Malware analysis /Downloads/SplashtopSOS.exe Malicious activity

Add for printing

download:	/Downloads/SplashtopSOS.exe
Full analysis:	https://app.any.run/tasks/39c82c30-874a-4851-ad97-458ec82e8f00
Verdict:	Malicious activity
Analysis date:	February 24, 2025, 14:43:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive, 4 sections
MD5:	4A8E6091B2D23695EAFCF9B70ABEF28C
SHA1:	3AD8985525B7AA59F4FDD4972CDD804A7B9DA4A9
SHA256:	AB591F9AAEE0C567F4BC664444C9F1E271356957EF914858585FFD104C0EAB8B
SSDEEP:	98304:b+6yxl1VG3pkk52D8Q8J3uQE+P1vPFc6Lz3rlTw/YOQ0NB7lsgP0YtxhvVxAiNHV:kYJioMKCQTRkN0FZu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
  - Launcher.exe (PID: 6412)
  - SRManagerSOS.exe (PID: 6288)
  - SRFeatureSOS.exe (PID: 2324)
  - SRUtilitySOS.exe (PID: 5472)
  - SRServerSOS.exe (PID: 5992)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 640)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
- Application launched itself
  - SplashtopSOS.exe (PID: 6516)
- Starts CMD.EXE for commands execution
  - SplashtopSOS.exe (PID: 6724)
- Process drops legitimate windows executable
  - expand.exe (PID: 6964)
- Executable content was dropped or overwritten
  - expand.exe (PID: 6964)
  - SplashtopSOS.exe (PID: 6724)
- Add new program in existing scheduled task
  - schtasks.exe (PID: 1140)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 3688)
- The process executes via Task Scheduler
  - Launcher.exe (PID: 6412)
- There is functionality for taking screenshot (YARA)
  - SplashtopSOS.exe (PID: 6724)
- Checks Windows Trust Settings
  - SRManagerSOS.exe (PID: 6288)
INFO
- Reads the computer name
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
  - SRManagerSOS.exe (PID: 6288)
  - SRServerSOS.exe (PID: 5992)
- The sample compiled with english language support
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
  - expand.exe (PID: 6964)
- Process checks computer location settings
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
- Checks supported languages
  - SplashtopSOS.exe (PID: 6516)
  - expand.exe (PID: 6964)
  - SplashtopSOS.exe (PID: 6724)
  - Launcher.exe (PID: 6412)
  - SRManagerSOS.exe (PID: 6288)
  - SRUtilitySOS.exe (PID: 5472)
  - SRServerSOS.exe (PID: 5992)
- Reads the machine GUID from the registry
  - expand.exe (PID: 6964)
  - SRManagerSOS.exe (PID: 6288)
- Create files in a temporary directory
  - SRManagerSOS.exe (PID: 6288)
  - SplashtopSOS.exe (PID: 6724)
  - expand.exe (PID: 6964)
- Reads the software policy settings
  - SRManagerSOS.exe (PID: 6288)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:10:04 03:01:17+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	200704
InitializedDataSize:	277504
UninitializedDataSize:	-
EntryPoint:	0x13c25
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	3.34.9.4662
ProductVersionNumber:	3.3.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Splashtop Inc.
FileDescription:	Splashtop® SOS
FileVersion:	3.34.9.4662
LegalCopyright:	Copyright © Splashtop Inc. All Rights Reserved.
ProductName:	Splashtop® SOS
ProductVersion:	3.3.4.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

640

"C:\WINDOWS\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\System32\cmd.exe

—

SplashtopSOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1140

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1228

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Launcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1512

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2324

"C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

—

SRManagerSOS.exe

User:

SYSTEM

Company:

Splashtop Inc.

Integrity Level:

SYSTEM

Description:

Splashtop® Streamer Feature

Version:

3.34.9.4662

Modules

Images
c:\users\admin\appdata\local\temp\unpacksos\1\srfeaturesos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3688

schtasks /delete /f /tn ASOS1

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

4444

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SRUtilitySOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4976

"C:\WINDOWS\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\System32\cmd.exe

—

SplashtopSOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

5472

SRUtilitySOS.exe -r

C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

—

SRFeatureSOS.exe

User:

admin

Company:

Splashtop Inc.

Integrity Level:

MEDIUM

Description:

Splashtop® Streamer Utility

Exit code:

Version:

3.34.9.4662

Modules

Images
c:\users\admin\appdata\local\temp\unpacksos\1\srutilitysos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

5556

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

5 425

Read events

5 401

Write events

Delete events

Modification events


(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ImagePath
Value: C:\Users\admin\Downloads\SplashtopSOS.exe
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	DesktopPath
Value: C:\Users\admin\Desktop\SOS.exe
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	NoteSession
Value:
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	IdleSessionTimeout
Value:
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	IsSystemUser
Value: 1
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	LaunchSid_DC
Value:
(PID) Process:	(5992) SRServerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS
Operation:	write	Name:	AutoMute
Value: 2
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ServerUUID_Method
Value: 0
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ServerUUID
Value: 10012241704782390541706068286396
(PID) Process:	(5992) SRServerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS
Operation:	write	Name:	CloudProxyEnable
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6724	SplashtopSOS.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\streamer1.cab		—
		MD5:—	SHA256:—
6724	SplashtopSOS.exe	C:\Users\admin\AppData\Local\Temp\unpack1.log		text
		MD5:6705739697D2CF344857093292443CEA	SHA256:114FA0124FFC9625307D3A1FC8D364C3EE934C9AEF886295A8A45D03094FE39C
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll		executable
		MD5:EEDA10135EDE6EDB5C85DF3BD878E557	SHA256:4B890DE3708716D81C1C719B498734339D417E8FFC4955D81483D1EBC0F84697
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm		html
		MD5:A3CD653D41BE36B3DBD81AA1686D6FB4	SHA256:06530A2DDFF1CC2283901E7FF8E22CE5EE2365E170A5B3DCDC37DC6BE0929CC4
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\stprinter.inf		text
		MD5:313535621266212971E303AF0AF4FE21	SHA256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll		executable
		MD5:8BBA1737DC72388009059A1FFF1E1972	SHA256:4B446A58944E0BB1BDC5561ECBB5AB110F4D770F9091A45CAD93394ADB5DB2E7
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat		binary
		MD5:1D56A3F8D7F5DAB184A8CC4FEDDAA173	SHA256:84E1A32B4975E92477CF6A36D8931921DA735EF988E0C09A2B056F2904541B1E
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\stprintmon_x64.dll		executable
		MD5:7DD3CA728E061F9C438209935DF41FD8	SHA256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\stprintmon_x86.dll		executable
		MD5:DDBCBCED9CCBA27D296B680D04178B1D	SHA256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe		executable
		MD5:18D19E4CAE660A5BF6E0901C3C9CAB41	SHA256:63FE4A9F10560A3BD05C6A475561FE120373F5B6C5C400DAD86984478A67178A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.53.41.83:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2040	svchost.exe	GET	200	23.53.41.83:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2040	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	200	184.30.131.114:80	http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	200	184.30.131.114:80	http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHhvSYT5N0gvTTb3x7RJTGs%3D	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	200	184.30.131.114:80	http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.131.114:80	http://s1.symcb.com/pca3-g5.crl	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	200	184.30.131.114:80	http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHhvSYT5N0gvTTb3x7RJTGs%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.53.41.83:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2040	svchost.exe	23.53.41.83:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2040	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2356	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	104.126.37.137:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2040	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.53.41.83 23.53.41.96 23.53.40.178 23.53.40.200 23.53.40.170	whitelisted
www.microsoft.com	184.30.21.171 104.119.109.218	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	104.126.37.137 104.126.37.123 104.126.37.139 104.126.37.185 104.126.37.184 104.126.37.144 104.126.37.145 104.126.37.128 104.126.37.131	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
login.live.com	20.190.160.4 20.190.160.14 40.126.32.140 20.190.160.64 40.126.32.72 20.190.160.132 40.126.32.68 40.126.32.76	whitelisted
s2.symcb.com	184.30.131.114	whitelisted
s1.symcb.com	184.30.131.114	whitelisted
sv.symcd.com	184.30.131.114	whitelisted
go.microsoft.com	23.213.166.81	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
6288	SRManagerSOS.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
6288	SRManagerSOS.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

Add for printing

Process	Message
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Name:C:\Users\admin\Downloads\SplashtopSOS.exe (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Sign Size:6096 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Header offset:479232 (Last=183)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] FreeSpace:228969738240 FileSize:7226558 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] (1/1)UnPack file name:C:\Users\admin\AppData\Local\Temp\unpacksos\1\streamer1.cab (7226558) (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] UnPack count:1 len:7226558 File:(null) (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] UnPack total 1 files. (Last=183)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPackFileApp::ExecuteCommand] succ wait pid:1372 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:56 [CUnPackFileApp::ExecuteCommand] pid:1372 finish ecode:0 (Last=0)

General Info

/Downloads/SplashtopSOS.exe

4A8E6091B2D23695EAFCF9B70ABEF28C

3AD8985525B7AA59F4FDD4972CDD804A7B9DA4A9

AB591F9AAEE0C567F4BC664444C9F1E271356957EF914858585FFD104C0EAB8B

98304:b+6yxl1VG3pkk52D8Q8J3uQE+P1vPFc6Lz3rlTw/YOQ0NB7lsgP0YtxhvVxAiNHV:kYJioMKCQTRkN0FZu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Uses Task Scheduler to run other applications

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Starts CMD.EXE for commands execution

Process drops legitimate windows executable

Executable content was dropped or overwritten

Add new program in existing scheduled task

Deletes scheduled task without confirmation

The process executes via Task Scheduler

There is functionality for taking screenshot (YARA)

Checks Windows Trust Settings

INFO

Reads the computer name

The sample compiled with english language support

Process checks computer location settings

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings