URL:

http://dss.r302.cc/

Full analysis: https://app.any.run/tasks/164fc61f-989c-41dc-9281-091ecc061a51
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 02, 2021, 18:43:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

F8CCD6245799E1F6A180F27372D85CFB

SHA1:

A326B8B5EE5FB2EFB0384A6A6BF5BFFD366D3DA5

SHA256:

C6591C1D0B1C0878AEFA35B042F2307E74F2C3DC59268BC0998F8FE6AFEB1CF0

SSDEEP:

3:N1KaWRVXLs:CaOLs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 2516)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdate.exe (PID: 832)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • SWSTAudioController.exe (PID: 3336)
      • devtool.exe (PID: 3876)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • SWExtendScreen.exe (PID: 5352)
      • ScreenSharePro.exe (PID: 6124)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 6044)
      • ScreenSharePro.exe (PID: 4124)

    • Drops executable file immediately after starts

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Loads dropped or rewritten executable

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • SWSTRemoteControlService.exe (PID: 3316)
      • SWExtendScreen.exe (PID: 5352)
      • ScreenSharePro.exe (PID: 6124)
      • ScreenSharePro.exe (PID: 6044)
      • ScreenSharePro.exe (PID: 4124)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4312)

    • Adds new firewall rule via NETSH.EXE

      • cmd.exe (PID: 148)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1748)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 832)

    • Reads Environment values

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • netsh.exe (PID: 2596)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 496)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 4996)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 4448)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 3976)
      • netsh.exe (PID: 4536)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 3060)
      • netsh.exe (PID: 4576)
      • ScreenSharePro.exe (PID: 6124)

    • Reads the computer name

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • SWSTAudioController.exe (PID: 3336)
      • devtool.exe (PID: 3876)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 6044)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6124)

    • Starts application with an unusual extension

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Drops a file that was compiled in debug mode

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 3408)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 4312)

    • Starts CMD.EXE for commands execution

      • ns69D7.tmp (PID: 2184)
      • ns6B3F.tmp (PID: 2880)
      • ns6C1B.tmp (PID: 4036)
      • ns6D07.tmp (PID: 3500)
      • ns6DF2.tmp (PID: 3260)
      • nsC257.tmp (PID: 2984)
      • cmd.exe (PID: 148)
      • nsCD16.tmp (PID: 1116)
      • nsCEB1.tmp (PID: 3120)
      • cmd.exe (PID: 4068)
      • nsE77A.tmp (PID: 120)
      • cmd.exe (PID: 4312)

    • Checks supported languages

      • ns69D7.tmp (PID: 2184)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 3408)
      • ns6B3F.tmp (PID: 2880)
      • cmd.exe (PID: 4024)
      • ns6C1B.tmp (PID: 4036)
      • cmd.exe (PID: 3432)
      • ns6DF2.tmp (PID: 3260)
      • cmd.exe (PID: 2344)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • ns6D07.tmp (PID: 3500)
      • EasiUpdateSetup.exe (PID: 2624)
      • cmd.exe (PID: 148)
      • nsC257.tmp (PID: 2984)
      • EasiUpdate.exe (PID: 832)
      • EasiUpdate.exe (PID: 3008)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 3384)
      • nsCD16.tmp (PID: 1116)
      • nsCEB1.tmp (PID: 3120)
      • cmd.exe (PID: 3368)
      • cmd.exe (PID: 4068)
      • SWSTAudioController.exe (PID: 3336)
      • devtool.exe (PID: 3876)
      • cmd.exe (PID: 1480)
      • nsDD96.tmp (PID: 4492)
      • cmd.exe (PID: 4312)
      • nsE77A.tmp (PID: 120)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • cmd.exe (PID: 1024)
      • SWExtendScreen.exe (PID: 5352)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 6124)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4312)

    • Creates a directory in Program Files

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Drops a file with too old compile date

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Creates files in the program directory

      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)

    • Creates a software uninstall entry

      • EasiUpdateSetup.exe (PID: 2624)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Executed as Windows Service

      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)

    • Application launched itself

      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 4312)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 148)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Reads CPU info

      • EasiUpdate.exe (PID: 832)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • ScreenSharePro.exe (PID: 6124)

    • Creates files in the Windows directory

      • EasiUpdate.exe (PID: 832)

    • Executed via COM

      • explorer.exe (PID: 6092)

    • Reads the Windows organization settings

      • ScreenSharePro.exe (PID: 6124)

    • Reads Windows owner or organization settings

      • ScreenSharePro.exe (PID: 6124)

    • Creates files in the user directory

      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6124)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 612)

    • Changes internet zones settings

      • iexplore.exe (PID: 612)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)

    • Checks supported languages

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)
      • taskkill.exe (PID: 3972)
      • taskkill.exe (PID: 3460)
      • taskkill.exe (PID: 188)
      • net.exe (PID: 564)
      • sc.exe (PID: 2708)
      • net1.exe (PID: 3016)
      • net.exe (PID: 276)
      • net1.exe (PID: 2424)
      • sc.exe (PID: 1636)
      • cacls.exe (PID: 4064)
      • cacls.exe (PID: 628)
      • netsh.exe (PID: 2596)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 496)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 4448)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 4996)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 4536)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 4576)
      • netsh.exe (PID: 3976)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 3060)
      • net.exe (PID: 6040)
      • sc.exe (PID: 2200)
      • taskkill.exe (PID: 4080)
      • taskkill.exe (PID: 5492)
      • taskkill.exe (PID: 5440)
      • net1.exe (PID: 4740)
      • net.exe (PID: 5400)
      • net1.exe (PID: 3552)
      • explorer.exe (PID: 4648)
      • explorer.exe (PID: 6092)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)

    • Reads the computer name

      • iexplore.exe (PID: 612)
      • iexplore.exe (PID: 1748)
      • taskkill.exe (PID: 3972)
      • taskkill.exe (PID: 3460)
      • net1.exe (PID: 3016)
      • sc.exe (PID: 2708)
      • taskkill.exe (PID: 188)
      • net1.exe (PID: 2424)
      • sc.exe (PID: 1636)
      • cacls.exe (PID: 4064)
      • cacls.exe (PID: 628)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 2596)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 4576)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 3976)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 4536)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 4996)
      • net1.exe (PID: 4740)
      • sc.exe (PID: 2200)
      • netsh.exe (PID: 3060)
      • netsh.exe (PID: 4448)
      • taskkill.exe (PID: 5492)
      • taskkill.exe (PID: 4080)
      • taskkill.exe (PID: 5440)
      • netsh.exe (PID: 496)
      • net1.exe (PID: 3552)
      • explorer.exe (PID: 4648)
      • explorer.exe (PID: 6092)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1748)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 612)

    • Creates files in the user directory

      • iexplore.exe (PID: 612)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 612)

    • Changes settings of System certificates

      • iexplore.exe (PID: 612)

    • Dropped object may contain Bitcoin addresses

      • EasiUpdate.exe (PID: 832)

    • Manual execution by user

      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
301
Monitored processes
161
Malicious processes
15
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe screenshare_windows_3.1.0.2422(20210126110300).exe no specs screenshare_windows_3.1.0.2422(20210126110300).exe ns69d7.tmp no specs cmd.exe no specs taskkill.exe no specs ns6b3f.tmp no specs cmd.exe no specs taskkill.exe no specs ns6c1b.tmp no specs cmd.exe no specs taskkill.exe no specs ns6d07.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs ns6df2.tmp no specs cmd.exe no specs sc.exe no specs easiupdatesetup.exe nsc257.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs sc.exe no specs easiupdate.exe no specs easiupdate.exe cmd.exe no specs cacls.exe no specs cacls.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs nscd16.tmp no specs cmd.exe no specs nsceb1.tmp no specs cmd.exe no specs cmd.exe no specs swstaudiocontroller.exe no specs devtool.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs nsdd96.tmp no specs nse77a.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs swstclientservice.exe no specs swstclientservice.exe net.exe no specs net1.exe no specs swstclientservice.exe no specs cmd.exe no specs swstremotecontrolservice.exe no specs swextendscreen.exe no specs explorer.exe no specs explorer.exe no specs screensharepro.exe no specs screensharepro.exe screensharepro.exe

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\AppData\Local\Temp\nsh6801.tmp\nsE77A.tmp" C:\Program Files\ScreenShare Pro\ScreenShare Pro\swstclientservice_install.batC:\Users\admin\AppData\Local\Temp\nsh6801.tmp\nsE77A.tmpScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsh6801.tmp\nse77a.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
148C:\Windows\system32\cmd.exe /c C:\ProgramData\Seewo\Easiupdate\easi_update_install.batC:\Windows\system32\cmd.exensC257.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
188taskkill /f /im SWSTClientService.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
276net stop EasiUpdateC:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
496netsh advfirewall firewall add rule name="SWSTAudioController" dir=out action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\SWSTAudioController.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
516netsh advfirewall firewall add rule name="certmgr" dir=out action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\tool\amd64\certmgr.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
564net stop SWSTClientServiceC:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
612"C:\Program Files\Internet Explorer\iexplore.exe" "http://dss.r302.cc/"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
628CACLS "C:\Users\admin\AppData\Roaming"\EasiUpdate /C /P everyone:F /TC:\Windows\system32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
676netsh advfirewall firewall add rule name="devtool" dir=in action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\Main\SupportFiles\Drivers\tool\x86\devtool.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
72 859
Read events
68 035
Write events
4 820
Delete events
4

Modification events

(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30926764
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30926764
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
146
Suspicious files
28
Text files
206
Unknown types
60

Dropped files

PID
Process
Filename
Type
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:
SHA256:
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0D23D3C898C896396B1808A378B9A19_F6C703C201F067691E0EDDA8D9EE1B97der
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dder
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3EB21F054565AC12ED9350FD0AD354F6_C1FFFEE91E89F15C6572BDA561A1685Ader
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0D23D3C898C896396B1808A378B9A19_F6C703C201F067691E0EDDA8D9EE1B97binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\ScreenShare_windows_3.1.0.2422(20210126110300)[1].exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
55
DNS requests
23
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1748
iexplore.exe
GET
54.203.29.115:80
http://dss.r302.cc/static/images/browser-redirect-d70b975a00.png
US
unknown
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
1748
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
1748
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
1748
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQDKqHKUi65qEw%3D%3D
US
der
1.74 Kb
whitelisted
1748
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQDjHaegJYeb%2Bg%3D%3D
US
der
1.74 Kb
whitelisted
832
EasiUpdate.exe
GET
200
54.203.29.115:80
http://iwbota.com/api/v1/update?appKey=7df84e741e7c6ced38b628e9fd9d64c0074ece7e&versionCode=3.1.0.2422&platform=windows_app&deviceMac=12:A9:86:6C:77:DE
US
binary
547 b
unknown
1748
iexplore.exe
GET
200
54.203.29.115:80
http://dss.r302.cc/
US
html
1.34 Kb
unknown
612
iexplore.exe
GET
200
2.16.186.81:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d85cd64283bf8617
unknown
compressed
4.70 Kb
whitelisted
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1748
iexplore.exe
54.203.29.115:80
dss.r302.cc
Amazon.com, Inc.
US
unknown
1748
iexplore.exe
101.226.28.200:80
dn-growing.qbox.me
China Telecom (Group)
CN
unknown
1748
iexplore.exe
47.102.226.149:443
e.seewo.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
1748
iexplore.exe
163.171.128.150:443
friday.cvte.com
US
malicious
612
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1748
iexplore.exe
2.16.186.81:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
612
iexplore.exe
2.16.186.81:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
1748
iexplore.exe
192.124.249.24:80
ocsp.godaddy.com
Sucuri
US
suspicious
612
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1748
iexplore.exe
180.97.64.41:443
imlizhi-store-https.seewo.com
AS Number for CHINANET jiangsu province backbone
CN
malicious

DNS requests

Domain
IP
Reputation
dss.r302.cc
  • 54.203.29.115
unknown
dn-growing.qbox.me
  • 101.226.28.200
  • 101.226.28.198
  • 101.226.28.203
  • 101.226.28.202
  • 101.226.28.205
  • 101.226.28.199
  • 101.226.28.201
  • 101.226.28.204
unknown
hm.baidu.com
  • 103.235.46.191
whitelisted
friday.cvte.com
  • 163.171.128.150
suspicious
api.bing.com
  • 13.107.13.80
whitelisted
e.seewo.com
  • 47.102.226.149
unknown
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 2.16.186.81
  • 2.16.186.56
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.36
  • 192.124.249.41
  • 192.124.249.23
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
832
EasiUpdate.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
832
EasiUpdate.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
832
EasiUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
EasiUpdate.exe
[ERROR 2021-12-02 18:44:52.879 1260 EnvManager.cpp (88) EnvManager::QueryRestoreSoftwareList] QueryRestoreSoftwareList error: catched
SWSTClientService.exe
[ERROR 2021-12-02 18:45:05.707 3732 SWDongleService.cpp (272) wWinMain] create mutex failed: 0
ScreenSharePro.exe
[ERROR 2021-12-02 18:45:53.269 4708 main.cpp (104) main] Client is running, quit now
ScreenSharePro.exe
[ERROR 2021-12-02 18:46:05.894 1808 main.cpp (104) main] Client is running, quit now
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://dss.r302.cc/