Malware analysis Advanced_IP_Scanner_2.5.4594.12.exe Malicious activity

Add for printing

File name:	Advanced_IP_Scanner_2.5.4594.12.exe
Full analysis:	https://app.any.run/tasks/c12d0199-43b4-402a-99bf-19bfbd86abf3
Verdict:	Malicious activity
Threats:	NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	October 31, 2024, 21:05:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netsupport unwanted arch-exec remote scan
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:	446C29D515104B6752C1E9DA981D4E5E
SHA1:	D52760DF6B22805A4470A6B2E72654CE36577F30
SHA256:	7B13496FB45B51E821771D63BBD1D503F07710F676481FF34962B051283D8033
SSDEEP:	196608:sxYuIulvRJa3OAapG9zIUvXhTMmoIab4okuO6:sikRJmOAtsKRTMmoIab42O6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Bypass)
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
- NETSUPPORT has been detected (SURICATA)
  - client32.exe (PID: 6812)
- Connects to the CnC server
  - client32.exe (PID: 6812)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 5948)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Advanced_IP_Scanner_2.5.4594.12.exe (PID: 6472)
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
  - Advanced_IP_Scanner_2.5.4594.12.exe (PID: 5748)
  - powershell.exe (PID: 5948)
- Process drops legitimate windows executable
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
  - powershell.exe (PID: 5948)
- The process drops C-runtime libraries
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
  - powershell.exe (PID: 5948)
- Starts POWERSHELL.EXE for commands execution
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
- The process executes Powershell scripts
  - Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 5736)
- Potential Corporate Privacy Violation
  - client32.exe (PID: 6812)
- Detection of a Network Scan
  - advanced_ip_scanner.exe (PID: 6412)
- Contacting a server suspected of hosting an CnC
  - client32.exe (PID: 6812)
- Connects to unusual port
  - advanced_ip_scanner.exe (PID: 6412)
- Connects to FTP
  - advanced_ip_scanner.exe (PID: 6412)
INFO
- Checks supported languages
  - Advanced_IP_Scanner_2.5.4594.12.exe (PID: 5748)
- The executable file from the user directory is run by the Powershell process
  - client32.exe (PID: 6812)
- Manual execution by a user
  - advanced_ip_scanner.exe (PID: 6412)
- Create files in a temporary directory
  - Advanced_IP_Scanner_2.5.4594.12.exe (PID: 5748)
- Drop NetSupport executable file
  - powershell.exe (PID: 5948)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:12 07:26:53+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	685056
InitializedDataSize:	129536
UninitializedDataSize:	-
EntryPoint:	0xa83bc
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	2.5.4594.1
ProductVersionNumber:	2.5.4594.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Ultimate Tools LLC
FileDescription:	Advanced IP Scanner Setup
FileVersion:	2.5.4594.1
LegalCopyright:	Ultimate Tools, 2024
OriginalFileName:
ProductName:	Advanced IP Scanner
ProductVersion:	2.5.4594.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

139

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1160

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5736

"C:\Users\admin\AppData\Local\Temp\is-PV6OT.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$70264,18032967,815616,C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" /SPAWNWND=$40242 /NOTIFYWND=$8023A

C:\Users\admin\AppData\Local\Temp\is-PV6OT.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Advanced_IP_Scanner_2.5.4594.12.exe

User:

admin

Company:

Ultimate Tools LLC

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-pv6ot.tmp\advanced_ip_scanner_2.5.4594.12.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

5748

"C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"

C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

explorer.exe

User:

admin

Company:

Ultimate Tools LLC

Integrity Level:

MEDIUM

Description:

Advanced IP Scanner Setup

Exit code:

Version:

2.5.4594.1

Modules

Images
c:\users\admin\desktop\advanced_ip_scanner_2.5.4594.12.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

5948

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\is-MN5U9.tmp\cispn.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Advanced_IP_Scanner_2.5.4594.12.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6412

"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

explorer.exe

User:

admin

Company:

Famatech Corp.

Integrity Level:

MEDIUM

Description:

Advanced IP Scanner

Version:

2.5.4594.1

Modules

Images
c:\program files (x86)\advanced ip scanner\advanced_ip_scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6472

"C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" /SPAWNWND=$40242 /NOTIFYWND=$8023A

C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Advanced_IP_Scanner_2.5.4594.12.tmp

User:

admin

Company:

Ultimate Tools LLC

Integrity Level:

HIGH

Description:

Advanced IP Scanner Setup

Exit code:

Version:

2.5.4594.1

Modules

Images
c:\users\admin\desktop\advanced_ip_scanner_2.5.4594.12.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

6584

"C:\Users\admin\AppData\Local\Temp\is-LE9BE.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$8023A,18032967,815616,C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"

C:\Users\admin\AppData\Local\Temp\is-LE9BE.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

—

Advanced_IP_Scanner_2.5.4594.12.exe

User:

admin

Company:

Ultimate Tools LLC

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-le9be.tmp\advanced_ip_scanner_2.5.4594.12.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

6812

"C:\Users\admin\AppData\Roaming\SysHelper\client32.exe"

C:\Users\admin\AppData\Roaming\SysHelper\client32.exe

powershell.exe

User:

admin

Company:

NetSupport Ltd

Integrity Level:

HIGH

Description:

NetSupport Client Application

Version:

V11.41

Modules

Images
c:\users\admin\appdata\roaming\syshelper\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\syshelper\pcicl32.dll

Add for printing

Total events

12 967

Read events

12 853

Write events

114

Delete events

Modification events


(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.3.3
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files (x86)\Advanced IP Scanner
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files (x86)\Advanced IP Scanner\
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: Network Tools
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: Selected Tasks
Value: desktopicon
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: Deselected Tasks
Value:
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	Inno Setup: Language
Value: english
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	DisplayName
Value: Advanced IP Scanner version 2.5.4594.1
(PID) Process:	(5736) Advanced_IP_Scanner_2.5.4594.12.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico

Add for printing

Executable files

128

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\unins000.exe		executable
		MD5:3EAAE4BAD7C2BD8319CDCDFCAAC03B7E	SHA256:938C1F61125871F4A0B8F2382F29C420443DD755F01A596996E444A360CA21A3
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm		qm
		MD5:6AB50593778FB5BD5D5422BDD90595E6	SHA256:132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_bg_bg.qm		binary
		MD5:1D2AAC0633801D7DEF387CF78A968BFF	SHA256:8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\is-HL7QJ.tmp		executable
		MD5:B3411927CC7CD05E02BA64B2A789BBDE	SHA256:4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe		executable
		MD5:12BF5F988FF62C112FAC061D9EC97C47	SHA256:BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
5748	Advanced_IP_Scanner_2.5.4594.12.exe	C:\Users\admin\AppData\Local\Temp\is-LE9BE.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp		executable
		MD5:597637EDBEBB79D482E762E238209BCD	SHA256:592BEDCC2C1CD3491ED40B3CDB8DD5CA6D248598BDF871145C300028EADAC4CD
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Users\admin\AppData\Local\Temp\is-MN5U9.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\is-OA3KH.tmp		qm
		MD5:65A1638D5074FA60210BB5B67A4E3DB3	SHA256:23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\is-S62F5.tmp		binary
		MD5:7C52599AA9F2C07DCC95378CA4BECD86	SHA256:B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
5736	Advanced_IP_Scanner_2.5.4594.12.tmp	C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico		image
		MD5:3511FCBA762713FBC4D83979F300A383	SHA256:AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

127

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5980	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6424	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6424	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6812	client32.exe	GET	404	172.67.68.212:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	malicious
5952	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6812	client32.exe	GET	404	172.67.68.212:80	http://geo.netsupportsoftware.com/location/loca.asp	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
6944	svchost.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4360	SearchApp.exe	2.23.209.140:443	www.bing.com	Akamai International B.V.	GB	whitelisted
5980	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
google.com	216.58.212.142	whitelisted
www.bing.com	2.23.209.140 2.23.209.149 2.23.209.182 2.23.209.187 2.23.209.189 2.23.209.133 2.23.209.179 2.23.209.130	whitelisted
login.live.com	40.126.32.134 40.126.32.68 40.126.32.76 20.190.160.14 40.126.32.133 40.126.32.72 40.126.32.138 20.190.160.22	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.52.181.141	whitelisted
th.bing.com	2.23.209.130 2.23.209.187 2.23.209.140 2.23.209.149 2.23.209.182 2.23.209.179 2.23.209.189 2.23.209.133	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted

Threats

PID	Process	Class	Message
6812	client32.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6812	client32.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6812	client32.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6812	client32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6812	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Response
6812	client32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6812	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6812	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6812	client32.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6812	client32.exe	Misc activity	ET INFO NetSupport Remote Admin Response

5 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Advanced_IP_Scanner_2.5.4594.12.exe

446C29D515104B6752C1E9DA981D4E5E

D52760DF6B22805A4470A6B2E72654CE36577F30

7B13496FB45B51E821771D63BBD1D503F07710F676481FF34962B051283D8033

196608:sxYuIulvRJa3OAapG9zIUvXhTMmoIab4okuO6:sikRJmOAtsKRTMmoIab42O6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

NETSUPPORT has been detected (SURICATA)

Connects to the CnC server

Bypass execution policy to execute commands

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Potential Corporate Privacy Violation

Detection of a Network Scan

Contacting a server suspected of hosting an CnC

Connects to unusual port

Connects to FTP

INFO

Checks supported languages

The executable file from the user directory is run by the Powershell process

Manual execution by a user

Create files in a temporary directory

Drop NetSupport executable file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings