URL:

tt.ca

Full analysis: https://app.any.run/tasks/5ba3a9bd-e4e2-4079-8ba0-1482d0b49a02
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: September 03, 2025, 16:29:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-clipboard
clickfix
auto
netsupport
rat
rmm-tool
remote
Indicators:
MD5:

6AEA42B2DD910F4A9368829D3CBFDBB7

SHA1:

DCBA8805DDD3041E2002E8B54D4B16889FF3DFF4

SHA256:

DEFF083149F28C1081472141479982B17F113386F2A9A2263FFE403BE1000246

SSDEEP:

3:7GE:CE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 1236)

    • PowerShell executes remote file download (POWERSHELL)

      • powershell.exe (PID: 7048)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 7048)

    • NETSUPPORT has been found (auto)

      • powershell.exe (PID: 1236)

    • Executing a file with an untrusted certificate

      • client32.exe (PID: 7636)

    • NetSupport is detected

      • client32.exe (PID: 7636)

    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 7636)

    • Connects to the CnC server

      • client32.exe (PID: 7636)

    • NETSUPPORT mutex has been found

      • client32.exe (PID: 7636)

  • SUSPICIOUS

    • Suspicious clipboard command

      • [System Process] (PID: 0)

    • Executes script without checking the security policy

      • powershell.exe (PID: 7048)

    • Manipulates environment variables

      • powershell.exe (PID: 7048)

    • Found IP address in command line

      • powershell.exe (PID: 7048)

    • The process executes Powershell scripts

      • powershell.exe (PID: 7048)

    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 72)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 1236)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7048)

    • Drop NetSupport executable file

      • powershell.exe (PID: 1236)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1236)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1236)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 1236)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1236)

    • Likely accesses (executes) a file from the Public directory

      • explorer.exe (PID: 72)
      • client32.exe (PID: 7636)

    • Application launched itself

      • powershell.exe (PID: 7048)

    • Contacting a server suspected of hosting an CnC

      • client32.exe (PID: 7636)

    • Reads security settings of Internet Explorer

      • client32.exe (PID: 7636)

    • Potential Corporate Privacy Violation

      • client32.exe (PID: 7636)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 7708)
      • identity_helper.exe (PID: 7352)
      • client32.exe (PID: 7636)

    • Application launched itself

      • msedge.exe (PID: 6212)
      • msedge.exe (PID: 8020)

    • Reads Environment values

      • identity_helper.exe (PID: 7352)
      • identity_helper.exe (PID: 7708)

    • Reads the computer name

      • identity_helper.exe (PID: 7352)
      • identity_helper.exe (PID: 7708)
      • client32.exe (PID: 7636)

    • Manual execution by a user

      • powershell.exe (PID: 7048)
      • Taskmgr.exe (PID: 7228)
      • Taskmgr.exe (PID: 7736)

    • Checks proxy server information

      • powershell.exe (PID: 7048)
      • client32.exe (PID: 7636)

    • Disables trace logs

      • powershell.exe (PID: 7048)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 7228)
      • explorer.exe (PID: 6292)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1236)

    • The sample compiled with english language support

      • powershell.exe (PID: 1236)

    • Creates files or folders in the user directory

      • client32.exe (PID: 7636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
177
Monitored processes
40
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs powershell.exe conhost.exe no specs taskmgr.exe no specs taskmgr.exe #NETSUPPORT powershell.exe explorer.exe no specs explorer.exe no specs #NETSUPPORT client32.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe no specs #SUSP-CLIPBOARD [system process] no specs

Process information

PID
CMD
Path
Indicators
Parent process
0[System Process]
[System Process]
Integrity Level:
UNKNOWN
72"C:\WINDOWS\explorer.exe" C:\Users\Public\xElOASK5CJ\client32.exe C:\Windows\explorer.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
320"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2112,i,4004356075716317450,10042813510356988210,262144 --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
592"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2380,i,10291034377031764351,16827727423334782482,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1236"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,10291034377031764351,16827727423334782482,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1236"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -ep bypass -f C:\Users\admin\Documents\vhisc.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2096"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2200,i,10291034377031764351,16827727423334782482,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2620"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffc43e6f208,0x7ffc43e6f214,0x7ffc43e6f220C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2804"C:\Program Files\Internet Explorer\iexplore.exe" "tt.ca"C:\Program Files\Internet Explorer\iexplore.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3400"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=4972,i,4004356075716317450,10042813510356988210,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 715
Read events
18 681
Write events
33
Delete events
1

Modification events

(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2804) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
(PID) Process:(6212) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6212) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6212) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6212) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\525018
Operation:writeName:WindowTabManagerFileMappingId
Value:
{F55A35EE-88E8-4F43-89CA-B72D74F29739}
Executable files
19
Suspicious files
259
Text files
81
Unknown types
0

Dropped files

PID
Process
Filename
Type
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18cfce.TMP
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF18cfde.TMP
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF18cfde.TMP
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF18cffd.TMP
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF18cfde.TMP
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6212msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
64
DNS requests
66
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2096
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:2erkviagX8scxIjL5JJOHvxCqXnliIrEpRIv_cx6JYw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
99 b
whitelisted
7636
client32.exe
GET
200
104.26.0.231:80
http://geo.netsupportsoftware.com/location/loca.asp
US
text
15 b
malicious
3836
SIHClient.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
407 b
whitelisted
3836
SIHClient.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
6176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
7048
powershell.exe
GET
200
80.71.229.25:80
http://80.71.229.25/prepare_answer.php
IT
text
9.27 Mb
unknown
7636
client32.exe
POST
200
194.0.234.17:443
http://194.0.234.17/fakeurl.htm
NL
binary
69 b
unknown
7636
client32.exe
POST
200
194.0.234.17:443
http://194.0.234.17/fakeurl.htm
NL
binary
161 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7076
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2096
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2096
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2096
msedge.exe
172.104.149.86:80
tt.ca
Linode, LLC
DE
unknown
2096
msedge.exe
172.104.149.86:443
tt.ca
Linode, LLC
DE
unknown
2096
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
tt.ca
  • 172.104.149.86
  • 139.162.174.209
  • 139.162.181.76
  • 172.104.251.198
unknown
copilot.microsoft.com
  • 92.123.104.45
  • 92.123.104.53
whitelisted
www.google.com
  • 142.250.185.196
whitelisted
www.bing.com
  • 92.123.104.19
  • 92.123.104.20
  • 92.123.104.21
  • 92.123.104.16
  • 92.123.104.13
  • 92.123.104.17
  • 92.123.104.22
  • 92.123.104.7
  • 92.123.104.12
whitelisted
syndicatedsearch.goog
  • 172.217.18.14
whitelisted
partner.googleadservices.com
  • 142.250.184.226
whitelisted

Threats

PID
Process
Class
Message
7636
client32.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request
7636
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
7636
client32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 41
7636
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
7636
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
7636
client32.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/NetSupport CnC Activity observed (fakeurl.htm)
7636
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
7636
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
7636
client32.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/NetSupport CnC Activity observed (fakeurl.htm)
7636
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
No debug info