URL:

https://jstusa-my.sharepoint.com/:u:/g/personal/twestcoat_jstpower_com/ERgMc2P5UOxFoPcC3nMsAUYBSg1RKDG9WKFzqQfeNuHL9g?e=Do54jH

Full analysis: https://app.any.run/tasks/1a0da027-c19a-4c99-880e-20ea17b852fd
Verdict: Malicious activity
Analysis date: November 03, 2022, 17:27:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

13B99735FFF0752458D0AE001828DA6B

SHA1:

ED2B92B39D6C597739E45AF629521143EDCED7A2

SHA256:

CE919D032154CD421E0CABDEA98E2B12BD2D1B0664B482B97E660B4390EE3B82

SSDEEP:

3:N8pUhjArL5kKVFSR6gfR6u273rA1QxLLi2CScBfx/b29cmtn:2uAfz8JR8k1QNm2t9can

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstallerRaw.exe (PID: 2236)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • Uninstall.exe (PID: 3708)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • Install.exe (PID: 2312)
      • Remove.exe (PID: 3592)
      • Remove.exe (PID: 3580)
      • Install.exe (PID: 1616)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • VC2010RedistX86UInstaller.exe (PID: 2228)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforUDProtect.exe (PID: 3840)
      • DataParserInstaller.exe (PID: 3676)
      • SangforPW.exe (PID: 532)
      • SangforPW.exe (PID: 1556)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • ndiscleanup.x86.exe (PID: 2640)
      • SetIPTime.exe (PID: 2536)
      • ECBaseInstaller.exe (PID: 2464)
      • ECAgentInstaller.exe (PID: 2776)
      • SuperServiceInstaller.exe (PID: 1068)
      • SangforHelperToolInstaller.exe (PID: 3728)
      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforPromote.exe (PID: 3260)
      • EasyConnect.exe (PID: 2452)
      • EasyConnect.exe (PID: 3900)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • EasyConnect.exe (PID: 2916)
      • EasyConnect.exe (PID: 3860)
      • EasyConnect.exe (PID: 3028)
      • DoTask.EXE (PID: 2964)
      • DoTask.EXE (PID: 3028)
      • DoTask.EXE (PID: 3056)
      • DoTask.EXE (PID: 2268)
      • DoTask.EXE (PID: 2424)
      • DoTask.EXE (PID: 4048)
      • DoTask.EXE (PID: 2568)
    • Drops the executable file immediately after the start

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • VC2010RedistX86UInstaller.exe (PID: 2228)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforPWInstaller.exe (PID: 2380)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • DrvInst.exe (PID: 2132)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 824)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • SangforHelperTool.exe (PID: 1652)
      • DoTask.EXE (PID: 2964)
    • Creates a writable file in the system directory

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • ECAgentInstaller.exe (PID: 2776)
    • Loads dropped or rewritten executable

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • svchost.exe (PID: 868)
      • chrome.exe (PID: 1984)
      • DnsDriverInstaller.exe (PID: 2744)
      • TcpDriverInstaller.exe (PID: 668)
      • SangforCSClientInstaller.exe (PID: 3156)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 3256)
      • chrome.exe (PID: 1788)
      • SangforUDProtect.exe (PID: 3840)
      • chrome.exe (PID: 2088)
      • Explorer.EXE (PID: 1100)
      • DllHost.exe (PID: 3736)
      • VNICInstaller.exe (PID: 3072)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • svchost.exe (PID: 1440)
      • svchost.exe (PID: 712)
      • ECAgent.exe (PID: 3752)
      • ECAgentInstaller.exe (PID: 2776)
      • ctfmon.exe (PID: 736)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3360)
      • ECAgent.exe (PID: 3112)
      • chrome.exe (PID: 2204)
      • DllHost.exe (PID: 3212)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforPromote.exe (PID: 3260)
      • DllHost.exe (PID: 1132)
      • DllHost.exe (PID: 3768)
      • EasyConnect.exe (PID: 2452)
      • EasyConnect.exe (PID: 3900)
      • SangforHelperTool.exe (PID: 1652)
      • EasyConnect.exe (PID: 2916)
      • ECAgent.exe (PID: 2780)
      • EasyConnect.exe (PID: 3860)
      • DllHost.exe (PID: 1776)
      • EasyConnect.exe (PID: 3028)
      • DoTask.EXE (PID: 4048)
      • DllHost.exe (PID: 2392)
      • DoTask.EXE (PID: 3056)
      • DoTask.EXE (PID: 2268)
      • ECAgent.exe (PID: 2636)
      • explorer.exe (PID: 2768)
      • taskhost.exe (PID: 1172)
      • Dwm.exe (PID: 1412)
      • taskeng.exe (PID: 664)
      • DllHost.exe (PID: 3812)
      • NOTEPAD.EXE (PID: 2544)
      • ECAgent.exe (PID: 4056)
      • NOTEPAD.EXE (PID: 1032)
      • WinRAR.exe (PID: 708)
      • NOTEPAD.EXE (PID: 412)
      • ECAgent.exe (PID: 2972)
    • Changes the autorun value in the registry

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • svchost.exe (PID: 868)
      • DrvInst.exe (PID: 824)
      • X86-all-rootsupd.exe (PID: 3068)
    • Steals credentials from Web Browsers

      • ECAgent.exe (PID: 3112)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • Explorer.EXE (PID: 1100)
      • SangforPW.exe (PID: 1556)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3360)
      • consent.exe (PID: 2176)
      • SangforCSClient.exe (PID: 124)
      • updroots.exe (PID: 1304)
      • updroots.exe (PID: 4028)
      • updroots.exe (PID: 2468)
      • ECAgent.exe (PID: 2780)
      • consent.exe (PID: 2972)
      • updroots.exe (PID: 2636)
      • ECAgent.exe (PID: 4056)
      • SangforUDProtect.exe (PID: 3840)
      • DrvInst.exe (PID: 824)
    • Drops a file with too old compile date

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforRAppInstaller.exe (PID: 3344)
      • DataParserInstaller.exe (PID: 3676)
      • VNICInstaller.exe (PID: 3072)
    • Executable content was dropped or overwritten

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • VC2010RedistX86UInstaller.exe (PID: 2228)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforPWInstaller.exe (PID: 2380)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • SangforHelperTool.exe (PID: 1652)
      • DoTask.EXE (PID: 2964)
    • Creates files in the Windows directory

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • ECAgentInstaller.exe (PID: 2776)
    • Creates a directory in Program Files

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforRAppInstaller.exe (PID: 3344)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • ECBaseInstaller.exe (PID: 2464)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
    • Removes files from the Windows directory

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • ECAgentInstaller.exe (PID: 2776)
    • Creates/Modifies COM task schedule object

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • InstallControl.exe (PID: 2248)
    • The process checks if it is being run in the virtual environment

      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
    • Process drops SQLite DLL files

      • EasyConnectUIInstaller.exe (PID: 528)
    • Creates a software uninstall entry

      • EasyConnectUIInstaller.exe (PID: 528)
      • VNICInstaller.exe (PID: 3072)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
    • Starts application with an unusual extension

      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • VNICInstaller.exe (PID: 3072)
    • Uses TASKKILL.EXE to kill process

      • ns7617.tmp (PID: 3440)
    • Starts SC.EXE for service management

      • ns753A.tmp (PID: 3972)
      • ns75A8.tmp (PID: 3292)
      • ns78E7.tmp (PID: 3556)
      • ns7956.tmp (PID: 3220)
      • ns79C4.tmp (PID: 3976)
    • Executes as Windows Service

      • SangforPW.exe (PID: 1556)
      • vssvc.exe (PID: 2076)
      • SangforPromoteService.exe (PID: 3392)
    • Checks Windows Trust Settings

      • SangforPW.exe (PID: 1556)
      • SangforUDProtect.exe (PID: 3840)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SangforPromoteService.exe (PID: 3392)
      • SangforCSClient.exe (PID: 124)
    • Creates or modifies Windows services

      • SangforPW.exe (PID: 1556)
    • Reads security settings of Internet Explorer

      • vacon.exe (PID: 3068)
      • SangforCSClient.exe (PID: 124)
    • Adds/modifies Windows certificates

      • vacon.exe (PID: 3068)
      • ECAgent.exe (PID: 3360)
      • updroots.exe (PID: 4028)
      • updroots.exe (PID: 1304)
      • ECAgent.exe (PID: 2780)
      • ECAgent.exe (PID: 4056)
      • updroots.exe (PID: 2636)
      • SangforPromoteService.exe (PID: 3392)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
    • Uses NETSH.EXE for network configuration

      • SetIPTime.exe (PID: 2536)
    • Reads Internet Settings

      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforHelperTool.exe (PID: 1652)
      • ECAgent.exe (PID: 2636)
    • Changes internet zones settings

      • ECAgent.exe (PID: 2972)
      • SangforHelperTool.exe (PID: 1652)
      • ECAgent.exe (PID: 2636)
  • INFO

    • Starts Internet Explorer

      • Explorer.EXE (PID: 1100)
    • Manual execution by user

      • chrome.exe (PID: 2088)
      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstaller (1).exe (PID: 3628)
    • Application launched itself

      • chrome.exe (PID: 2088)
      • iexplore.exe (PID: 3256)
    • Drops the executable file immediately after the start

      • chrome.exe (PID: 2088)
      • iexplore.exe (PID: 3256)
      • chrome.exe (PID: 1984)
      • iexplore.exe (PID: 3864)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3864)
      • chrome.exe (PID: 2088)
      • iexplore.exe (PID: 3256)
      • chrome.exe (PID: 1984)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3256)
    • Drops a file that was compiled in debug mode

      • iexplore.exe (PID: 3256)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • VC2010RedistX86UInstaller.exe (PID: 2228)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforRAppInstaller.exe (PID: 3344)
      • DataParserInstaller.exe (PID: 3676)
      • VNICInstaller.exe (PID: 3072)
      • InstallControl.exe (PID: 2248)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SangforHelperTool.exe (PID: 1652)
      • DoTask.EXE (PID: 2964)
    • Creates files in the user directory

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • ECAgent.exe (PID: 3112)
      • SangforHelperToolInstaller.exe (PID: 3728)
      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • SangforHelperTool.exe (PID: 1652)
      • CheckFolderPermission.exe (PID: 3884)
    • Reads security settings of Internet Explorer

      • Explorer.EXE (PID: 1100)
      • consent.exe (PID: 2176)
      • consent.exe (PID: 2972)
    • Checks supported languages

      • EasyConnectInstaller (1).exe (PID: 576)
      • EasyConnectInstallerRaw.exe (PID: 1832)
      • EasyConnectInstaller (1).exe (PID: 3628)
      • SangforCSClientInstaller.exe (PID: 3156)
      • Uninstall.exe (PID: 3708)
      • TcpDriverInstaller.exe (PID: 668)
      • Remove.exe (PID: 3592)
      • Install.exe (PID: 2312)
      • DnsDriverInstaller.exe (PID: 2744)
      • Install.exe (PID: 1616)
      • SuperExeInstaller.exe (PID: 3380)
      • Remove.exe (PID: 3580)
      • EasyConnectUIInstaller.exe (PID: 528)
      • VC2010RedistX86UInstaller.exe (PID: 2228)
      • SJobberInstaller.exe (PID: 3064)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • ns753A.tmp (PID: 3972)
      • ns7617.tmp (PID: 3440)
      • ns75A8.tmp (PID: 3292)
      • ns74CD.tmp (PID: 3304)
      • ns77FC.tmp (PID: 1152)
      • SangforPW.exe (PID: 532)
      • ns78E7.tmp (PID: 3556)
      • SangforPW.exe (PID: 1556)
      • ns7956.tmp (PID: 3220)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforUDProtect.exe (PID: 3840)
      • ns79C4.tmp (PID: 3976)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • ndiscleanup.x86.exe (PID: 2640)
      • ns80B4.tmp (PID: 3816)
      • vacon.exe (PID: 3068)
      • ns8152.tmp (PID: 3780)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SetIPTime.exe (PID: 2536)
      • nsC7D1.tmp (PID: 3664)
      • ECBaseInstaller.exe (PID: 2464)
      • ECAgent.exe (PID: 3752)
      • ECAgentInstaller.exe (PID: 2776)
      • SuperServiceInstaller.exe (PID: 1068)
      • SangforPromoteService.exe (PID: 3188)
      • SangforPromoteService.exe (PID: 2884)
      • ECAgent.exe (PID: 3360)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3112)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • SangforHelperToolInstaller.exe (PID: 3728)
      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforPromote.exe (PID: 3260)
      • X86-all-rootsupd.exe (PID: 3068)
      • updroots.exe (PID: 1304)
      • updroots.exe (PID: 4028)
      • updroots.exe (PID: 2468)
      • updroots.exe (PID: 2636)
      • EasyConnect.exe (PID: 2452)
      • SangforHelperTool.exe (PID: 1652)
      • EasyConnect.exe (PID: 2916)
      • EasyConnect.exe (PID: 3900)
      • ECAgent.exe (PID: 2972)
      • ECAgent.exe (PID: 2780)
      • EasyConnect.exe (PID: 3860)
      • EasyConnect.exe (PID: 3028)
      • DoTask.EXE (PID: 4048)
      • DoTask.EXE (PID: 3028)
      • DoTask.EXE (PID: 2568)
      • DoTask.EXE (PID: 3056)
      • DoTask.EXE (PID: 2268)
      • CheckFolderPermission.exe (PID: 3884)
      • DoTask.EXE (PID: 2424)
      • ECAgent.exe (PID: 4056)
      • ECAgent.exe (PID: 2636)
      • DoTask.EXE (PID: 2964)
    • Reads the computer name

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • Uninstall.exe (PID: 3708)
      • SangforCSClientInstaller.exe (PID: 3156)
      • Install.exe (PID: 2312)
      • DnsDriverInstaller.exe (PID: 2744)
      • Install.exe (PID: 1616)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • TcpDriverInstaller.exe (PID: 668)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforPW.exe (PID: 1556)
      • SangforPW.exe (PID: 532)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforUDProtect.exe (PID: 3840)
      • DataParserInstaller.exe (PID: 3676)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • ECBaseInstaller.exe (PID: 2464)
      • ECAgentInstaller.exe (PID: 2776)
      • SuperServiceInstaller.exe (PID: 1068)
      • SangforPromoteService.exe (PID: 3188)
      • SangforPromoteService.exe (PID: 2884)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3112)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • EasyConnect.exe (PID: 320)
      • X86-all-rootsupd.exe (PID: 3068)
      • SangforHelperTool.exe (PID: 1652)
      • ECAgent.exe (PID: 2972)
      • DoTask.EXE (PID: 4048)
      • DoTask.EXE (PID: 2964)
      • DoTask.EXE (PID: 2568)
      • DoTask.EXE (PID: 3056)
      • DoTask.EXE (PID: 2268)
      • DoTask.EXE (PID: 2424)
      • ECAgent.exe (PID: 2636)
      • SangforCSClient.exe (PID: 124)
      • DoTask.EXE (PID: 3028)
    • Creates a file in a temporary directory

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforUpdateInstaller.exe (PID: 668)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • ECAgentInstaller.exe (PID: 2776)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • X86-all-rootsupd.exe (PID: 3068)
      • SangforHelperTool.exe (PID: 1652)
      • CheckFolderPermission.exe (PID: 3884)
    • Process checks LSA protection

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SangforUpdateInstaller.exe (PID: 668)
      • SJobberInstaller.exe (PID: 3064)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforPW.exe (PID: 1556)
      • SangforRAppInstaller.exe (PID: 3344)
      • SangforUDProtect.exe (PID: 3840)
      • DataParserInstaller.exe (PID: 3676)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • ECBaseInstaller.exe (PID: 2464)
      • ECAgentInstaller.exe (PID: 2776)
      • SuperServiceInstaller.exe (PID: 1068)
      • ECAgent.exe (PID: 3360)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3112)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
      • EasyConnect.exe (PID: 320)
      • SangforCSClient.exe (PID: 124)
      • SangforHelperTool.exe (PID: 1652)
      • ECAgent.exe (PID: 2780)
      • ECAgent.exe (PID: 4056)
    • Creates files in the program directory

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • SangforCSClientInstaller.exe (PID: 3156)
      • DnsDriverInstaller.exe (PID: 2744)
      • SuperExeInstaller.exe (PID: 3380)
      • EasyConnectUIInstaller.exe (PID: 528)
      • TcpDriverInstaller.exe (PID: 668)
      • SangforServiceClientInstaller.exe (PID: 3100)
      • SJobberInstaller.exe (PID: 3064)
      • SangforUpdateInstaller.exe (PID: 668)
      • SangforPWInstaller.exe (PID: 2380)
      • SangforRAppInstaller.exe (PID: 3344)
      • DataParserInstaller.exe (PID: 3676)
      • InstallControl.exe (PID: 2248)
      • VNICInstaller.exe (PID: 3072)
      • ECAgentInstaller.exe (PID: 2776)
      • ECBaseInstaller.exe (PID: 2464)
      • SuperServiceInstaller.exe (PID: 1068)
      • DoTask.EXE (PID: 2964)
      • SangforHelperToolInstallerRaw.exe (PID: 1372)
    • Reads Environment values

      • EasyConnectInstallerRaw.exe (PID: 1832)
      • TcpDriverInstaller.exe (PID: 668)
      • DnsDriverInstaller.exe (PID: 2744)
      • EasyConnectUIInstaller.exe (PID: 528)
      • DrvInst.exe (PID: 824)
    • Reads the machine GUID from the registry

      • SangforPW.exe (PID: 1556)
      • SangforUDProtect.exe (PID: 3840)
      • VNICInstaller.exe (PID: 3072)
      • vacon.exe (PID: 3068)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SangforPromoteService.exe (PID: 3392)
      • ECAgent.exe (PID: 3360)
      • ECAgent.exe (PID: 3112)
      • SangforCSClient.exe (PID: 124)
      • EasyConnect.exe (PID: 320)
      • SangforHelperTool.exe (PID: 1652)
      • ECAgent.exe (PID: 2780)
      • ECAgent.exe (PID: 4056)
    • Process checks SAM and SYSTEM backups

      • SangforPW.exe (PID: 1556)
      • SangforUDProtect.exe (PID: 3840)
      • DrvInst.exe (PID: 2132)
      • DrvInst.exe (PID: 824)
      • SangforPromoteService.exe (PID: 3392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
196
Monitored processes
145
Malicious processes
56
Suspicious processes
10

Behavior graph

[Behavior graph: interactive process tree, rendered only in the full report; edges are labelled "start" or "drop and start". Nodes: iexplore.exe, chrome.exe, easyconnectinstaller (1).exe, easyconnectinstallerraw.exe, uninstall.exe, sangforcsclientinstaller.exe, svchost.exe, tcpdriverinstaller.exe, remove.exe, install.exe, dnsdriverinstaller.exe, superexeinstaller.exe, easyconnectuiinstaller.exe, sangforserviceclientinstaller.exe, vc2010redistx86uinstaller.exe, sjobberinstaller.exe, sangforupdateinstaller.exe, ns74cd.tmp, sangforpwinstaller.exe, ns753a.tmp, sc.exe, ns75a8.tmp, ns7617.tmp, taskkill.exe, ns77fc.tmp, sangforpw.exe, ns78e7.tmp, ns7956.tmp, ns79c4.tmp, sangforrappinstaller.exe, sangforudprotect.exe, dataparserinstaller.exe, installcontrol.exe, vnicinstaller.exe, ns80b4.tmp, ndiscleanup.x86.exe, explorer.exe, ns8152.tmp, vacon.exe, Thumbnail Cache Class Factory for Out of Proc Server, drvinst.exe, vssvc.exe, rundll32.exe, nsc7d1.tmp, setiptime.exe, netsh.exe, ecbaseinstaller.exe, ecagentinstaller.exe, ecagent.exe, superserviceinstaller.exe, sangforpromoteservice.exe, ctfmon.exe, consent.exe, PSIProfileNotify, sangforhelpertoolinstaller.exe, sangforhelpertoolinstallerraw.exe, easyconnect.exe, sangforcsclient.exe, sangforpromote.exe, DllHost.exe, x86-all-rootsupd.exe, updroots.exe, sangforhelpertool.exe, dotask.exe, checkfolderpermission.exe, taskeng.exe, taskhost.exe, dwm.exe, notepad.exe, winrar.exe]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
124
CMD:
"C:\Program Files\Sangfor\SSL\SangforCSClient\SangforCSClient.exe" EC
Path:
C:\Program Files\Sangfor\SSL\SangforCSClient\SangforCSClient.exe
Parent process:
EasyConnect.exe
User:
admin
Company:
Sangfor Technologies Inc.
Integrity Level:
MEDIUM
Description:
SangforCSClient
Exit code:
0
Version:
7,6,7,208
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\sangfor\ssl\sangforcsclient\sangforcsclient.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
PID:
320
CMD:
"C:\Program Files\Sangfor\SSL\EasyConnect\EasyConnect.exe" /ShortCutAutoLogin
Path:
C:\Program Files\Sangfor\SSL\EasyConnect\EasyConnect.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Sangfor Technologies Inc.
Integrity Level:
MEDIUM
Description:
EasyConnect
Exit code:
0
Version:
7,6,7,201
Modules
Images
c:\program files\sangfor\ssl\easyconnect\easyconnect.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
PID:
348
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,8576645175113029103,3874309503420664113,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID:
412
CMD:
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa708.43279\EasyConnect.exe.log
Path:
C:\Windows\system32\NOTEPAD.EXE
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
528
CMD:
"C:\Program Files\Sangfor\SSL\ClientComponent\EasyConnectUIInstaller.exe" -SessionId=-1
Path:
C:\Program Files\Sangfor\SSL\ClientComponent\EasyConnectUIInstaller.exe
Parent process:
EasyConnectInstallerRaw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\sangfor\ssl\clientcomponent\easyconnectuiinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
528
CMD:
sc start SangforPW
Path:
C:\Windows\system32\sc.exe
Parent process:
ns78E7.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
PID:
532
Command line:
"C:\Program Files\Sangfor\SSL\SangforPW\SangforPW.exe" /Service
Path:
C:\Program Files\Sangfor\SSL\SangforPW\SangforPW.exe
Parent process:
ns77FC.tmp
User:
admin
Company:
Sangfor Technologies Inc.
Integrity Level:
HIGH
Description:
Sangfor Easyconnect Security Protect Service
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\sangfor\ssl\sangforpw\sangforpw.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
576
Command line:
"C:\Users\admin\Downloads\EasyConnectInstaller (1).exe"
Path:
C:\Users\admin\Downloads\EasyConnectInstaller (1).exe
Parent process:
Explorer.EXE
User:
admin
Company:
Sangfor Technologies Inc.
Integrity Level:
MEDIUM
Description:
EasyConnect
Exit code:
0
Version:
7, 6, 7, 0
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\users\admin\downloads\easyconnectinstaller (1).exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\roaming\easyconnect_21459\easyconnectinstallerraw.exe
PID:
664
Command line:
taskeng.exe {DB91E8D7-977A-400E-BA2C-A8ECB4D7B036}
Path:
C:\Windows\system32\taskeng.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID:
668
Command line:
"C:\Program Files\Sangfor\SSL\ClientComponent\TcpDriverInstaller.exe" -SessionId=-1
Path:
C:\Program Files\Sangfor\SSL\ClientComponent\TcpDriverInstaller.exe
Parent process:
EasyConnectInstallerRaw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\sangfor\ssl\clientcomponent\tcpdriverinstaller.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
118 401
Read events
113 817
Write events
3 999
Delete events
585

Modification events

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30994345

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30994345

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

PID: 3256
Process: iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
159
Suspicious files
606
Text files
754
Unknown types
72

Dropped files

PID | Process | Filename | Type
1172 | taskhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat |
712 | svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\~FontCache-S-1-5-21-1302019708-1500728564-335382590-1000.dat |
1172 | taskhost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1 | der
3256 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der
3864 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\onedrive[1].htm | html
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1 | binary
3256 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
HTTP(S) requests
26
TCP/UDP connections
115
DNS requests
46
Threats
9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
868 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | | | whitelisted
3256 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 188.114.98.236:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCExIAID0mTAYs5VcQIg4AAAAgPSY%3D | NL | der | 1.70 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted
868 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 9.66 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | US | der | 471 b | whitelisted
868 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 9.66 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1984 | chrome.exe | 142.250.186.142:443 | clients2.google.com | GOOGLE | US | whitelisted
3864 | iexplore.exe | 13.107.136.9:443 | jstusa-my.sharepoint.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3864 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3864 | iexplore.exe | 67.27.158.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious
3256 | iexplore.exe | 23.36.162.73:443 | www.bing.com | Akamai International B.V. | DE | suspicious
3256 | iexplore.exe | 13.107.136.9:443 | jstusa-my.sharepoint.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3256 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3864 | iexplore.exe | 23.35.237.204:443 | shell.cdn.office.net | AKAMAI-AS | DE | unknown
3864 | iexplore.exe | 188.114.98.236:80 | ocsp.msocsp.com | CLOUDFLARENET | NL | whitelisted
3864 | iexplore.exe | 23.36.163.230:443 | res-1.cdn.office.net | Akamai International B.V. | DE | suspicious

DNS requests

Domain | IP | Reputation
jstusa-my.sharepoint.com | 13.107.136.9, 13.107.138.9 | unknown
ctldl.windowsupdate.com | 67.27.158.254, 8.248.117.254, 8.241.123.126, 8.238.36.254, 8.248.139.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 23.36.162.73, 23.36.162.71, 23.36.162.85, 23.36.162.68, 23.36.162.84, 23.36.162.80 | whitelisted
shell.cdn.office.net | 23.35.237.204, 2.19.104.202 | whitelisted
ocsp.msocsp.com | 188.114.98.236, 188.114.99.236 | whitelisted
res-1.cdn.office.net | 23.36.163.230, 23.36.163.238, 2.19.96.193, 2.19.97.11 | whitelisted
res-2.cdn.office.net | 152.199.21.175 | whitelisted
browser.pipe.aria.microsoft.com | 20.189.173.4, 20.189.173.10 | whitelisted

Threats

PID | Process | Class | Message
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3864 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
Process | Message
EasyConnectInstaller (1).exe | [EasyConnectInstallWrapper] [ExecCommand] ExecCommand "C:\Users\admin\AppData\Roaming\EasyConnect_21459\EasyConnectInstallerRaw.exe"
EasyConnectInstaller (1).exe | [EasyConnectInstallWrapper] [ExecCommand] CreateProcess "C:\Users\admin\AppData\Roaming\EasyConnect_21459\EasyConnectInstallerRaw.exe" failed:740
EasyConnectInstaller (1).exe | [EasyConnectInstallWrapper] [main] ExecCommand C:\Users\admin\AppData\Roaming\EasyConnect_21459\EasyConnectInstallerRaw.exe failed Exit
EasyConnectInstaller (1).exe | [EasyConnectInstallWrapper] [DeleteTempFilePath] RemoveDirectoryA szFilePath C:\Users\admin\AppData\Roaming\EasyConnect_21459 failed:145
EasyConnectInstaller (1).exe | [EasyConnectInstallWrapper] [ExecCommand] ExecCommand "C:\Users\admin\AppData\Roaming\EasyConnect_21479\EasyConnectInstallerRaw.exe"
EasyConnectInstallerRaw.exe | In UninstallAllSessionControls
EasyConnectInstallerRaw.exe | open registry(SOFTWARE\Sangfor\SSL\VPN\Sessions) failed, errcode = 2
EasyConnectInstallerRaw.exe | Out UninstallAllSessionControls
EasyConnectInstallerRaw.exe | open registry(SOFTWARE\Sangfor\SSL\VPN\Sessions\IDTable) failed, errcode = 2
EasyConnectInstallerRaw.exe | open registry(SOFTWARE\Sangfor\SSL\SangforCSClient) failed, errcode = 2