URL:

https://dash.atomaserv.xyz/Bin/ScreenConnect.ClientSetup.msi

Full analysis: https://app.any.run/tasks/3ca26845-44e3-48cd-bbca-cfb41fa04fad
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2026, 09:55:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
screenconnect
tool
rmm-tool
remote
loader
Indicators:
MD5:

F62891DFD630AF17849AA6E37C0F64B2

SHA1:

E91F2A6BF6704FC0B2768582CAF4E12C4804AE92

SHA256:

A8AD8771274981067AE89855C0EED8404E18C6345E4C93845C12436440B05762

SSDEEP:

3:N8cKD5tcWwK/tAl20QJM:2cG+KCL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
0
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

No data
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
28
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1360
svchost.exe
GET
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
US
whitelisted
7904
RUXIMICS.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=188&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop
US
whitelisted
5336
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3593&FlightIds=&UpdateOfferedDays=344&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&sku=48&ActivationChannel=Retail&AttrDataVer=188&IsMDMEnrolled=0&ProcessorCores=4&ProcessorModel=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&TotalPhysicalRAM=4096&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260246&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
7760
svchost.exe
HEAD
200
104.102.63.189:443
https://fs.microsoft.com/fs/windows/config.json
US
whitelisted
7028
msedge.exe
GET
200
23.171.177.145:443
https://dash.atomaserv.xyz/Bin/ScreenConnect.ClientSetup.msi
unknown
executable
12.7 Mb
unknown
1360
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1360
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5336
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
7904
RUXIMICS.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5336
MoUsoCoreWorker.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7904
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5336
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1360
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
224.0.0.251:5353
whitelisted
7028
msedge.exe
23.171.177.145:443
dash.atomaserv.xyz
ETHNC-ASN
US
unknown
1360
svchost.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7904
RUXIMICS.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5336
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
1360
svchost.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
7904
RUXIMICS.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.251.20.138
  • 142.251.20.113
  • 142.251.20.139
  • 142.251.20.101
  • 142.251.20.100
  • 142.251.20.102
whitelisted
dash.atomaserv.xyz
  • 23.171.177.145
unknown
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
fs.microsoft.com
  • 104.102.63.189
whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com
  • 2.16.168.108
  • 2.16.168.112
  • 92.223.97.79
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
www.bing.com
  • 23.3.89.98
  • 95.100.158.114
  • 23.3.89.96
  • 95.100.158.106
  • 95.100.158.123
  • 23.3.89.106
  • 23.3.89.89
  • 95.100.158.122
  • 23.3.89.105
whitelisted

Threats

PID
Process
Class
Message
1360
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://dash.atomaserv.xyz/Bin/ScreenConnect.ClientSetup.msi