File name:

ScreenConnect.Client.exe

Full analysis: https://app.any.run/tasks/bea94961-81d0-43a2-b811-52c79e08e28f
Verdict: Malicious activity
Analysis date: August 28, 2024, 19:49:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
screenconnect
remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B850277F4052716F0E663A4F60C20BB5

SHA1:

A0A71B1C1BB997B3733EA0908EAEFDA35BAE5786

SHA256:

9F0C430E8AFD72485F65FC004749579C2F7255D7633955930970B6562E0E9D6D

SSDEEP:

3072:UjLHcVw8licpWQog5Ms+f+l6xPVfq84FC:UfoocptD5QPVfqC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 7100)
    • Deletes the SafeBoot registry key

      • ScreenConnect.ClientService.exe (PID: 7100)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • ScreenConnect.Client.exe (PID: 6920)
      • dfsvc.exe (PID: 6860)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
      • ScreenConnect.ClientService.exe (PID: 4824)
      • ScreenConnect.WindowsClient.exe (PID: 2576)
      • ScreenConnect.ClientService.exe (PID: 7100)
    • Adds/modifies Windows certificates

      • ScreenConnect.Client.exe (PID: 6920)
      • dfsvc.exe (PID: 6860)
    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 6860)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6860)
    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 6860)
    • Reads the date of Windows installation

      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 7100)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 6860)
    • Creates or modifies Windows services

      • ScreenConnect.ClientService.exe (PID: 7100)
    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 7100)
  • INFO

    • Checks supported languages

      • ScreenConnect.Client.exe (PID: 6920)
      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
      • ScreenConnect.ClientService.exe (PID: 4824)
      • ScreenConnect.ClientService.exe (PID: 7100)
      • ScreenConnect.WindowsClient.exe (PID: 2576)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
      • ScreenConnect.ClientService.exe (PID: 7100)
    • Disables trace logs

      • dfsvc.exe (PID: 6860)
    • Reads the machine GUID from the registry

      • ScreenConnect.Client.exe (PID: 6920)
      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
      • ScreenConnect.ClientService.exe (PID: 4824)
      • ScreenConnect.ClientService.exe (PID: 7100)
      • ScreenConnect.WindowsClient.exe (PID: 2576)
    • Reads the computer name

      • ScreenConnect.Client.exe (PID: 6920)
      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
      • ScreenConnect.ClientService.exe (PID: 4824)
      • ScreenConnect.ClientService.exe (PID: 7100)
      • ScreenConnect.WindowsClient.exe (PID: 2576)
    • Reads Environment values

      • dfsvc.exe (PID: 6860)
    • Checks proxy server information

      • dfsvc.exe (PID: 6860)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6860)
    • Reads the software policy settings

      • dfsvc.exe (PID: 6860)
    • Create files in a temporary directory

      • dfsvc.exe (PID: 6860)
    • Process checks computer location settings

      • dfsvc.exe (PID: 6860)
      • ScreenConnect.WindowsClient.exe (PID: 6644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 19:55:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

  • start
  • screenconnect.client.exe (no specs)
  • dfsvc.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • screenconnect.windowsclient.exe (no specs)
  • screenconnect.clientservice.exe #SCREENCONNECT
  • screenconnect.clientservice.exe
  • screenconnect.windowsclient.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2384
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 2576
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.WindowsClient.exe" "RunRole" "552221fb-4a4c-42e2-8018-041074e3b838" "User"
Path: C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.WindowsClient.exe
Parent process: ScreenConnect.ClientService.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Exit code:
0
Version:
24.1.9.8915
Modules
Images
c:\users\admin\appdata\local\apps\2.0\ww58yx3v.n9o\evn0m9yb.6q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4824
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=screlay.honeywellcloud.com&p=443&s=0253ea6e-07b5-47c1-a781-e87b7290b50e&k=BgIAAACkAABSU0ExAAgAAAEAAQAj2ASeRAOdsLfwObXg3jgoM9%2f5OvKC9Uvi7ypgNXQwdTQG6i8th7X0rLWGtj6KXUN7EMfpk7J375sz92p8C6vGv0FvmCeBbtHqy6DKeQfXz2%2fyp3tfJIM4sKSTK0f1sEa8QiYCbh5QE7hHUzyqjWgrFjzYkrceb4cgwzFcRQk%2bhGmYWps579bbP1vH5I321b90RlV92iyX%2fL48avtY81Y9TIwGhsUqJPwt2lGPJ9%2f%2fXURGfZniGu6CQNZ5sMnll7ZH%2fE5IXobUNg2itlulbaQPyCxzFe5BfBAVszgTkqh9UWOZVlrW9ZPQJAXXbi9Ta3cEGFPdUSquTk1UDMNZuzea&r=&i=Untitled%20Session" "1"
Path: C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.ClientService.exe
Parent process: ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
24.1.9.8915
Modules
Images
c:\users\admin\appdata\local\apps\2.0\ww58yx3v.n9o\evn0m9yb.6q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6644
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.WindowsClient.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.WindowsClient.exe
Parent process: dfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
ScreenConnect Client
Exit code:
0
Version:
24.1.9.8915
Modules
Images
c:\users\admin\appdata\local\apps\2.0\ww58yx3v.n9o\evn0m9yb.6q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6860
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: ScreenConnect.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6920
CMD: "C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client.exe"
Path: C:\Users\admin\AppData\Local\Temp\ScreenConnect.Client.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\screenconnect.client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 6964
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7100
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=screlay.honeywellcloud.com&p=443&s=0253ea6e-07b5-47c1-a781-e87b7290b50e&k=BgIAAACkAABSU0ExAAgAAAEAAQAj2ASeRAOdsLfwObXg3jgoM9%2f5OvKC9Uvi7ypgNXQwdTQG6i8th7X0rLWGtj6KXUN7EMfpk7J375sz92p8C6vGv0FvmCeBbtHqy6DKeQfXz2%2fyp3tfJIM4sKSTK0f1sEa8QiYCbh5QE7hHUzyqjWgrFjzYkrceb4cgwzFcRQk%2bhGmYWps579bbP1vH5I321b90RlV92iyX%2fL48avtY81Y9TIwGhsUqJPwt2lGPJ9%2f%2fXURGfZniGu6CQNZ5sMnll7ZH%2fE5IXobUNg2itlulbaQPyCxzFe5BfBAVszgTkqh9UWOZVlrW9ZPQJAXXbi9Ta3cEGFPdUSquTk1UDMNZuzea&r=&i=Untitled%20Session" "1"
Path: C:\Users\admin\AppData\Local\Apps\2.0\WW58YX3V.N9O\EVN0M9YB.6Q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\ScreenConnect.ClientService.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
24.1.9.8915
Modules
Images
c:\users\admin\appdata\local\apps\2.0\ww58yx3v.n9o\evn0m9yb.6q3\scre..tion_25b0fbb6ef7eb094_0018.0001_58836b72d99ae3d0\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
Total events
15 933
Read events
15 692
Write events
208
Delete events
33

Modification events

(PID) Process: (6920) ScreenConnect.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process: (6920) ScreenConnect.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation: write
Name: Blob
Value:
(PID) Process: (6920) ScreenConnect.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process: (6920) ScreenConnect.Client.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation: write
Name: Blob
Value:
(PID) Process: (6860) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: KP6BHQJMP23VR23GJX97PPBT
(PID) Process: (6860) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete value
Name: ComponentStore_RandomString
Value: KP6BHQJMP23VR23GJX97PPBT
(PID) Process: (6860) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete key
Name: (default)
Value:
(PID) Process: (6860) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: WW58YX3VN9OEVN0M9YB6Q317
(PID) Process: (6860) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation: write
Name: StateStore_RandomString
Value: O6E37NR16BE08YKQAZLHWDAW
(PID) Process: (6860) dfsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files
16
Suspicious files
18
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\16ZV1ML2.VRM\3GJEALHX.684.application
Type: xml
MD5: A11A4B37E5254F5BE335209156A0514A
SHA256: 6EEDE6925E5A245EBED80F3B499F0F6EEE2E58B2423033F11365E4CBB5EEE4B8
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsClient.exe:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsFileManager.exe.config
Type: xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsBackstageShell.exe
Type: executable
MD5: C1F206B0C0058DC4CC7B9F3125F61E20
SHA256: 94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsFileManager.exe
Type: executable
MD5: 2C158A30F7274E1931860E434DE808A2
SHA256: B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsBackstageShell.exe.config
Type: xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsClient.exe.config
Type: xml
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.WindowsClient.exe
Type: executable
MD5: AB5FA8D90645878D587F386D0E276C02
SHA256: 316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.Core.dll.genman
Type: xml
MD5: 12963223CB801DD760D52E26BF1C06E3
SHA256: DF4CC32F0279BAB39A5FB939227E1B30C5A237D461DD240168030B108143CA3B
PID: 6860
Process: dfsvc.exe
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\97Z8VMQX.AN7\NW8BDBPV.21W\ScreenConnect.Client.dll
Type: executable
MD5: F311A8217807F6C85817058522E234A2
SHA256: 032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
28
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6860
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6860
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
6416
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3964
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6860
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
3964
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
7080
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6404
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6860
dfsvc.exe
20.72.175.38:443
secureconnect.honeywellcloud.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6860
dfsvc.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6416
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6416
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
7080
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
secureconnect.honeywellcloud.com
  • 20.72.175.38
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.136
whitelisted
screlay.honeywellcloud.com
  • 52.190.37.34
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
7100
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230