File name: 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe

Full analysis: https://app.any.run/tasks/ac26a2f9-c3fe-47c9-b93c-3a198d6e7965
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: June 24, 2024, 18:10:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netsupport, unwanted, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BC40D343632F54712A794D8B699925A9
SHA1: 103E982C4767C799894152E0A58A59D55971052C
SHA256: 0BB16506D1F5C422644435A7DAFD379C96F136F4E68703A45266066694EDE59E
SSDEEP: 49152:FhxzgPF4W65VfA38gE32DEs10GjLZyAae5Th/Bo947Z3/6vOeiCAR3NYJSGNvnj9:qPFK7wTEGzLoidBdhJtNJW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Teams.exe (PID: 1540)
    • Drops the executable file immediately after the start

      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
    • Connects to the CnC server

      • client32.exe (PID: 524)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 524)
    • The DLL Hijacking

      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 6764)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Update.exe (PID: 3724)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Teams.exe (PID: 1540)
    • Starts a Microsoft application from unusual location

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Process drops legitimate windows executable

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
    • Checks Windows Trust Settings

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
    • Executable content was dropped or overwritten

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
    • The process drops C-runtime libraries

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
    • Potential Corporate Privacy Violation

      • client32.exe (PID: 524)
    • Connects to the server without a host name

      • client32.exe (PID: 524)
    • Contacting a server suspected of hosting a CnC

      • client32.exe (PID: 524)
    • Reads the date of Windows installation

      • Update.exe (PID: 3724)
    • Application launched itself

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7008)
      • regsvr32.exe (PID: 6972)
    • Creates a software uninstall entry

      • Update.exe (PID: 3724)
    • Searches for installed software

      • Update.exe (PID: 3724)
  • INFO

    • Checks supported languages

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 3656)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6764)
      • Teams.exe (PID: 6796)
      • Teams.exe (PID: 3124)
      • Teams.exe (PID: 1644)
      • Teams.exe (PID: 3324)
      • Teams.exe (PID: 2012)
    • Reads the computer name

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 3656)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6764)
      • Teams.exe (PID: 6796)
      • Teams.exe (PID: 2012)
    • Checks proxy server information

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
      • Squirrel.exe (PID: 6348)
    • Reads the machine GUID from the registry

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
    • Creates files or folders in the user directory

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
      • client32.exe (PID: 524)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6796)
    • Drop NetSupport executable file

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Reads the software policy settings

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
      • Squirrel.exe (PID: 6348)
    • Reads Environment values

      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 1540)
      • Update.exe (PID: 5968)
    • Reads Microsoft Office registry keys

      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Squirrel.exe (PID: 6348)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
    • Disables trace logs

      • Update.exe (PID: 3724)
      • Update.exe (PID: 5968)
      • Squirrel.exe (PID: 6348)
    • Creates files in the program directory

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Create files in a temporary directory

      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Process checks computer location settings

      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 3124)
      • Teams.exe (PID: 1644)
      • Teams.exe (PID: 3324)
    • Reads product name

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Reads CPU info

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (53)
.exe | Win64 Executable (generic) (34)
.exe | Win32 Executable (generic) (5.5)
.exe | Clipper DOS Executable (2.4)
.exe | Generic Win/DOS Executable (2.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:27 10:41:20+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 910848
InitializedDataSize: 1087488
UninitializedDataSize: -
EntryPoint: 0x8415f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.7.0.3315
ProductVersionNumber: 1.7.0.3315
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Microsoft Teams
FileVersion: 1.7.00.3315
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2016 Microsoft. All rights reserved.
OriginalFileName: Setup.exe
ProductName: Microsoft Teams
ProductVersion: 1.7.00.3315
SquirrelAwareVersion: 1
CompanyName: Microsoft Corporation
No data.
All screenshots are available in the full report
Total processes: 160
Monitored processes: 19
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order (processes the report marks "no specs" are shown as such): 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe, client32.exe (#NETSUPPORT), msteamssetup_c_l_.exe, update.exe, squirrel.exe, teams.exe (no specs), update.exe, teams.exe (no specs), teams.exe (no specs), teams.exe, teams.exe (no specs), teams.exe, teams.exe (no specs), teams.exe (no specs), teams.exe (no specs), teams.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 524
CMD: C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe
Path: C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe
Parent process: 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
CrossTec Client Application
Version:
V11.00
Modules
Images
c:\users\admin\appdata\roaming\cscoclient\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\cscoclient\pcicl32.dll
PID: 696
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s /n /i:user "C:\Users\admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: Update.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1540
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Update.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Teams
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
c:\windows\system32\combase.dll
PID: 1644
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3088 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=notificationsManager /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Teams
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1740
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1824,i,16580625892607865916,12414982192320007570,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Teams
Exit code:
0
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2012
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=3724 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Teams
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: "C:\Users\admin\AppData\Local\Temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe"
Path: C:\Users\admin\AppData\Local\Temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Teams
Exit code:
0
Version:
1.7.00.3315
Modules
Images
c:\users\admin\appdata\local\temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3124
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2496 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=loadingWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Teams
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3324
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4600 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=accountSelectWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Teams
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3656
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2148 --field-trial-handle=1824,i,16580625892607865916,12414982192320007570,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Teams
Exit code:
0
Version:
1.7.00.15969
Modules
Images
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\uiautomationcore.dll
Total events: 28 854
Read events: 28 151
Write events: 684
Delete events: 19

Modification events

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CSCOClient
Value: C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe

(PID) Process: (524) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (524) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 373
Suspicious files: 49
Text files: 147
Unknown types: 135

Dropped files

PID | Process | Filename | Type

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B | der
MD5: 9142D02C3B94057CE8292EF7B5AC9EB1
SHA256: 6360C1CDCA116BF3921605BA039AA71192E4DB26FCAD75F5474B68E62F9772F8

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\kbd106n.dll | executable
MD5: 8C6585286D4F6794FB388BDF842DF1E4
SHA256: FCBA03F56190EE7D8E37375FD0D3B5DEA987B040B8AD91B0E83F53D6E8ADC52E

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\KBDARME.DLL | executable
MD5: 7F5AD86B9F7CCC7F7CE9D4E5170A94E6
SHA256: 415CE966256939094BB504556D27DA6578C31B7E95CC2C8FF2FE7EDEA3A2A28B

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\nskbfltr.inf | binary
MD5: 26E28C01461F7E65C402BDF09923D435
SHA256: D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\kbdarmph.dll | executable
MD5: EDC488CADC3155607C374599F7C7B8AC
SHA256: 30A73F927A7F6EE55E936583D5AB8CDF43E59A413D47CF6824AA10BAF9FE482F

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\AudioCapture.dll | executable
MD5: 2A82792F7B45D537EDFE58EB758C1197
SHA256: 05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\KBDA2.DLL | executable
MD5: 214AA73291F6AB887EF26A66BCE94AED
SHA256: BA86BF23A8B6FBAA94749D572D9DF0C1E8BBE50F709B8179B52F8FDFFDB5429D

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: 8A0820C606BC4F335034A5E0A6AADA24
SHA256: 87489A9405FCD56318DA771F565441F840500DBD80B995BE81EED2B38F23016D

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\kc[1].zip | compressed
MD5: EC5417308B4F15D20CC50BC1FFB0A4C2
SHA256: EAE19BEE545EC136BC707F7B4113B33DF96CE52E36059FC394797D7169DF9634

2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\kb[1].zip | compressed
MD5: 03A490BDD1140B08C2EF80E023F1ECED
SHA256: 849FEEA61CA27ECD7B1951AB7C7B3D68F7A4A0D20A844B7CBC15BE473E68FDD0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 75
DNS requests: 30
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D | unknown | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown
524 | client32.exe | GET | 200 | 172.67.68.212:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | unknown
524 | client32.exe | POST | 200 | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
1544 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
524 | client32.exe | POST | 200 | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
524 | client32.exe | POST | - | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
524 | client32.exe | POST | - | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
2520 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3776 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3872 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 91.108.101.4:443 | whispry.com | - | DE | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | shared
2520 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4656 | SearchApp.exe | 2.23.209.176:443 | www.bing.com | Akamai International B.V. | GB | unknown
4656 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
whispry.com
  • 91.108.101.4
unknown
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.158
  • 2.23.209.182
  • 2.23.209.149
  • 2.23.209.181
  • 2.23.209.160
  • 2.23.209.154
  • 2.23.209.150
  • 2.23.209.177
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
nld360.com
  • 91.202.5.209
unknown
login.live.com
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.73
  • 40.126.31.69
whitelisted
geo.netsupportsoftware.com
  • 172.67.68.212
  • 104.26.0.231
  • 104.26.1.231
unknown
r.bing.com
  • 2.23.209.176
  • 2.23.209.182
  • 2.23.209.154
  • 2.23.209.150
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.149
  • 2.23.209.177
  • 2.23.209.181
  • 104.126.37.171
  • 104.126.37.155
  • 104.126.37.163
  • 104.126.37.152
  • 104.126.37.162
  • 104.126.37.168
  • 104.126.37.161
  • 104.126.37.153
  • 104.126.37.170
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted

Threats

PID | Process | Class | Message
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
524 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
4 ETPRO signatures available at the full report
Process | Message
Update.exe | Update.exe Information: 0 :
Update.exe | Starting TelemetryManager constructor
Update.exe | Update.exe Information: 0 :
Update.exe | TelemetryManagerImpl creation started
Update.exe | Update.exe Information: 0 :
Update.exe | Performance counters are disabled. Skipping creation of counters category.
Update.exe | Update.exe Information: 0 :
Update.exe | RecordBatcherTask with ID 4 started.
Update.exe | Update.exe Information: 0 :
Update.exe | DataPackageSender with UserAgent name: AST-exe-C#, version: 3.3.15.0, [Ast_Default_Source]