Malware analysis Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe Malicious activity

Add for printing

File name:	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe
Full analysis:	https://app.any.run/tasks/8169a7c7-3cfe-4c92-9b0b-7fe7833d0a8c
Verdict:	Malicious activity
Analysis date:	July 26, 2024, 05:36:08
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	installer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	961795E6F576C203ACF26756248B1061
SHA1:	2A1EBF419DE2B5B5E4B7F34BFB9C4FBEB2A060F2
SHA256:	FB7D9A5CF6AE1B52786827AB9357062EC5A7A9B49D1FAAAAEBC4B2E2B1C5F182
SSDEEP:	196608:BozgrggXBBj7QlBWIf+qivj62uKjMaaEusDCB3djS/YP0IAHIWyfuEZLNjdT1c/N:KgkgMMyXivjCKbavsDM3qqFAoW6uEZJ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
  - TiWorker.exe (PID: 5124)
  - drvinst.exe (PID: 5024)
  - drvinst.exe (PID: 7816)
  - drvinst.exe (PID: 7952)
  - drvinst.exe (PID: 8032)
SUSPICIOUS
- Executes as Windows Service
  - SSUService.exe (PID: 7780)
  - WUDFHost.exe (PID: 8056)
- Executing commands from a ".bat" file
  - Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
- Starts CMD.EXE for commands execution
  - Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
- Executable content was dropped or overwritten
  - drvinst.exe (PID: 5024)
  - TiWorker.exe (PID: 5124)
  - drvinst.exe (PID: 7816)
  - drvinst.exe (PID: 7952)
  - drvinst.exe (PID: 8032)
  - Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
- Process drops legitimate windows executable
  - TiWorker.exe (PID: 5124)
- The process drops C-runtime libraries
  - TiWorker.exe (PID: 5124)
- Drops a system driver (possible attempt to evade defenses)
  - drvinst.exe (PID: 7816)
  - drvinst.exe (PID: 7952)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	NSIS - Nullsoft Scriptable Install System (61.2)
.ax	\|	DirectShow filter (14.5)
.exe	\|	Win32 EXE PECompact compressed (v2.x) (4.2)
.exe	\|	InstallShield setup (3.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:12:14 15:13:03+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	158720
InitializedDataSize:	219136
UninitializedDataSize:	-
EntryPoint:	0x105b2
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.58.9.6924
ProductVersionNumber:	1.5.8.3
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Splashtop Inc.
FileDescription:	Splashtop® Wired XDisplay Agent
FileVersion:	1.58.9.6924
LegalCopyright:	Copyright © Splashtop Inc. All Rights Reserved.
ProductName:	Splashtop® Wired XDisplay - Extend & Mirror
ProductVersion:	1.5.8.3

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

208

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1544	"C:\WINDOWS\sysnative\cmd.exe" /c run.bat > C:\Users\admin\AppData\Local\Temp\unpack.log.txt	C:\Windows\System32\cmd.exe	—	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
2120	PreVerCheck.exe	C:\Users\admin\AppData\Local\Temp\unpack\PreVerCheck.exe	—	cmd.exe
User: admin Company: Splashtop Inc. Integrity Level: HIGH Description: Splashtop® Wired XDisplay Agent Installer Exit code: 0 Version: 1.58.9.6924
2692	"C:\Users\admin\AppData\Local\Temp\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe"	C:\Users\admin\AppData\Local\Temp\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe		explorer.exe
User: admin Company: Splashtop Inc. Integrity Level: HIGH Description: Splashtop® Wired XDisplay Agent Exit code: 0 Version: 1.58.9.6924
5024	DrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Wired XDisplay\Agent\Driver\win10\lci_iddcx.inf" "9" "4a1e2747b" "00000000000001C0" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files (x86)\Splashtop\Splashtop Wired XDisplay\Agent\Driver\win10"	C:\Windows\System32\drvinst.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)
5124	C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Version: 10.0.19041.3989 (WinBuild.160101.0800)
6668	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
7780	"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"	C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe	—	services.exe
User: SYSTEM Company: Splashtop Inc. Integrity Level: SYSTEM Description: Splashtop Software Updater Service Version: 1.5.5.7
7816	DrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop wired xdisplay\agent\driver\win10\lci_proxywddm.inf" "9" "4a8a251e7" "00000000000001EC" "WinSta0\Default" "00000000000001E8" "208" "c:\program files (x86)\splashtop\splashtop wired xdisplay\agent\driver\win10"	C:\Windows\System32\drvinst.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)
7952	DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\WINDOWS\INF\oem6.inf" "oem6.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "00000000000001D4"	C:\Windows\System32\drvinst.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)
8032	DrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"	C:\Windows\System32\drvinst.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800)

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2692	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe	C:\Users\admin\AppData\Local\Temp\unpack\setup.msi		—
		MD5:—	SHA256:—
2692	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe	C:\Users\admin\AppData\Local\Temp\unpack.log		text
		MD5:33EAEDC6D8B93A47BBB3C2282C22FAC0	SHA256:07A1B233DCB67C9D1735B570BB5609C9C514AAF74E479119F0F70EBCC0AB029A
2692	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe	C:\Users\admin\AppData\Local\Temp\unpack\run.bat		text
		MD5:56884732C1B8ABCBA0A31746DF533D97	SHA256:A6212DAAA9A377B202A9436D80AB97BC9B0050DC7E174FCD35F255B34500CFAB
2692	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe	C:\Users\admin\AppData\Local\Temp\unpack\setup.ini		text
		MD5:CE3FB3221DF283E1B86F1D6E448907F7	SHA256:253D4FECB0901274851EC461A555A5AB4CCB2718EFB1E4650AD8FAC63F4A3C1E
2692	Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe	C:\Users\admin\AppData\Local\Temp\unpack\PreVerCheck.exe		executable
		MD5:950C5BB6CBB6F2C23A0D40297BF05C74	SHA256:A2792F3E3839877EF48469E6E2B52363CF31E4BFF322933DEB73B9E4046636D1
5024	drvinst.exe	C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\x64\SETA7C1.tmp		executable
		MD5:01E8BC64139D6B74467330B11331858D	SHA256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
5024	drvinst.exe	C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\lci_iddcx.cat		cat
		MD5:62458E58313475C9A3642A392363E359	SHA256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
5024	drvinst.exe	C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\x64\lci_iddcx.dll		executable
		MD5:01E8BC64139D6B74467330B11331858D	SHA256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
5024	drvinst.exe	C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\SETA7C2.tmp		cat
		MD5:62458E58313475C9A3642A392363E359	SHA256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
5024	drvinst.exe	C:\Windows\INF\oem1.inf		txt
		MD5:1CEC22CA85E1B5A8615774FCA59A420B	SHA256:60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	152.199.19.74:80	http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D	unknown	—	—	whitelisted
—	—	GET	200	152.199.19.74:80	http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://s1.symcb.com/pca3-g5.crl	unknown	—	—	whitelisted
—	—	GET	200	152.199.19.74:80	http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGckCjWz8v0dOem1RVnx2jQ%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3392	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6412	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.25:443	www.bing.com	Akamai International B.V.	DE	unknown
5080	slui.exe	40.91.76.224:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	184.86.251.25 184.86.251.27 184.86.251.4 184.86.251.29 184.86.251.5 184.86.251.31 184.86.251.26 184.86.251.24 184.86.251.30 92.123.104.33 92.123.104.59 92.123.104.34 92.123.104.32 92.123.104.31	whitelisted
google.com	142.250.186.174	whitelisted
login.live.com	20.190.160.14 40.126.32.76 40.126.32.134 40.126.32.74 20.190.160.17 40.126.32.138 40.126.32.136 40.126.32.133	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

Add for printing

No debug info

General Info

Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe

961795E6F576C203ACF26756248B1061

2A1EBF419DE2B5B5E4B7F34BFB9C4FBEB2A060F2

FB7D9A5CF6AE1B52786827AB9357062EC5A7A9B49D1FAAAAEBC4B2E2B1C5F182

196608:BozgrggXBBj7QlBWIf+qivj62uKjMaaEusDCB3djS/YP0IAHIWyfuEZLNjdT1c/N:KgkgMMyXivjCKbavsDM3qqFAoW6uEZJ2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executes as Windows Service

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings