File name: Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe

Full analysis: https://app.any.run/tasks/8169a7c7-3cfe-4c92-9b0b-7fe7833d0a8c
Verdict: Malicious activity
Analysis date: July 26, 2024, 05:36:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 961795E6F576C203ACF26756248B1061
SHA1: 2A1EBF419DE2B5B5E4B7F34BFB9C4FBEB2A060F2
SHA256: FB7D9A5CF6AE1B52786827AB9357062EC5A7A9B49D1FAAAAEBC4B2E2B1C5F182
SSDEEP: 196608:BozgrggXBBj7QlBWIf+qivj62uKjMaaEusDCB3djS/YP0IAHIWyfuEZLNjdT1c/N:KgkgMMyXivjCKbavsDM3qqFAoW6uEZJ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
      • drvinst.exe (PID: 5024)
      • TiWorker.exe (PID: 5124)
      • drvinst.exe (PID: 7816)
      • drvinst.exe (PID: 8032)
      • drvinst.exe (PID: 7952)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
    • Executes as Windows Service

      • SSUService.exe (PID: 7780)
      • WUDFHost.exe (PID: 8056)
    • Executable content was dropped or overwritten

      • TiWorker.exe (PID: 5124)
      • Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
      • drvinst.exe (PID: 5024)
      • drvinst.exe (PID: 7952)
      • drvinst.exe (PID: 8032)
      • drvinst.exe (PID: 7816)
    • Starts CMD.EXE for commands execution

      • Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe (PID: 2692)
    • The process drops C-runtime libraries

      • TiWorker.exe (PID: 5124)
    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 7952)
      • drvinst.exe (PID: 7816)
    • Process drops legitimate windows executable

      • TiWorker.exe (PID: 5124)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (61.2)
.ax | DirectShow filter (14.5)
.exe | Win32 EXE PECompact compressed (v2.x) (4.2)
.exe | InstallShield setup (3.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:14 15:13:03+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 158720
InitializedDataSize: 219136
UninitializedDataSize: -
EntryPoint: 0x105b2
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.58.9.6924
ProductVersionNumber: 1.5.8.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Splashtop Inc.
FileDescription: Splashtop® Wired XDisplay Agent
FileVersion: 1.58.9.6924
LegalCopyright: Copyright © Splashtop Inc. All Rights Reserved.
ProductName: Splashtop® Wired XDisplay - Extend & Mirror
ProductVersion: 1.5.8.3
All screenshots are available in the full report
Total processes: 208
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 3

Behavior graph

Processes in the behavior graph: splashtop_wired_xdisplay_agent_v1.5.8.3.exe, cmd.exe, conhost.exe, prevercheck.exe, ssuservice.exe, tiworker.exe, drvinst.exe (4 instances), wudfhost.exe

Process information

PID 1544 (parent process: Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe)
CMD: "C:\WINDOWS\sysnative\cmd.exe" /c run.bat > C:\Users\admin\AppData\Local\Temp\unpack.log.txt
Path: C:\Windows\System32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 2120 (parent process: cmd.exe)
CMD: PreVerCheck.exe
Path: C:\Users\admin\AppData\Local\Temp\unpack\PreVerCheck.exe
User: admin
Company: Splashtop Inc.
Integrity Level: HIGH
Description: Splashtop® Wired XDisplay Agent Installer
Exit code: 0
Version: 1.58.9.6924

PID 2692 (parent process: explorer.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe
User: admin
Company: Splashtop Inc.
Integrity Level: HIGH
Description: Splashtop® Wired XDisplay Agent
Exit code: 0
Version: 1.58.9.6924

PID 5024 (parent process: svchost.exe)
CMD: DrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Wired XDisplay\Agent\Driver\win10\lci_iddcx.inf" "9" "4a1e2747b" "00000000000001C0" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files (x86)\Splashtop\Splashtop Wired XDisplay\Agent\Driver\win10"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID 5124 (parent process: svchost.exe)
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)

PID 6668 (parent process: cmd.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 7780 (parent process: services.exe)
CMD: "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"
Path: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
User: SYSTEM
Company: Splashtop Inc.
Integrity Level: SYSTEM
Description: Splashtop Software Updater Service
Version: 1.5.5.7

PID 7816 (parent process: svchost.exe)
CMD: DrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop wired xdisplay\agent\driver\win10\lci_proxywddm.inf" "9" "4a8a251e7" "00000000000001EC" "WinSta0\Default" "00000000000001E8" "208" "c:\program files (x86)\splashtop\splashtop wired xdisplay\agent\driver\win10"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID 7952 (parent process: svchost.exe)
CMD: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\WINDOWS\INF\oem6.inf" "oem6.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "00000000000001D4"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID 8032 (parent process: svchost.exe)
CMD: DrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 25
Suspicious files: 11
Text files: 8
Unknown types: 2

Dropped files

PID 2692, Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe
Filename: C:\Users\admin\AppData\Local\Temp\unpack\setup.msi
MD5:
SHA256:

PID 5024, drvinst.exe
Filename: C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\x64\lci_iddcx.dll
Type: executable
MD5: 01E8BC64139D6B74467330B11331858D
SHA256: 148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438

PID 5024, drvinst.exe
Filename: C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\x64\SETA7C1.tmp
Type: executable
MD5: 01E8BC64139D6B74467330B11331858D
SHA256: 148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438

PID 5024, drvinst.exe
Filename: C:\Windows\INF\oem1.inf
Type: txt
MD5: 1CEC22CA85E1B5A8615774FCA59A420B
SHA256: 60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF

PID 5024, drvinst.exe
Filename: C:\Windows\System32\DriverStore\Temp\{c3d03072-b2de-0048-b642-94985792cd3d}\SETA7E2.tmp
Type: txt
MD5: 1CEC22CA85E1B5A8615774FCA59A420B
SHA256: 60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF

PID 5124, TiWorker.exe
Filename: C:\Windows\WinSxS\Temp\InFlight\c42e4bd41ddfda01030000000414341c\9df94fd41ddfda01060000000414341c_msvcm90.dll
Type: executable
MD5: 7B37F8EC25C9AD853E8126C1D0992201
SHA256: 866F51D4416B6A0BFBE8442CC8C1716152E4C3EE3137C375D05185E8171096A7

PID 5124, TiWorker.exe
Filename: C:\Windows\WinSxS\Temp\InFlight\c42e4bd41ddfda01030000000414341c\6c924dd41ddfda01050000000414341c_msvcp90.dll
Type: executable
MD5: 871F979D70414C900B35E56222932DAF
SHA256: 91FD46D7335C9990A20F215B9F6F53BC59551420A9C99AD8110AE2F9FF7598F0

PID 2692, Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe
Filename: C:\Users\admin\AppData\Local\Temp\unpack.log
Type: text
MD5: 33EAEDC6D8B93A47BBB3C2282C22FAC0
SHA256: 07A1B233DCB67C9D1735B570BB5609C9C514AAF74E479119F0F70EBCC0AB029A

PID 5124, TiWorker.exe
Filename: C:\Windows\WinSxS\Temp\InFlight\4aca48d41ddfda01010000000414341c\70fb6ed41ddfda01070000000414341c_catalog
Type: cat
MD5: EBDE33DA7A45279EFB57896E2B65DD78
SHA256: F948FF1F6A705C5B399FC49B9492A9EF288F34D7F31B24B9AB6451ECDB1C1AD2

PID 5024, drvinst.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E
Type: binary
MD5: 057CDF2467E623E5B68FB5C2CE0DC4CB
SHA256: 67BCA24338C549FD14F6A261321F9CAF5EC1E18228733C54867375F2E9F591EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 52
DNS requests: 26
Threats: 1

HTTP requests

PID 4424, svchost.exe:
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D (CN: unknown; reputation: whitelisted)
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D (CN: unknown; reputation: whitelisted)

PID 5368, SearchApp.exe:
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D (CN: unknown; reputation: whitelisted)
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D (CN: unknown; reputation: whitelisted)
GET 200 152.199.19.74:80 http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D (CN: unknown; reputation: whitelisted)
GET 200 192.229.221.95:80 http://s1.symcb.com/pca3-g5.crl (CN: unknown; reputation: whitelisted)
GET 200 152.199.19.74:80 http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D (CN: unknown; reputation: whitelisted)
GET 200 152.199.19.74:80 http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGckCjWz8v0dOem1RVnx2jQ%3D (CN: unknown; reputation: whitelisted)
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D (CN: unknown; reputation: whitelisted)
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D (CN: unknown; reputation: whitelisted)

Connections

PID 4, System:
192.168.100.255:138 (whitelisted)

PID 3392, svchost.exe:
51.124.78.146:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL (whitelisted)
131.253.33.254:443 a-ring-fallback.msedge.net, MICROSOFT-CORP-MSN-AS-BLOCK, US (unknown)
51.124.78.146:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL (whitelisted)

PID 6412, slui.exe:
40.91.76.224:443, MICROSOFT-CORP-MSN-AS-BLOCK, US (whitelisted)
184.86.251.25:443 www.bing.com, Akamai International B.V., DE (unknown)

PID 5080, slui.exe:
40.91.76.224:443, MICROSOFT-CORP-MSN-AS-BLOCK, US (whitelisted)
239.255.255.250:1900 (whitelisted)

PID 4, System:
192.168.100.255:137 (whitelisted)

PID 6012, MoUsoCoreWorker.exe:
40.127.240.158:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, IE (unknown)

DNS requests

settings-win.data.microsoft.com: 51.124.78.146, 40.127.240.158 (whitelisted)
t-ring-fdv2.msedge.net: 13.107.237.254 (unknown)
a-ring-fallback.msedge.net: 131.253.33.254 (unknown)
www.bing.com: 184.86.251.25, 184.86.251.27, 184.86.251.4, 184.86.251.29, 184.86.251.5, 184.86.251.31, 184.86.251.26, 184.86.251.24, 184.86.251.30, 92.123.104.33, 92.123.104.59, 92.123.104.34, 92.123.104.32, 92.123.104.31 (whitelisted)
google.com: 142.250.186.174 (whitelisted)
login.live.com: 20.190.160.14, 40.126.32.76, 40.126.32.134, 40.126.32.74, 20.190.160.17, 40.126.32.138, 40.126.32.136, 40.126.32.133 (whitelisted)
ocsp.digicert.com: 192.229.221.95 (whitelisted)
client.wns.windows.com: 40.115.3.253 (whitelisted)
fp-afd-nocache-ccp.azureedge.net: 13.107.246.45 (whitelisted)
fd.api.iris.microsoft.com: 20.103.156.88 (whitelisted)

Threats

Class: Misc activity
Message: ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

No debug info