File name:	ScreenConnect.ClientSetup.msi
Full analysis:	https://app.any.run/tasks/bc09021f-20ae-485d-9efb-297fe1dc80d6
Verdict:	Malicious activity
Analysis date:	March 26, 2026, 13:23:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc connectwise rmm-tool screenconnect remote
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {1C54124B-3EB4-F294-12A8-0DE0A5AA1F16}, Create Time/Date: Wed Mar 11 16:28:48 2026, Last Saved Time/Date: Wed Mar 11 16:28:48 2026, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
MD5:	EC55BBDF462C5D95A28304DDB98E6205
SHA1:	92B3A96B8B82F8F12CA09B368778FCDE89806B0F
SHA256:	DFA98A10C4E8D7F15B64C84D4F3EECF11198BE6B1C9A6972F39FB1F4101B81AF
SSDEEP:	3:uKfKYBaluBYyP:Ff/

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Default
Author:	ScreenConnect Software
Keywords:	Default
Comments:	Default
Template:	Intel;1033
RevisionNumber:	{1C54124B-3EB4-F294-12A8-0DE0A5AA1F16}
CreateDate:	2026:03:11 16:28:48
ModifyDate:	2026:03:11 16:28:48
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.11.0.1701)
Security:	Read-only recommended


(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6084) rundll32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
6816	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:4073ECDFC35AB708B9E7A21512EAB6A9	SHA256:42BADF727C04C14124A54E5884E434305CD879864FF6038DD022D79E8551BC38
6816	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:BB4F9F8625E93C73A2818ED44B172029	SHA256:2FEB3DE86F9EC1412F3E894DA4C31BE456434F88BA6AD8E6EF0E3B889E179FFD
6816	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_59E89BCE9615F2B61F2F2C691688F111		binary
		MD5:CF89C60BE483490284C325E0846D48F7	SHA256:AAF640EF4FCF5B17DCF35AE00AA27180CE4FE4F428C0EEFB4E8DE309C895FEF6
6816	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp		executable
		MD5:3DA27D0C256A14BB017F21F3A486D136	SHA256:AC1B1AFB6C8E73E6A476DE1C2EF07E8D31888468BA705B9AC548A0E860017363
6816	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_59E89BCE9615F2B61F2F2C691688F111		binary
		MD5:EE45620DFFE4892C11EEB8BF852A471A	SHA256:615E58A78A99F51B88521AB9992AEFDFB886A6FA4DDDDE108004A2BFCFB13563
3200	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll		executable
		MD5:A921A2B83B98F02D003D9139FA6BA3D8	SHA256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
3200	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp-\Microsoft.Deployment.WindowsInstaller.dll		executable
		MD5:5EF88919012E4A3D8A1E2955DC8C8D81	SHA256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
3200	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp-\ScreenConnect.InstallerActions.dll		executable
		MD5:0C94BBD2593BB06F7E96A3F19DE39EF0	SHA256:54ED2A3200E96D8CF603E594F148F2832340FA23A6CE0140A16B666966CD5D3B
3200	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp-\ScreenConnect.Windows.dll		executable
		MD5:0E7A185162AFAAE9E8B9E088D97A0887	SHA256:D61EA81371332C01BE9969D359DF8412B7E1B0F5803C08DFC480C0421DCE8A44
3200	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI21E.tmp-\ScreenConnect.WindowsInstaller.dll		executable
		MD5:32BC6332F1C75908D862CDD7DF4E981D	SHA256:0DFB99E851541CEF064ABC98270922CA8F9380635B58F43219557E828634F3BE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6084	rundll32.exe	POST	—	35.172.252.168:443	https://check.screenconnect.com/InstallerOriginInfo.axd	US	—	—	unknown
5276	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
6816	msiexec.exe	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	NL	binary	727 b	whitelisted
7788	svchost.exe	POST	403	23.52.181.141:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	US	html	384 b	whitelisted
7788	svchost.exe	POST	403	23.52.181.141:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	US	html	384 b	whitelisted
6816	msiexec.exe	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAHd28bpFj1AfZgKPq95hSg%3D	NL	binary	727 b	whitelisted
5316	svchost.exe	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D	NL	binary	471 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
5316	svchost.exe	POST	400	20.190.159.129:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
5316	svchost.exe	POST	200	20.190.159.129:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7784	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6816	msiexec.exe	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
6084	rundll32.exe	35.172.252.168:443	check.screenconnect.com	AMAZON-AES	US	whitelisted
3428	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5316	svchost.exe	20.190.159.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5316	svchost.exe	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
google.com	142.251.141.142	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
check.screenconnect.com	35.172.252.168 107.21.141.65 18.214.243.167	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.159.129 40.126.31.131 20.190.159.4 40.126.31.130 40.126.31.128 40.126.31.69 40.126.31.2 40.126.31.0	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.166 23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	95.100.102.101	whitelisted
go.microsoft.com	23.52.181.141	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Misc activity	ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
7784	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232	svchost.exe	Misc activity	ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
6228	ScreenConnect.ClientService.exe	Potential Corporate Privacy Violation	REMOTE [ANY.RUN] ScreenConnect Server Response

General Info

ScreenConnect.ClientSetup.msi

EC55BBDF462C5D95A28304DDB98E6205

92B3A96B8B82F8F12CA09B368778FCDE89806B0F

DFA98A10C4E8D7F15B64C84D4F3EECF11198BE6B1C9A6972F39FB1F4101B81AF

3:uKfKYBaluBYyP:Ff/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SCREENCONNECT has been detected

SCREENCONNECT has been detected (SURICATA)

SUSPICIOUS

Executes as Windows Service

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to run a file without a DLL extension

Creates or modifies Windows services

Screenconnect has been detected

SCREENCONNECT mutex has been found

Potential Corporate Privacy Violation

INFO

Reads security settings of Internet Explorer

Checks supported languages

Creates files or folders in the user directory

Executable content was dropped or overwritten

Create files in a temporary directory

Disables trace logs

CONNECTWISE has been detected

Manages system restore points

Reads the computer name

Reads the machine GUID from the registry

SCREENCONNECT has been detected

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings