 1764)
      • dfsvc.exe (PID: 292)

    • Checks supported languages

      • support.Client.exe (PID: 1764)
      • dfsvc.exe (PID: 292)

    • Reads the machine GUID from the registry

      • support.Client.exe (PID: 1764)
      • dfsvc.exe (PID: 292)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 292)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 292)

    • Checks proxy server information

      • dfsvc.exe (PID: 292)

    • Reads Environment values

      • dfsvc.exe (PID: 292)

    • Process checks are UAC notifies on

      • dfsvc.exe (PID: 292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 20:55:37+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start support.client.exe no specs dfsvc.exe

Process information

PID
CMD
Path
Indicators
Parent process
292"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
support.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Exit code:
0
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1764"C:\Users\admin\AppData\Local\Temp\support.Client.exe" C:\Users\admin\AppData\Local\Temp\support.Client.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\support.client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
Total events
3 812
Read events
3 774
Write events
36
Delete events
2

Modification events

(PID) Process:(1764) support.Client.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000056010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(292) dfsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(292) dfsvc.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
2
Suspicious files
3
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
292dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1binary
MD5:9B222451447ED60DA67203643936B20D
SHA256:81AB119DD3F1B2E6AF0F79C11B31A78C585FB73453CA598B053700CD442C75CB
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\C7L3ATNA.A2H\T6C4Q94D.ETA\ScreenConnect.WindowsClient.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\C7L3ATNA.A2H\T6C4Q94D.ETA\ScreenConnect.ClientService.exeexecutable
MD5:256081D2D140ED2727C1957317627136
SHA256:72B206D8C2EA0378F096C5E7C13022F67A0A0F670A10C1534B6F7A1BA95E8BE6
292dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1binary
MD5:D91299E84355CD8D5A86795A0118B6E9
SHA256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\DM2PTMK4.0TB\W7WPOMEH.DVK.applicationxml
MD5:515F738985EC6645F0C04221A90885D4
SHA256:3694756CF7FE96F35AC9A819B605A8CAE403AB4F2B63909CB6A7717914D790BB
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\C7L3ATNA.A2H\T6C4Q94D.ETA\ScreenConnect.WindowsBackstageShell.exeexecutable
MD5:DD9D8572AC8B91F6844E9E8A28684577
SHA256:A2409879344F21A45175A17F857B4C027087200F4892810994715A189F2A6280
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\C7L3ATNA.A2H\T6C4Q94D.ETA\ScreenConnect.WindowsBackstageShell.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
292dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\C7L3ATNA.A2H\T6C4Q94D.ETA\ScreenConnect.WindowsClient.exe.manifestxml
MD5:9165412EE08839B9702BD4971864A133
SHA256:6BB1C1AA5663AD33EDA2256037DA8E7439502C206D4C0047270A2FD1F006BB50
292dfsvc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\932a2db58c237abd381d22df4c63a04a_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
292
dfsvc.exe
GET
200
192.229.221.95:80
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
unknown
binary
1.68 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
292
dfsvc.exe
146.19.213.114:443
s4.catreenpr.is
Alexhost Srl
US
unknown
292
dfsvc.exe
192.229.221.95:80
cacerts.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
s4.catreenpr.is
  • 146.19.213.114
unknown
cacerts.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
support.Client.exe