File name: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0

Full analysis: https://app.any.run/tasks/d30e17a1-ebd5-4622-9cb6-e8feb6ab1b86
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: December 10, 2024, 07:57:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netsupport, unwanted, remote, tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: AEDF7F67CF6D7F8EF348BA681046FE51
SHA1: 707AC1C67E2D569613C1B5CC3F809D6BD3CDDC26
SHA256: 6BA3976F8956DCEB2903DC89B9B66C3D81CEB93566B6244B58C4929A454815C0
SSDEEP: 24576:rHRbi54l24T3qFu42HOJY10Qd9cvchYBa4pprPzpko5DJA95:rHRbi54l24T3qFu42HOJYhd9cviYBa4o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • client32.exe (PID: 6992)
    • Changes the autorun value in the registry
      • AddInProcess32.exe (PID: 6864)
    • NETSUPPORT mutex has been found
      • client32.exe (PID: 6992)
    • NETSUPPORT has been detected (YARA)
      • client32.exe (PID: 6992)
    • NETSUPPORT has been detected (SURICATA)
      • client32.exe (PID: 6992)
    • Connects to the CnC server
      • client32.exe (PID: 6992)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
    • Drops NetSupport executable file
      • AddInProcess32.exe (PID: 6864)
    • Process drops legitimate Windows executable
      • AddInProcess32.exe (PID: 6864)
    • Checks Windows Trust Settings
      • AddInProcess32.exe (PID: 6864)
    • The process drops C-runtime libraries
      • AddInProcess32.exe (PID: 6864)
    • Executable content was dropped or overwritten
      • AddInProcess32.exe (PID: 6864)
    • Contacting a server suspected of hosting a CnC
      • client32.exe (PID: 6992)
    • Connects to unusual port
      • client32.exe (PID: 6992)
    • There is functionality for taking screenshots (YARA)
      • client32.exe (PID: 6992)
    • There is functionality for communication over UDP network (YARA)
      • client32.exe (PID: 6992)
    • Potential Corporate Privacy Violation
      • client32.exe (PID: 6992)
  • INFO
    • Reads the computer name
      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • client32.exe (PID: 6992)
      • AddInProcess32.exe (PID: 6864)
    • Checks supported languages
      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • client32.exe (PID: 6992)
      • AddInProcess32.exe (PID: 6864)
    • NirSoft software is detected
      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
    • Reads the machine GUID from the registry
      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • AddInProcess32.exe (PID: 6864)
    • The process uses the downloaded file
      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
    • Checks proxy server information
      • client32.exe (PID: 6992)
      • AddInProcess32.exe (PID: 6864)
    • Reads the software policy settings
      • AddInProcess32.exe (PID: 6864)
    • Creates files or folders in the user directory
      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1997:02:24 22:54:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1112576
InitializedDataSize: 15872
UninitializedDataSize: -
EntryPoint: 0x11189e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NirSoft
FileDescription: TableTextCompare
FileVersion: 1.2
InternalName: TableTextCompare
LegalCopyright: Copyright © 2011 - 2015 Nir Sofer
OriginalFileName: TableTextCompare.exe
ProductName: TableTextCompare
ProductVersion: 1.2
All screenshots are available in the full report
Total processes: 119
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (no specs) -> addinprocess32.exe -> client32.exe (#NETSUPPORT)

Process information

PID: 6520
CMD: "C:\Users\admin\AppData\Local\Temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe"
Path: C:\Users\admin\AppData\Local\Temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: TableTextCompare
Exit code: 0
Version: 1.20
Modules (images):
c:\users\admin\appdata\local\temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6864
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AddInProcess.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 6992
CMD: C:\Users\admin\AppData\Local\DNScache\client32.exe
Path: C:\Users\admin\AppData\Local\DNScache\client32.exe
Parent process: AddInProcess32.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: CrossTec Client Application
Version: V11.00
Modules (images):
c:\users\admin\appdata\local\dnscache\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\dnscache\pcicl32.dll
Total events: 1 514
Read events: 1 507
Write events: 7
Delete events: 0

Modification events

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: DNScache
Value: C:\Users\admin\AppData\Local\DNScache\client32.exe

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 17
Suspicious files: 7
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type

6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18159EBD3277736D0444419407768451_0E2F145F1B0DCF346ED6E30455D83B85 | binary
MD5: B30A5636B36C9C71E0DBBAF918B18FC2
SHA256: 6AF6AAF624DCB098938EC02C81B86AFEF22C9F0DCDF2FDEE52E98EFF0F605EBB

6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_7770F98A0B57B622C0FB2EBB06E8C767 | der
MD5: D9FCA358EDAEEEA91772CB76EEC667D4
SHA256: 6A06261CE7AB4912310DBCB9CB5E56E94943FD3B9D699C521296A60F2A236E7C

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\client32.exe | executable
MD5: 9497AECE91E1CCC495CA26AE284600B9
SHA256: 1B63F83F06DBD9125A6983A36E0DBD64026BB4F535E97C5DF67C1563D91EFF89

6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_7770F98A0B57B622C0FB2EBB06E8C767 | binary
MD5: 76D894AB35FD5B0B3FEC7CC11385AE03
SHA256: 9A354C16B9889CB9A7F851F6C960C32066DBE88A2D392E6BEE70F8FEB8F1D797

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\msauserext.dll | executable
MD5: C4029309233F46F89C99EECA439B279F
SHA256: AD1712FD9634521ADF14DF34D49234B87731BA87D347F5D1A7E08F356531AD67

6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18159EBD3277736D0444419407768451_0E2F145F1B0DCF346ED6E30455D83B85 | der
MD5: BA42F02ED50F60E34A0B891FFC44330D
SHA256: 854A5DCB851D8F16B8AAEDBBE175761235F363E5E708B47A2C0E2AE4AD1B2204

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\mscat32.dll | executable
MD5: E1E14A4208F014B12732E596AF8B497B
SHA256: 3044365184CFBFBA62EC55C013D66B1CD8A7F5BCBAAA1E68D58F998FE5A27B44

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\mscpxl32.dLL | executable
MD5: 0DD075E74F248AEBC50F5A2DCB5BF42B
SHA256: 432B1BF04B68942BD54A8DFCE2799D733881351AC9B1FF2F0C4D2EF49F8C3613

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\nsm_vpro.ini | text
MD5: 3BE27483FDCDBF9EBAE93234785235E3
SHA256: 4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B

6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\pcicapi.dll | executable
MD5: DCDE2248D19C778A41AA165866DD52D0
SHA256: 9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
HTTP(S) requests: 17
TCP/UDP connections: 38
DNS requests: 21
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(Type and Size columns are empty in this extract; "-" marks a cell the report left blank.)

4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3508 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6636 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3952 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6636 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the report left blank.)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3508 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3508 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.161:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation

crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
google.com | 142.250.186.110 | whitelisted
www.microsoft.com | 184.30.21.171, 88.221.169.152 | whitelisted
www.bing.com | 104.126.37.161, 104.126.37.160, 104.126.37.152, 104.126.37.145, 104.126.37.170, 104.126.37.163, 104.126.37.155, 104.126.37.139, 104.126.37.153 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.23, 20.190.159.68, 40.126.31.71, 40.126.31.67, 20.190.159.71, 20.190.159.0, 20.190.159.73, 40.126.31.69 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
arc.msn.com | 20.31.169.57 | whitelisted
fd.api.iris.microsoft.com | 20.103.156.88 | whitelisted

Threats

PID | Process | Class | Message

6992 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
4 ETPRO signatures available at the full report
No debug info