URL:

http://dss.r302.cc/

Full analysis: https://app.any.run/tasks/164fc61f-989c-41dc-9281-091ecc061a51
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 02, 2021, 18:43:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

F8CCD6245799E1F6A180F27372D85CFB

SHA1:

A326B8B5EE5FB2EFB0384A6A6BF5BFFD366D3DA5

SHA256:

C6591C1D0B1C0878AEFA35B042F2307E74F2C3DC59268BC0998F8FE6AFEB1CF0

SSDEEP:

3:N1KaWRVXLs:CaOLs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 2516)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • SWSTAudioController.exe (PID: 3336)
      • devtool.exe (PID: 3876)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTRemoteControlService.exe (PID: 3316)
      • SWExtendScreen.exe (PID: 5352)
      • SWSTClientService.exe (PID: 2616)
      • ScreenSharePro.exe (PID: 6124)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Drops executable file immediately after starts

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4312)

    • Loads dropped or rewritten executable

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWExtendScreen.exe (PID: 5352)
      • SWSTClientService.exe (PID: 2616)
      • ScreenSharePro.exe (PID: 6124)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Adds new firewall rule via NETSH.EXE

      • cmd.exe (PID: 148)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1748)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)
      • EasiUpdateSetup.exe (PID: 2624)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdate.exe (PID: 832)

    • Reads Environment values

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • netsh.exe (PID: 2596)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 496)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 4448)
      • netsh.exe (PID: 4996)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 4576)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 4536)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 3976)
      • netsh.exe (PID: 3060)
      • ScreenSharePro.exe (PID: 6124)

    • Reads the computer name

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • devtool.exe (PID: 3876)
      • SWSTAudioController.exe (PID: 3336)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • ScreenSharePro.exe (PID: 6124)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Starts application with an unusual extension

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Checks supported languages

      • ns69D7.tmp (PID: 2184)
      • cmd.exe (PID: 2892)
      • ns6B3F.tmp (PID: 2880)
      • cmd.exe (PID: 4024)
      • ns6C1B.tmp (PID: 4036)
      • cmd.exe (PID: 3408)
      • ns6D07.tmp (PID: 3500)
      • cmd.exe (PID: 3432)
      • ns6DF2.tmp (PID: 3260)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)
      • nsC257.tmp (PID: 2984)
      • cmd.exe (PID: 148)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 3384)
      • nsCD16.tmp (PID: 1116)
      • nsCEB1.tmp (PID: 3120)
      • cmd.exe (PID: 3368)
      • SWSTAudioController.exe (PID: 3336)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 1480)
      • devtool.exe (PID: 3876)
      • nsDD96.tmp (PID: 4492)
      • nsE77A.tmp (PID: 120)
      • cmd.exe (PID: 4312)
      • SWSTClientService.exe (PID: 2768)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)
      • cmd.exe (PID: 1024)
      • SWExtendScreen.exe (PID: 5352)
      • ScreenSharePro.exe (PID: 6124)
      • SWSTRemoteControlService.exe (PID: 3316)
      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Drops a file that was compiled in debug mode

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 3408)
      • cmd.exe (PID: 4312)

    • Starts CMD.EXE for commands execution

      • ns6B3F.tmp (PID: 2880)
      • ns69D7.tmp (PID: 2184)
      • ns6C1B.tmp (PID: 4036)
      • ns6D07.tmp (PID: 3500)
      • ns6DF2.tmp (PID: 3260)
      • nsC257.tmp (PID: 2984)
      • cmd.exe (PID: 148)
      • nsCD16.tmp (PID: 1116)
      • nsCEB1.tmp (PID: 3120)
      • cmd.exe (PID: 4068)
      • nsE77A.tmp (PID: 120)
      • cmd.exe (PID: 4312)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4312)

    • Creates a directory in Program Files

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Drops a file with too old compile date

      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdateSetup.exe (PID: 2624)

    • Creates files in the program directory

      • EasiUpdateSetup.exe (PID: 2624)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • EasiUpdate.exe (PID: 3008)
      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2768)

    • Creates a software uninstall entry

      • EasiUpdateSetup.exe (PID: 2624)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Executed as Windows Service

      • EasiUpdate.exe (PID: 832)
      • SWSTClientService.exe (PID: 5396)
      • SWSTClientService.exe (PID: 2616)

    • Application launched itself

      • cmd.exe (PID: 148)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 4312)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 148)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)

    • Reads CPU info

      • EasiUpdate.exe (PID: 832)
      • ScreenShare_windows_3.1.0.2422(20210126110300).exe (PID: 880)
      • ScreenSharePro.exe (PID: 6124)

    • Creates files in the Windows directory

      • EasiUpdate.exe (PID: 832)

    • Executed via COM

      • explorer.exe (PID: 6092)

    • Creates files in the user directory

      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6124)

    • Reads the Windows organization settings

      • ScreenSharePro.exe (PID: 6124)

    • Reads Windows owner or organization settings

      • ScreenSharePro.exe (PID: 6124)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 612)
      • iexplore.exe (PID: 1748)
      • taskkill.exe (PID: 3972)
      • taskkill.exe (PID: 3460)
      • taskkill.exe (PID: 188)
      • net1.exe (PID: 3016)
      • sc.exe (PID: 2708)
      • net1.exe (PID: 2424)
      • net.exe (PID: 276)
      • sc.exe (PID: 1636)
      • cacls.exe (PID: 628)
      • netsh.exe (PID: 2596)
      • net.exe (PID: 564)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 3792)
      • cacls.exe (PID: 4064)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 496)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 4996)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 4448)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 4576)
      • netsh.exe (PID: 4536)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 3060)
      • netsh.exe (PID: 3976)
      • net.exe (PID: 6040)
      • net1.exe (PID: 4740)
      • sc.exe (PID: 2200)
      • taskkill.exe (PID: 5492)
      • taskkill.exe (PID: 4080)
      • taskkill.exe (PID: 5440)
      • net.exe (PID: 5400)
      • net1.exe (PID: 3552)
      • explorer.exe (PID: 6092)
      • explorer.exe (PID: 4648)

    • Reads the computer name

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)
      • taskkill.exe (PID: 3972)
      • taskkill.exe (PID: 3460)
      • taskkill.exe (PID: 188)
      • net1.exe (PID: 3016)
      • sc.exe (PID: 2708)
      • sc.exe (PID: 1636)
      • net1.exe (PID: 2424)
      • cacls.exe (PID: 628)
      • cacls.exe (PID: 4064)
      • netsh.exe (PID: 1284)
      • netsh.exe (PID: 2596)
      • netsh.exe (PID: 3468)
      • netsh.exe (PID: 2992)
      • netsh.exe (PID: 1288)
      • netsh.exe (PID: 3228)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3832)
      • netsh.exe (PID: 1636)
      • netsh.exe (PID: 3220)
      • netsh.exe (PID: 2144)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 2132)
      • netsh.exe (PID: 3156)
      • netsh.exe (PID: 2288)
      • netsh.exe (PID: 2676)
      • netsh.exe (PID: 2524)
      • netsh.exe (PID: 2372)
      • netsh.exe (PID: 1368)
      • netsh.exe (PID: 2184)
      • netsh.exe (PID: 1556)
      • netsh.exe (PID: 3408)
      • netsh.exe (PID: 2968)
      • netsh.exe (PID: 3616)
      • netsh.exe (PID: 3704)
      • netsh.exe (PID: 996)
      • netsh.exe (PID: 3456)
      • netsh.exe (PID: 3076)
      • netsh.exe (PID: 2928)
      • netsh.exe (PID: 2872)
      • netsh.exe (PID: 1148)
      • netsh.exe (PID: 3956)
      • netsh.exe (PID: 2216)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 2972)
      • netsh.exe (PID: 4052)
      • netsh.exe (PID: 3792)
      • netsh.exe (PID: 712)
      • netsh.exe (PID: 2640)
      • netsh.exe (PID: 3900)
      • netsh.exe (PID: 4716)
      • netsh.exe (PID: 3248)
      • netsh.exe (PID: 3992)
      • netsh.exe (PID: 2236)
      • netsh.exe (PID: 3180)
      • netsh.exe (PID: 776)
      • netsh.exe (PID: 3176)
      • netsh.exe (PID: 2588)
      • netsh.exe (PID: 676)
      • netsh.exe (PID: 4064)
      • netsh.exe (PID: 3728)
      • netsh.exe (PID: 3696)
      • netsh.exe (PID: 2148)
      • netsh.exe (PID: 3824)
      • netsh.exe (PID: 2920)
      • netsh.exe (PID: 1160)
      • netsh.exe (PID: 2544)
      • netsh.exe (PID: 2840)
      • netsh.exe (PID: 5468)
      • netsh.exe (PID: 3332)
      • netsh.exe (PID: 3500)
      • netsh.exe (PID: 2476)
      • netsh.exe (PID: 3336)
      • netsh.exe (PID: 3300)
      • netsh.exe (PID: 3872)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 4884)
      • netsh.exe (PID: 964)
      • netsh.exe (PID: 5780)
      • netsh.exe (PID: 1424)
      • netsh.exe (PID: 3304)
      • netsh.exe (PID: 5344)
      • netsh.exe (PID: 3736)
      • netsh.exe (PID: 516)
      • netsh.exe (PID: 3440)
      • netsh.exe (PID: 3012)
      • netsh.exe (PID: 3324)
      • netsh.exe (PID: 3528)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 2240)
      • netsh.exe (PID: 5672)
      • netsh.exe (PID: 3976)
      • netsh.exe (PID: 2944)
      • netsh.exe (PID: 4864)
      • netsh.exe (PID: 5652)
      • netsh.exe (PID: 3044)
      • netsh.exe (PID: 5452)
      • netsh.exe (PID: 5580)
      • netsh.exe (PID: 4332)
      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 4668)
      • netsh.exe (PID: 4576)
      • netsh.exe (PID: 4140)
      • netsh.exe (PID: 3060)
      • netsh.exe (PID: 496)
      • net1.exe (PID: 4740)
      • netsh.exe (PID: 4448)
      • sc.exe (PID: 2200)
      • taskkill.exe (PID: 4080)
      • netsh.exe (PID: 4996)
      • netsh.exe (PID: 1088)
      • netsh.exe (PID: 3712)
      • netsh.exe (PID: 4536)
      • taskkill.exe (PID: 5492)
      • taskkill.exe (PID: 5440)
      • net1.exe (PID: 3552)
      • explorer.exe (PID: 6092)
      • explorer.exe (PID: 4648)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 612)
      • iexplore.exe (PID: 1748)

    • Application launched itself

      • iexplore.exe (PID: 612)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1748)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1748)
      • iexplore.exe (PID: 612)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 612)

    • Changes internet zones settings

      • iexplore.exe (PID: 612)

    • Creates files in the user directory

      • iexplore.exe (PID: 612)

    • Changes settings of System certificates

      • iexplore.exe (PID: 612)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 612)

    • Manual execution by user

      • ScreenSharePro.exe (PID: 4124)
      • ScreenSharePro.exe (PID: 6044)

    • Dropped object may contain Bitcoin addresses

      • EasiUpdate.exe (PID: 832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
301
Monitored processes
161
Malicious processes
15
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe screenshare_windows_3.1.0.2422(20210126110300).exe no specs screenshare_windows_3.1.0.2422(20210126110300).exe ns69d7.tmp no specs cmd.exe no specs taskkill.exe no specs ns6b3f.tmp no specs cmd.exe no specs taskkill.exe no specs ns6c1b.tmp no specs cmd.exe no specs taskkill.exe no specs ns6d07.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs ns6df2.tmp no specs cmd.exe no specs sc.exe no specs easiupdatesetup.exe nsc257.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs sc.exe no specs easiupdate.exe no specs easiupdate.exe cmd.exe no specs cacls.exe no specs cacls.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs nscd16.tmp no specs cmd.exe no specs nsceb1.tmp no specs cmd.exe no specs cmd.exe no specs swstaudiocontroller.exe no specs devtool.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs nsdd96.tmp no specs nse77a.tmp no specs cmd.exe no specs net.exe no specs net1.exe no specs sc.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs swstclientservice.exe no specs swstclientservice.exe net.exe no specs net1.exe no specs swstclientservice.exe no specs cmd.exe no specs swstremotecontrolservice.exe no specs swextendscreen.exe no specs explorer.exe no specs explorer.exe no specs screensharepro.exe no specs screensharepro.exe screensharepro.exe

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\AppData\Local\Temp\nsh6801.tmp\nsE77A.tmp" C:\Program Files\ScreenShare Pro\ScreenShare Pro\swstclientservice_install.batC:\Users\admin\AppData\Local\Temp\nsh6801.tmp\nsE77A.tmpScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsh6801.tmp\nse77a.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
148C:\Windows\system32\cmd.exe /c C:\ProgramData\Seewo\Easiupdate\easi_update_install.batC:\Windows\system32\cmd.exensC257.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
188taskkill /f /im SWSTClientService.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
276net stop EasiUpdateC:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
496netsh advfirewall firewall add rule name="SWSTAudioController" dir=out action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\SWSTAudioController.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
516netsh advfirewall firewall add rule name="certmgr" dir=out action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\tool\amd64\certmgr.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
564net stop SWSTClientServiceC:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
612"C:\Program Files\Internet Explorer\iexplore.exe" "http://dss.r302.cc/"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
628CACLS "C:\Users\admin\AppData\Roaming"\EasiUpdate /C /P everyone:F /TC:\Windows\system32\cacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
676netsh advfirewall firewall add rule name="devtool" dir=in action=allow program="C:\Program Files\ScreenShare Pro\ScreenShare Pro_3.1.0.2422\Main\SupportFiles\Drivers\tool\x86\devtool.exe"C:\Windows\system32\netsh.exeScreenShare_windows_3.1.0.2422(20210126110300).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
72 859
Read events
68 035
Write events
4 820
Delete events
4

Modification events

(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30926764
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30926764
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(612) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
146
Suspicious files
28
Text files
206
Unknown types
60

Dropped files

PID
Process
Filename
Type
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dder
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0D23D3C898C896396B1808A378B9A19_F6C703C201F067691E0EDDA8D9EE1B97binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:
SHA256:
612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0D23D3C898C896396B1808A378B9A19_F6C703C201F067691E0EDDA8D9EE1B97der
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3EB21F054565AC12ED9350FD0AD354F6_C1FFFEE91E89F15C6572BDA561A1685Abinary
MD5:
SHA256:
1748iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
55
DNS requests
23
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1748
iexplore.exe
GET
54.203.29.115:80
http://dss.r302.cc/static/images/browser-redirect-d70b975a00.png
US
unknown
1748
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQDKqHKUi65qEw%3D%3D
US
der
1.74 Kb
whitelisted
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
832
EasiUpdate.exe
POST
200
121.37.142.222:80
http://myou.cvte.com/api/v1/analyze
CN
binary
33 b
suspicious
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
832
EasiUpdate.exe
POST
200
121.37.142.222:80
http://myou.cvte.com/api/v1/analyze
CN
binary
33 b
suspicious
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
832
EasiUpdate.exe
GET
200
54.203.29.115:80
http://iwbota.com/api/v1/update?appKey=7df84e741e7c6ced38b628e9fd9d64c0074ece7e&versionCode=3.1.0.2422&platform=windows_app&deviceMac=12:A9:86:6C:77:DE
US
binary
547 b
unknown
612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
1748
iexplore.exe
GET
200
54.203.29.115:80
http://dss.r302.cc/
US
html
1.34 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1748
iexplore.exe
47.102.226.149:443
e.seewo.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
1748
iexplore.exe
180.97.64.41:443
imlizhi-store-https.seewo.com
AS Number for CHINANET jiangsu province backbone
CN
malicious
1748
iexplore.exe
192.124.249.24:80
ocsp.godaddy.com
Sucuri
US
suspicious
1748
iexplore.exe
2.16.186.81:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
612
iexplore.exe
2.16.186.81:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
612
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
612
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
832
EasiUpdate.exe
54.203.29.115:443
dss.r302.cc
Amazon.com, Inc.
US
unknown
1748
iexplore.exe
2.16.186.56:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
832
EasiUpdate.exe
54.203.29.115:80
dss.r302.cc
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
dss.r302.cc
  • 54.203.29.115
unknown
dn-growing.qbox.me
  • 101.226.28.200
  • 101.226.28.198
  • 101.226.28.203
  • 101.226.28.202
  • 101.226.28.205
  • 101.226.28.199
  • 101.226.28.201
  • 101.226.28.204
unknown
hm.baidu.com
  • 103.235.46.191
whitelisted
friday.cvte.com
  • 163.171.128.150
suspicious
api.bing.com
  • 13.107.13.80
whitelisted
e.seewo.com
  • 47.102.226.149
unknown
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 2.16.186.81
  • 2.16.186.56
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.godaddy.com
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.36
  • 192.124.249.41
  • 192.124.249.23
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
832
EasiUpdate.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
832
EasiUpdate.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
832
EasiUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
EasiUpdate.exe
[ERROR 2021-12-02 18:44:52.879 1260 EnvManager.cpp (88) EnvManager::QueryRestoreSoftwareList] QueryRestoreSoftwareList error: catched
SWSTClientService.exe
[ERROR 2021-12-02 18:45:05.707 3732 SWDongleService.cpp (272) wWinMain] create mutex failed: 0
ScreenSharePro.exe
[ERROR 2021-12-02 18:45:53.269 4708 main.cpp (104) main] Client is running, quit now
ScreenSharePro.exe
[ERROR 2021-12-02 18:46:05.894 1808 main.cpp (104) main] Client is running, quit now
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://dss.r302.cc/