Malware analysis /Downloads/SplashtopSOS.exe Malicious activity

Add for printing

download:	/Downloads/SplashtopSOS.exe
Full analysis:	https://app.any.run/tasks/39c82c30-874a-4851-ad97-458ec82e8f00
Verdict:	Malicious activity
Analysis date:	February 24, 2025, 14:43:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive, 4 sections
MD5:	4A8E6091B2D23695EAFCF9B70ABEF28C
SHA1:	3AD8985525B7AA59F4FDD4972CDD804A7B9DA4A9
SHA256:	AB591F9AAEE0C567F4BC664444C9F1E271356957EF914858585FFD104C0EAB8B
SSDEEP:	98304:b+6yxl1VG3pkk52D8Q8J3uQE+P1vPFc6Lz3rlTw/YOQ0NB7lsgP0YtxhvVxAiNHV:kYJioMKCQTRkN0FZu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - SplashtopSOS.exe (PID: 6724)
  - SplashtopSOS.exe (PID: 6516)
  - SRManagerSOS.exe (PID: 6288)
  - Launcher.exe (PID: 6412)
  - SRServerSOS.exe (PID: 5992)
  - SRUtilitySOS.exe (PID: 5472)
  - SRFeatureSOS.exe (PID: 2324)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 640)
SUSPICIOUS
- Application launched itself
  - SplashtopSOS.exe (PID: 6516)
- Reads security settings of Internet Explorer
  - SplashtopSOS.exe (PID: 6724)
  - SplashtopSOS.exe (PID: 6516)
- Starts CMD.EXE for commands execution
  - SplashtopSOS.exe (PID: 6724)
- Process drops legitimate windows executable
  - expand.exe (PID: 6964)
- Executable content was dropped or overwritten
  - expand.exe (PID: 6964)
  - SplashtopSOS.exe (PID: 6724)
- The process executes via Task Scheduler
  - Launcher.exe (PID: 6412)
- Add new program in existing scheduled task
  - schtasks.exe (PID: 1140)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 3688)
- Checks Windows Trust Settings
  - SRManagerSOS.exe (PID: 6288)
- There is functionality for taking screenshot (YARA)
  - SplashtopSOS.exe (PID: 6724)
INFO
- Reads the computer name
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
  - SRManagerSOS.exe (PID: 6288)
  - SRServerSOS.exe (PID: 5992)
- Process checks computer location settings
  - SplashtopSOS.exe (PID: 6516)
  - SplashtopSOS.exe (PID: 6724)
- Checks supported languages
  - SplashtopSOS.exe (PID: 6724)
  - SplashtopSOS.exe (PID: 6516)
  - expand.exe (PID: 6964)
  - Launcher.exe (PID: 6412)
  - SRManagerSOS.exe (PID: 6288)
  - SRUtilitySOS.exe (PID: 5472)
  - SRServerSOS.exe (PID: 5992)
- The sample compiled with english language support
  - SplashtopSOS.exe (PID: 6516)
  - expand.exe (PID: 6964)
  - SplashtopSOS.exe (PID: 6724)
- Create files in a temporary directory
  - SplashtopSOS.exe (PID: 6724)
  - expand.exe (PID: 6964)
  - SRManagerSOS.exe (PID: 6288)
- Reads the machine GUID from the registry
  - expand.exe (PID: 6964)
  - SRManagerSOS.exe (PID: 6288)
- Reads the software policy settings
  - SRManagerSOS.exe (PID: 6288)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:10:04 03:01:17+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	200704
InitializedDataSize:	277504
UninitializedDataSize:	-
EntryPoint:	0x13c25
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	3.34.9.4662
ProductVersionNumber:	3.3.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Splashtop Inc.
FileDescription:	Splashtop® SOS
FileVersion:	3.34.9.4662
LegalCopyright:	Copyright © Splashtop Inc. All Rights Reserved.
ProductName:	Splashtop® SOS
ProductVersion:	3.3.4.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

640

"C:\WINDOWS\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\System32\cmd.exe

—

SplashtopSOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1140

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1228

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Launcher.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1512

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2324

"C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

—

SRManagerSOS.exe

User:

SYSTEM

Company:

Splashtop Inc.

Integrity Level:

SYSTEM

Description:

Splashtop® Streamer Feature

Version:

3.34.9.4662

Modules

Images
c:\users\admin\appdata\local\temp\unpacksos\1\srfeaturesos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3688

schtasks /delete /f /tn ASOS1

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

4444

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SRUtilitySOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4976

"C:\WINDOWS\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\System32\cmd.exe

—

SplashtopSOS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

5472

SRUtilitySOS.exe -r

C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

—

SRFeatureSOS.exe

User:

admin

Company:

Splashtop Inc.

Integrity Level:

MEDIUM

Description:

Splashtop® Streamer Utility

Exit code:

Version:

3.34.9.4662

Modules

Images
c:\users\admin\appdata\local\temp\unpacksos\1\srutilitysos.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

5556

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

5 425

Read events

5 401

Write events

Delete events

Modification events


(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ImagePath
Value: C:\Users\admin\Downloads\SplashtopSOS.exe
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	DesktopPath
Value: C:\Users\admin\Desktop\SOS.exe
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	NoteSession
Value:
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	IdleSessionTimeout
Value:
(PID) Process:	(6724) SplashtopSOS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	IsSystemUser
Value: 1
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	delete value	Name:	LaunchSid_DC
Value:
(PID) Process:	(5992) SRServerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS
Operation:	write	Name:	AutoMute
Value: 2
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ServerUUID_Method
Value: 0
(PID) Process:	(6288) SRManagerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS_1
Operation:	write	Name:	ServerUUID
Value: 10012241704782390541706068286396
(PID) Process:	(5992) SRServerSOS.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Splashtop Inc.\Splashtop Remote Server SOS
Operation:	write	Name:	CloudProxyEnable
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6724	SplashtopSOS.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\streamer1.cab		—
		MD5:—	SHA256:—
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll		executable
		MD5:8BBA1737DC72388009059A1FFF1E1972	SHA256:4B446A58944E0BB1BDC5561ECBB5AB110F4D770F9091A45CAD93394ADB5DB2E7
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe		executable
		MD5:6F256FC395102A655F5A6171E69C4672	SHA256:6ECA0477C312ED4B863FE39295862065ECEC2620D07468D8D83D43B2F8BDBF6A
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\Launcher.exe		executable
		MD5:C634F80818DE810BEF3C024B73FF758A	SHA256:CE48AA9C9295E58462BBCEF4BE39DDB6859E59353F6A2483A216E6614C1E18E6
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat		text
		MD5:FA3C191799254E542687F1F5D0974BC5	SHA256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll		executable
		MD5:DBD2912F2E21847D7303E91CC23F099E	SHA256:8AFD41F2FB41025EF19AF5A4CC00C986ED19C6EC5DB33D3E6FD0E898594725C5
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRClient.pem		text
		MD5:D3EFF9D97C0E91A49577CC0BA2EDC52A	SHA256:BFBC68E1A615C677E197DBEA38BCACCA99C35B32A0311767AEB2728F0040AD2E
6724	SplashtopSOS.exe	C:\Users\admin\AppData\Local\Temp\unpack1.log		text
		MD5:6705739697D2CF344857093292443CEA	SHA256:114FA0124FFC9625307D3A1FC8D364C3EE934C9AEF886295A8A45D03094FE39C
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\SRServer.pem		text
		MD5:D3EFF9D97C0E91A49577CC0BA2EDC52A	SHA256:BFBC68E1A615C677E197DBEA38BCACCA99C35B32A0311767AEB2728F0040AD2E
6964	expand.exe	C:\Users\admin\AppData\Local\Temp\unpacksos\1\p_mount.bat		text
		MD5:88E59700F53DE95D2847B9687764BE30	SHA256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.53.41.83:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2040	svchost.exe	GET	200	23.53.41.83:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	403	108.138.7.104:80	http://st2-v3-dc.splashtop.com/api/fulong	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	200	184.30.131.114:80	http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	403	108.138.7.104:80	http://st2-v3-dc.splashtop.com/api/fulong	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	403	108.138.7.104:80	http://st2-v3-dc.splashtop.com/api/fulong	unknown	—	—	whitelisted
6288	SRManagerSOS.exe	GET	403	108.138.7.104:80	http://st2-v3-dc.splashtop.com/api/fulong	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.53.41.83:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2040	svchost.exe	23.53.41.83:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2040	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2356	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	104.126.37.137:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2040	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.53.41.83 23.53.41.96 23.53.40.178 23.53.40.200 23.53.40.170	whitelisted
www.microsoft.com	184.30.21.171 104.119.109.218	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	104.126.37.137 104.126.37.123 104.126.37.139 104.126.37.185 104.126.37.184 104.126.37.144 104.126.37.145 104.126.37.128 104.126.37.131	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
login.live.com	20.190.160.4 20.190.160.14 40.126.32.140 20.190.160.64 40.126.32.72 20.190.160.132 40.126.32.68 40.126.32.76	whitelisted
s2.symcb.com	184.30.131.114	whitelisted
s1.symcb.com	184.30.131.114	whitelisted
sv.symcd.com	184.30.131.114	whitelisted
go.microsoft.com	23.213.166.81	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
6288	SRManagerSOS.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
6288	SRManagerSOS.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2192	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

Add for printing

Process	Message
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Name:C:\Users\admin\Downloads\SplashtopSOS.exe (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Sign Size:6096 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::FindHeader] Header offset:479232 (Last=183)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] FreeSpace:228969738240 FileSize:7226558 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] (1/1)UnPack file name:C:\Users\admin\AppData\Local\Temp\unpacksos\1\streamer1.cab (7226558) (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] UnPack count:1 len:7226558 File:(null) (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPack::UnPackFiles] UnPack total 1 files. (Last=183)
SplashtopSOS.exe	[6724]2025-02-24 14:43:54 [CUnPackFileApp::ExecuteCommand] succ wait pid:1372 (Last=0)
SplashtopSOS.exe	[6724]2025-02-24 14:43:56 [CUnPackFileApp::ExecuteCommand] pid:1372 finish ecode:0 (Last=0)

General Info

/Downloads/SplashtopSOS.exe

4A8E6091B2D23695EAFCF9B70ABEF28C

3AD8985525B7AA59F4FDD4972CDD804A7B9DA4A9

AB591F9AAEE0C567F4BC664444C9F1E271356957EF914858585FFD104C0EAB8B

98304:b+6yxl1VG3pkk52D8Q8J3uQE+P1vPFc6Lz3rlTw/YOQ0NB7lsgP0YtxhvVxAiNHV:kYJioMKCQTRkN0FZu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Uses Task Scheduler to run other applications

SUSPICIOUS

Application launched itself

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process executes via Task Scheduler

Add new program in existing scheduled task

Deletes scheduled task without confirmation

Checks Windows Trust Settings

There is functionality for taking screenshot (YARA)

INFO

Reads the computer name

Process checks computer location settings

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings