File name: 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Full analysis: https://app.any.run/tasks/ac26a2f9-c3fe-47c9-b93c-3a198d6e7965
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: June 24, 2024, 18:10:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netsupport, unwanted, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BC40D343632F54712A794D8B699925A9
SHA1: 103E982C4767C799894152E0A58A59D55971052C
SHA256: 0BB16506D1F5C422644435A7DAFD379C96F136F4E68703A45266066694EDE59E
SSDEEP: 49152:FhxzgPF4W65VfA38gE32DEs10GjLZyAae5Th/Bo947Z3/6vOeiCAR3NYJSGNvnj9:qPFK7wTEGzLoidBdhJtNJW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
    • Changes the autorun value in the registry

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Teams.exe (PID: 1540)
    • Connects to the CnC server

      • client32.exe (PID: 524)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 524)
    • The DLL Hijacking

      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 6764)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Update.exe (PID: 3724)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Teams.exe (PID: 1540)
    • Process drops legitimate windows executable

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
    • Starts a Microsoft application from unusual location

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Executable content was dropped or overwritten

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
    • The process drops C-runtime libraries

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
    • Checks Windows Trust Settings

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
    • Connects to the server without a host name

      • client32.exe (PID: 524)
    • Potential Corporate Privacy Violation

      • client32.exe (PID: 524)
    • Contacting a server suspected of hosting a CnC

      • client32.exe (PID: 524)
    • Reads the date of Windows installation

      • Update.exe (PID: 3724)
    • Application launched itself

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 6972)
      • regsvr32.exe (PID: 7008)
    • Creates a software uninstall entry

      • Update.exe (PID: 3724)
    • Searches for installed software

      • Update.exe (PID: 3724)
  • INFO

    • Checks supported languages

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 3656)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6764)
      • Teams.exe (PID: 6796)
      • Teams.exe (PID: 1644)
      • Teams.exe (PID: 3124)
      • Teams.exe (PID: 2012)
      • Teams.exe (PID: 3324)
    • Checks proxy server information

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
      • Squirrel.exe (PID: 6348)
    • Reads the computer name

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 3656)
      • Teams.exe (PID: 1740)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6764)
      • Teams.exe (PID: 6796)
      • Teams.exe (PID: 2012)
    • Reads the machine GUID from the registry

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
    • Creates files or folders in the user directory

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • MSTeamsSetup_c_l_.exe (PID: 4896)
      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 6796)
    • Reads the software policy settings

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
      • Update.exe (PID: 3724)
      • Update.exe (PID: 5968)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 1540)
    • Drop NetSupport executable file

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Reads Environment values

      • client32.exe (PID: 524)
      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
    • Creates files in the program directory

      • 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe (PID: 2100)
    • Reads Microsoft Office registry keys

      • Update.exe (PID: 3724)
      • Squirrel.exe (PID: 6348)
      • Teams.exe (PID: 5244)
      • Update.exe (PID: 5968)
      • Teams.exe (PID: 1540)
    • Disables trace logs

      • Update.exe (PID: 3724)
      • Update.exe (PID: 5968)
      • Squirrel.exe (PID: 6348)
    • Create files in a temporary directory

      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Process checks computer location settings

      • Update.exe (PID: 3724)
      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
      • Teams.exe (PID: 1644)
      • Teams.exe (PID: 3124)
      • Teams.exe (PID: 3324)
    • Reads product name

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
    • Reads CPU info

      • Teams.exe (PID: 5244)
      • Teams.exe (PID: 1540)
No Malware configuration.

TRiD

.exe | InstallShield setup (53)
.exe | Win64 Executable (generic) (34)
.exe | Win32 Executable (generic) (5.5)
.exe | Clipper DOS Executable (2.4)
.exe | Generic Win/DOS Executable (2.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:27 10:41:20+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 910848
InitializedDataSize: 1087488
UninitializedDataSize: -
EntryPoint: 0x8415f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.7.0.3315
ProductVersionNumber: 1.7.0.3315
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Microsoft Teams
FileVersion: 1.7.00.3315
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2016 Microsoft. All rights reserved.
OriginalFileName: Setup.exe
ProductName: Microsoft Teams
ProductVersion: 1.7.00.3315
SquirrelAwareVersion: 1
CompanyName: Microsoft Corporation
Total processes: 160
Monitored processes: 19
Malicious processes: 8
Suspicious processes: 0

Behavior graph

start → 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe → #NETSUPPORT client32.exe, msteamssetup_c_l_.exe, update.exe, squirrel.exe, teams.exe (no specs), update.exe, teams.exe (no specs), teams.exe (no specs), teams.exe, teams.exe (no specs), teams.exe, teams.exe (no specs), teams.exe (no specs), teams.exe (no specs), teams.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs)

Process information

PID 524
CMD: C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe
Path: C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe
Parent process: 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: CrossTec Client Application
Version: V11.00
Modules (images):
  • c:\users\admin\appdata\roaming\cscoclient\client32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\users\admin\appdata\roaming\cscoclient\pcicl32.dll
PID 696
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s /n /i:user "C:\Users\admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll
PID 1540
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
  • c:\windows\system32\combase.dll
PID 1644
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3088 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=notificationsManager /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID 1740
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1824,i,16580625892607865916,12414982192320007570,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID 2012
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=3724 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID 2100
CMD: "C:\Users\admin\AppData\Local\Temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe"
Path: C:\Users\admin\AppData\Local\Temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.3315
Modules (images):
  • c:\users\admin\appdata\local\temp\0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll
PID 3124
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2496 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=loadingWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID 3324
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4600 --field-trial-handle=1768,i,10586532359877148706,7950061265204521334,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=accountSelectWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID 3656
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2148 --field-trial-handle=1824,i,16580625892607865916,12414982192320007570,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.15969
Modules (images):
  • c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\uiautomationcore.dll
Total events: 28 854
Read events: 28 151
Write events: 684
Delete events: 19

Modification events

(PID) Process | Key | Operation | Name | Value
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | 
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(2100) 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | CSCOClient | C:\Users\admin\AppData\Roaming\CSCOClient\client32.exe
(524) client32.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(524) client32.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files: 373
Suspicious files: 49
Text files: 147
Unknown types: 135

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | D25B08B9F367C8E2083609DAE835D68B | 6DD04AC8BAC5048AB62E64E52CB0A717DFFD41894125B036F88D95F7F2AE87B4
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B | der | 9142D02C3B94057CE8292EF7B5AC9EB1 | 6360C1CDCA116BF3921605BA039AA71192E4DB26FCAD75F5474B68E62F9772F8
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\ka[1].zip | compressed | 311E0D848AA1037E8177C13BB4CD5DB7 | D7F28424185E75FD9B8DB809C1B7178782EB17683BBB1862AF4B6435A5783CDC
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B | binary | 6AA659C5031CBDE54152BE2E9ADBF637 | 77D3FE6BE5433B824A5A51A3B2A72B0CA7DF9A85EF8AE66CA010ADFFD99E78AD
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | 8A0820C606BC4F335034A5E0A6AADA24 | 87489A9405FCD56318DA771F565441F840500DBD80B995BE81EED2B38F23016D
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\KBDA2.DLL | executable | 214AA73291F6AB887EF26A66BCE94AED | BA86BF23A8B6FBAA94749D572D9DF0C1E8BBE50F709B8179B52F8FDFFDB5429D
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\client32.ini | text | 58F6DE6B53D8118B02987F869D8E2543 | 6C73A60110764EEF51CA3EE1DF1E03D6E53B9F9513805C3948E947A7F49690D8
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\KBDARME.DLL | executable | 7F5AD86B9F7CCC7F7CE9D4E5170A94E6 | 415CE966256939094BB504556D27DA6578C31B7E95CC2C8FF2FE7EDEA3A2A28B
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\kc[1].zip | compressed | EC5417308B4F15D20CC50BC1FFB0A4C2 | EAE19BEE545EC136BC707F7B4113B33DF96CE52E36059FC394797D7169DF9634
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | C:\Users\admin\AppData\Roaming\CSCOClient\NSM.lic | text | B9956282A0FED076ED083892E498AC69 | FCC6AFD664A8045BD61C398BE3C37A97536A199A48D277E11977F93868AE1ACC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 75
DNS requests: 30
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
544 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown
1544 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
524 | client32.exe | GET | 200 | 172.67.68.212:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | unknown
524 | client32.exe | POST | 200 | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
524 | client32.exe | POST | 200 | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
524 | client32.exe | POST | - | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown
524 | client32.exe | POST | - | 91.202.5.209:443 | http://91.202.5.209/fakeurl.htm | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3776 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3872 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 91.108.101.4:443 | whispry.com | - | DE | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | - | shared
2520 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4656 | SearchApp.exe | 2.23.209.176:443 | www.bing.com | Akamai International B.V. | GB | unknown
4656 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
whispry.com | 91.108.101.4 | unknown
ocsp.comodoca.com | 172.64.149.23, 104.18.38.233 | whitelisted
ocsp.usertrust.com | 104.18.38.233, 172.64.149.23 | whitelisted
www.bing.com | 2.23.209.176, 2.23.209.158, 2.23.209.182, 2.23.209.149, 2.23.209.181, 2.23.209.160, 2.23.209.154, 2.23.209.150, 2.23.209.177 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
nld360.com | 91.202.5.209 | unknown
login.live.com | 20.190.159.4, 20.190.159.75, 40.126.31.67, 20.190.159.2, 20.190.159.64, 20.190.159.71, 40.126.31.73, 40.126.31.69 | whitelisted
geo.netsupportsoftware.com | 172.67.68.212, 104.26.0.231, 104.26.1.231 | unknown
r.bing.com | 2.23.209.176, 2.23.209.182, 2.23.209.154, 2.23.209.150, 2.23.209.158, 2.23.209.160, 2.23.209.149, 2.23.209.177, 2.23.209.181, 104.126.37.171, 104.126.37.155, 104.126.37.163, 104.126.37.152, 104.126.37.162, 104.126.37.168, 104.126.37.161, 104.126.37.153, 104.126.37.170 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted

Threats

PID | Process | Class | Message
2100 | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
524 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
524 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
524 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
4 ETPRO signatures available at the full report
Process | Message
Update.exe | Update.exe Information: 0 :
Update.exe | Starting TelemetryManager constructor
Update.exe | Update.exe Information: 0 :
Update.exe | TelemetryManagerImpl creation started
Update.exe | Update.exe Information: 0 :
Update.exe | Performance counters are disabled. Skipping creation of counters category.
Update.exe | Update.exe Information: 0 :
Update.exe | RecordBatcherTask with ID 4 started.
Update.exe | Update.exe Information: 0 :
Update.exe | DataPackageSender with UserAgent name: AST-exe-C#, version: 3.3.15.0, [Ast_Default_Source]