download:

ldrmgan18011.exe

Full analysis: https://app.any.run/tasks/f64884ff-e947-4929-9d9d-101a2de7340d
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: January 21, 2022, 01:01:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
unwanted
netsupport
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

46FA5C3B6FDF73BEFE0A50031999ECB2

SHA1:

0EDE58F3CFF351439B94E2E81B2E4495340FEED3

SHA256:

3DFD99F196890BA6195F1ED90DA2F3263B5A2F001D313741DF764E7F14606B40

SSDEEP:

49152:PyIWGBEq+uzjqlofFg3/YVrS5zjYOD/bw8mkUuZerutyHBY:PyhGJ+uzjqWtAoW5oOCkLZe0yHBY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • ldrmgan18011.exe (PID: 2068)

    • Writes to a start menu file

      • ldrmgan18011.exe (PID: 2068)

    • Connects to CnC server

      • client32.exe (PID: 1456)

    • Application was dropped or rewritten from another process

      • client32.exe (PID: 1456)

    • Loads dropped or rewritten executable

      • client32.exe (PID: 1456)

  • SUSPICIOUS

    • Reads the computer name

      • ldrmgan18011.exe (PID: 2068)
      • client32.exe (PID: 1456)

    • Checks supported languages

      • ldrmgan18011.exe (PID: 2068)
      • client32.exe (PID: 1456)

    • Creates files in the user directory

      • ldrmgan18011.exe (PID: 2068)

    • Drops a file that was compiled in debug mode

      • ldrmgan18011.exe (PID: 2068)

    • Executable content was dropped or overwritten

      • ldrmgan18011.exe (PID: 2068)

    • Executed via COM

      • DllHost.exe (PID: 2120)

  • INFO

    • Reads the computer name

      • DllHost.exe (PID: 2120)

    • Checks supported languages

      • DllHost.exe (PID: 2120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x9aca
UninitializedDataSize: -
InitializedDataSize: 218624
CodeSize: 52224
LinkerVersion: 9
PEType: PE32
TimeStamp: 2011:03:02 08:40:33+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Mar-2011 07:40:33
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Mar-2011 07:40:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000CB8B
0x0000CC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.53498
.rdata
0x0000E000
0x00001B75
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.9646
.data
0x00010000
0x0001D9D8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.31952
.CRT
0x0002E000
0x00000010
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.213101
.rsrc
0x0002F000
0x000335C0
0x00033600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.38085

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20816
1464
Latin 1 / Western European
English - United States
RT_MANIFEST
2
4.70489
67624
Latin 1 / Western European
Process Default Language
RT_ICON
3
5.06499
38056
Latin 1 / Western European
Process Default Language
RT_ICON
4
5.11564
26600
Latin 1 / Western European
Process Default Language
RT_ICON
5
5.09564
21640
Latin 1 / Western European
Process Default Language
RT_ICON
6
4.82288
16936
Latin 1 / Western European
Process Default Language
RT_ICON
7
3.24143
556
Latin 1 / Western European
English - United States
RT_STRING
8
3.26996
974
Latin 1 / Western European
English - United States
RT_STRING
9
3.04375
530
Latin 1 / Western European
English - United States
RT_STRING
10
3.16254
776
Latin 1 / Western European
English - United States
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start ldrmgan18011.exe client32.exe DllHost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1456"C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe" C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe
ldrmgan18011.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Exit code:
0
Version:
V12.50
Modules
Images
c:\users\admin\appdata\roaming\winsupupdate\client32.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2068"C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe" C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ldrmgan18011.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2120C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
Total events
1 277
Read events
1 255
Write events
22
Delete events
0

Modification events

(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\WinRAR SFX
Operation:writeName:C%%Users%admin%AppData%Roaming
Value:
C:\Users\admin\AppData\Roaming
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000087000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
9
Suspicious files
4
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnklnk
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\client32.initext
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\nsm_vpro.initext
MD5:3BE27483FDCDBF9EBAE93234785235E3
SHA256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\remcmdstub.exeexecutable
MD5:2A77875B08D4D2BB7B654DB33A88F16C
SHA256:8AD9C598C1FDE52DD2BFCED5F953CA0D013B0C65FEB5DED73585CFC420C95A95
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\PCICL32.DLLexecutable
MD5:00587238D16012152C2E951A087F2CC9
SHA256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\NSM.inibinary
MD5:88B1DAB8F4FD1AE879685995C90BD902
SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\pcicapi.dllexecutable
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\nskbfltr.infbinary
MD5:26E28C01461F7E65C402BDF09923D435
SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\msvcr100.dllexecutable
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
2
DNS requests
3
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1456
client32.exe
GET
200
62.172.138.35:80
http://geo.netsupportsoftware.com/location/loca.asp
GB
text
17 b
suspicious
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
159 b
suspicious
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
61 b
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1456
client32.exe
62.172.138.35:80
geo.netsupportsoftware.com
British Telecommunications PLC
GB
suspicious
1456
client32.exe
23.108.57.114:1998
Jalalymola17.com
Nobis Technology Group, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
Jalalymola11.com
unknown
Jalalymola17.com
  • 23.108.57.114
suspicious
geo.netsupportsoftware.com
  • 62.172.138.35
  • 195.171.92.116
suspicious

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY NetSupport GeoLocation Lookup Request
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ldrmgan18011.exe