File name: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0

Full analysis: https://app.any.run/tasks/d30e17a1-ebd5-4622-9cb6-e8feb6ab1b86
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: December 10, 2024, 07:57:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netsupport, unwanted, remote, tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: AEDF7F67CF6D7F8EF348BA681046FE51
SHA1: 707AC1C67E2D569613C1B5CC3F809D6BD3CDDC26
SHA256: 6BA3976F8956DCEB2903DC89B9B66C3D81CEB93566B6244B58C4929A454815C0
SSDEEP: 24576:rHRbi54l24T3qFu42HOJY10Qd9cvchYBa4pprPzpko5DJA95:rHRbi54l24T3qFu42HOJYhd9cviYBa4o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • client32.exe (PID: 6992)
    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 6992)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 6992)
    • Changes the autorun value in the registry

      • AddInProcess32.exe (PID: 6864)
    • Executing a file with an untrusted certificate

      • client32.exe (PID: 6992)
    • NETSUPPORT mutex has been found

      • client32.exe (PID: 6992)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
    • Checks Windows Trust Settings

      • AddInProcess32.exe (PID: 6864)
    • Drop NetSupport executable file

      • AddInProcess32.exe (PID: 6864)
    • The process drops C-runtime libraries

      • AddInProcess32.exe (PID: 6864)
    • Executable content was dropped or overwritten

      • AddInProcess32.exe (PID: 6864)
    • Potential Corporate Privacy Violation

      • client32.exe (PID: 6992)
    • Contacting a server suspected of hosting an CnC

      • client32.exe (PID: 6992)
    • Connects to unusual port

      • client32.exe (PID: 6992)
    • There is functionality for taking screenshot (YARA)

      • client32.exe (PID: 6992)
    • There is functionality for communication over UDP network (YARA)

      • client32.exe (PID: 6992)
    • Process drops legitimate windows executable

      • AddInProcess32.exe (PID: 6864)
  • INFO

    • Checks supported languages

      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
    • NirSoft software is detected

      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
    • The process uses the downloaded file

      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
    • Reads the machine GUID from the registry

      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • AddInProcess32.exe (PID: 6864)
    • Reads the computer name

      • 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (PID: 6520)
      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
    • Checks proxy server information

      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
    • Reads the software policy settings

      • AddInProcess32.exe (PID: 6864)
    • Creates files or folders in the user directory

      • AddInProcess32.exe (PID: 6864)
      • client32.exe (PID: 6992)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1997:02:24 22:54:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1112576
InitializedDataSize: 15872
UninitializedDataSize: -
EntryPoint: 0x11189e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NirSoft
FileDescription: TableTextCompare
FileVersion: 1.2
InternalName: TableTextCompare
LegalCopyright: Copyright © 2011 - 2015 Nir Sofer
OriginalFileName: TableTextCompare.exe
ProductName: TableTextCompare
ProductVersion: 1.2
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe (no specs) -> addinprocess32.exe -> #NETSUPPORT client32.exe

Process information

PID: 6520
CMD: "C:\Users\admin\AppData\Local\Temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe"
Path: C:\Users\admin\AppData\Local\Temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
Parent process: explorer.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: TableTextCompare
Exit code: 0
Version: 1.20
Modules (Images):
  c:\users\admin\appdata\local\temp\6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 6864
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Parent process: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AddInProcess.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (Images):
  c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\shell32.dll

PID: 6992
CMD: C:\Users\admin\AppData\Local\DNScache\client32.exe
Path: C:\Users\admin\AppData\Local\DNScache\client32.exe
Parent process: AddInProcess32.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: CrossTec Client Application
Version: V11.00
Modules (Images):
  c:\users\admin\appdata\local\dnscache\client32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\users\admin\appdata\local\dnscache\pcicl32.dll
Total events: 1 514
Read events: 1 507
Write events: 7
Delete events: 0

Modification events

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6864) AddInProcess32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: DNScache
Value: C:\Users\admin\AppData\Local\DNScache\client32.exe

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6992) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 17
Suspicious files: 7
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_7770F98A0B57B622C0FB2EBB06E8C767 | der | D9FCA358EDAEEEA91772CB76EEC667D4 | 6A06261CE7AB4912310DBCB9CB5E56E94943FD3B9D699C521296A60F2A236E7C
6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18159EBD3277736D0444419407768451_0E2F145F1B0DCF346ED6E30455D83B85 | der | BA42F02ED50F60E34A0B891FFC44330D | 854A5DCB851D8F16B8AAEDBBE175761235F363E5E708B47A2C0E2AE4AD1B2204
6864 | AddInProcess32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_7770F98A0B57B622C0FB2EBB06E8C767 | binary | 76D894AB35FD5B0B3FEC7CC11385AE03 | 9A354C16B9889CB9A7F851F6C960C32066DBE88A2D392E6BEE70F8FEB8F1D797
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\AudioCapture.dll | executable | 4182F37B9BA1FA315268C669B5335DDE | A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\2nd2_3[1].zip | compressed | 6177485D0E1E5E167AB65798E70D44AB | 7495676881CD5B7D6D09AD43F90529F6E6B2761697E5A24397F8E8E03FAF05DF
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\pcicapi.dll | executable | DCDE2248D19C778A41AA165866DD52D0 | 9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\PCICL32.DLL | executable | AD51946B1659ED61B76FF4E599E36683 | 07A191254362664B3993479A277199F7EA5EE723B6C25803914EEDB50250ACF4
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\PCICHEK.DLL | executable | A0B9388C5F18E27266A31F8C5765B263 | 313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\mscpx32r.dLL | executable | 8C3A464EE6AA2B5AA573564D9BD6541D | E5CA3F9B9833184C35AD89F615BF7A5108B7721D685A795CE4019C3D2609FDE6
6864 | AddInProcess32.exe | C:\Users\admin\AppData\Local\DNScache\remcmdstub.exe | executable | 35DA3B727567FAB0C7C8426F1261C7F5 | 89027F1449BE9BA1E56DD82D13A947CB3CA319ADFE9782F4874FBDC26DC59D09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 38
DNS requests: 21
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
3508 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
 | | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | | unknown | | whitelisted
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | | unknown | | whitelisted
6636 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | | unknown | | whitelisted
3952 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | | unknown | | whitelisted
6636 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3508 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
 | | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3508 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5064 | SearchApp.exe | 104.126.37.161:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
 | | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
google.com | 142.250.186.110 | whitelisted
www.microsoft.com | 184.30.21.171, 88.221.169.152 | whitelisted
www.bing.com | 104.126.37.161, 104.126.37.160, 104.126.37.152, 104.126.37.145, 104.126.37.170, 104.126.37.163, 104.126.37.155, 104.126.37.139, 104.126.37.153 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.23, 20.190.159.68, 40.126.31.71, 40.126.31.67, 20.190.159.71, 20.190.159.0, 20.190.159.73, 40.126.31.69 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
arc.msn.com | 20.31.169.57 | whitelisted
fd.api.iris.microsoft.com | 20.103.156.88 | whitelisted

Threats

PID | Process | Class | Message
6992 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
6992 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
4 ETPRO signatures available at the full report
No debug info