| File name: | xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe |
| Full analysis: | https://app.any.run/tasks/aeb55a21-935c-4f06-802f-c0ef44472f8a |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | January 31, 2026, 00:51:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | C0562297D534E4C9F0170E2A7A7E984F |
| SHA1: | EB61A3FE5034756B9A52B4113E04B9AF2B7F8015 |
| SHA256: | AD74DDAF0276F508893B47261127E75D2AB82C9FF7691CF3B433E82A0E95C2B3 |
| SSDEEP: | 98304:iNdddc9LcdTJKOytH9awXB0DXe3S+5OmxlGwP3AW5JTGG0DR/WMDwZbM2WCPA9Tp:zDAt+GkR7CGkRVGkRZGkRsGkR/GkR6 |
MALICIOUS
SCREENCONNECT has been detected
- rundll32.exe (PID: 7272)
- msiexec.exe (PID: 1044)
SUSPICIOUS
Executable content was dropped or overwritten
- rundll32.exe (PID: 7272)
Executes as Windows Service
- VSSVC.exe (PID: 7680)
- ScreenConnect.ClientService.exe (PID: 8272)
Creates or modifies Windows services
- ScreenConnect.ClientService.exe (PID: 8272)
SCREENCONNECT mutex has been found
- ScreenConnect.ClientService.exe (PID: 8272)
Screenconnect has been detected
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.ClientService.exe (PID: 8272)
Detects ScreenConnect RAT (YARA)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
INFO
Checks supported languages
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
- msiexec.exe (PID: 1044)
- msiexec.exe (PID: 4624)
- msiexec.exe (PID: 6664)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
- msiexec.exe (PID: 8460)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 1872)
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
Creates files or folders in the user directory
- msiexec.exe (PID: 1872)
Create files in a temporary directory
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
- rundll32.exe (PID: 7272)
Checks proxy server information
- msiexec.exe (PID: 1872)
- slui.exe (PID: 4948)
Reads the machine GUID from the registry
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
Reads the computer name
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
- msiexec.exe (PID: 1044)
- msiexec.exe (PID: 4624)
- msiexec.exe (PID: 8460)
- msiexec.exe (PID: 6664)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
Process checks computer location settings
- xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe (PID: 8508)
Executable content was dropped or overwritten
- msiexec.exe (PID: 1872)
- msiexec.exe (PID: 1044)
Manages system restore points
- SrTasks.exe (PID: 4540)
CONNECTWISE has been detected
- msiexec.exe (PID: 1872)
- ScreenConnect.ClientService.exe (PID: 8272)
- ScreenConnect.WindowsClient.exe (PID: 7076)
SCREENCONNECT has been detected
- ScreenConnect.ClientService.exe (PID: 8272)
There is functionality for taking screenshot (YARA)
- ScreenConnect.ClientService.exe (PID: 8272)
Disables trace logs
- ScreenConnect.ClientService.exe (PID: 8272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:11:18 20:10:20+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.33 |
| CodeSize: | 45568 |
| InitializedDataSize: | 16825344 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14ad |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
152
Monitored processes
14
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1044 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1872 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.7.7.9426\dff3dea059d5e7b5\ScreenConnect.ClientSetup.msi" | C:\Windows\SysWOW64\msiexec.exe | xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4540 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4624 | C:\Windows\syswow64\MsiExec.exe -Embedding 0CC7E2902429CCE5034DFEC715CBAF7B C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4948 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6440 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6664 | C:\Windows\syswow64\MsiExec.exe -Embedding 2CA5E859F5D6A30AC755F173D0F4B07F E Global\MSI0000 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7076 | "C:\Program Files (x86)\ScreenConnect Client (dff3dea059d5e7b5)\ScreenConnect.WindowsClient.exe" "RunRole" "9999601f-c363-4db7-acdd-abd1fd52831c" "User" | C:\Program Files (x86)\ScreenConnect Client (dff3dea059d5e7b5)\ScreenConnect.WindowsClient.exe | ScreenConnect.ClientService.exe | ||||||||||||
User: admin Company: ScreenConnect Software Integrity Level: MEDIUM Description: ScreenConnect Client Version: 25.7.7.9426 Modules
| |||||||||||||||
| 7272 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI7BD5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1997843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments | C:\Windows\SysWOW64\rundll32.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7680 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 941
Read events
10 755
Write events
175
Delete events
11
Modification events
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000578102BE4B92DC01140400007C210000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000578102BE4B92DC01140400007C210000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000BD4245BE4B92DC01140400007C210000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000BD4245BE4B92DC01140400007C210000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000BD4245BE4B92DC01140400007C210000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 480000000000000024A547BE4B92DC01140400007C210000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 15 | |||
| (PID) Process: | (1044) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 480000000000000007B85ABE4B92DC01140400007C210000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7680) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7680) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | write | Name: | Element |
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000 | |||
Executable files
20
Suspicious files
25
Text files
12
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8508 | xad74ddaf0276f508893b47261127e75d2ab82c9ff7691cf3b433e82a0e95c2b3.exe | C:\Users\admin\AppData\Local\Temp\ScreenConnect\25.7.7.9426\dff3dea059d5e7b5\ScreenConnect.ClientSetup.msi | — | |
MD5:— | SHA256:— | |||
| 1044 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 1044 | msiexec.exe | C:\Windows\Installer\1ea323.msi | — | |
MD5:— | SHA256:— | |||
| 1872 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI7BD5.tmp | executable | |
MD5:C1F94D8037BE9F77EF59BDA0777C99C6 | SHA256:559765353D8427330ABA0D1D5B92B2062733944C16ACE34AD714B0AEC6E69DB0 | |||
| 7272 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI7BD5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | executable | |
MD5:A921A2B83B98F02D003D9139FA6BA3D8 | SHA256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1 | |||
| 1872 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | |
MD5:ED4D5271D5264EF423ED1402D4B1FD06 | SHA256:6B320A15A4427EBABABB06419017A123A4BCC60EF8D00B7FA6181273FA8F166E | |||
| 1872 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_AE4B983DE066DC93BB134616BF886138 | binary | |
MD5:2713888FDD4A3D292B9728ED8D1C0CB1 | SHA256:A916653133B345BA4D3720E71AE96C74E4BE357F7661563B6C4415A339D99672 | |||
| 1872 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_AE4B983DE066DC93BB134616BF886138 | binary | |
MD5:F3B275BB773CB3A95C12F8EB0D25B05C | SHA256:4147434437F7310DD6E6F9F0C2CCEF0B07DA4CD3F7F98FADC3780E1DC2C74735 | |||
| 1872 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | |
MD5:33644FACB58E0B9FB9C70C5D10F794DF | SHA256:66EA60536D84BB7BB788E4024463D742E501A86407BAA2E672F029BBD54F1645 | |||
| 7272 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI7BD5.tmp-\Microsoft.Deployment.WindowsInstaller.dll | executable | |
MD5:5EF88919012E4A3D8A1E2955DC8C8D81 | SHA256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
23
DNS requests
12
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1872 | msiexec.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAq7yhIMeYEKGC9y%2BJwENY8%3D | US | binary | 727 b | whitelisted |
1872 | msiexec.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | US | binary | 727 b | whitelisted |
9080 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
4404 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted |
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 401 b | whitelisted |
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted |
3292 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
9080 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
9080 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1872 | msiexec.exe | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
8272 | ScreenConnect.ClientService.exe | 51.195.240.51:443 | instance-trawyp-relay.screenconnect.com | OVH | FR | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
instance-trawyp-relay.screenconnect.com |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain |