Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

HTCTL32.dll

windows7-x64

1

HTCTL32.dll

windows10-2004-x64

3

PCICHEK.dll

windows7-x64

1

PCICHEK.dll

windows10-2004-x64

1

PCICL32.dll

windows7-x64

1

PCICL32.dll

windows10-2004-x64

1

TCCTL32.dll

windows7-x64

1

TCCTL32.dll

windows10-2004-x64

1

client32.exe

windows7-x64

10

client32.exe

windows10-2004-x64

10

msvcr100.dll

windows7-x64

3

msvcr100.dll

windows10-2004-x64

3

pcicapi.dll

windows7-x64

1

pcicapi.dll

windows10-2004-x64

1

remcmdstub.exe

windows7-x64

1

remcmdstub.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/06/2024, 14:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client32.exe

  • Size

    101KB

  • MD5

    c4f1b50e3111d29774f7525039ff7086

  • SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

  • SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

  • SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

  • SSDEEP

    768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu

Score
10/10
netsupportrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client32.exe
    "C:\Users\Admin\AppData\Local\Temp\client32.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3604

Network

  • flag-us
    DNS
    geo.netsupportsoftware.com
    client32.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
    Response
    geo.netsupportsoftware.com
    IN A
    104.26.1.231
    geo.netsupportsoftware.com
    IN A
    172.67.68.212
    geo.netsupportsoftware.com
    IN A
    104.26.0.231
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    client32.exe
    Remote address:
    104.26.1.231:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 17 Jun 2024 14:25:09 GMT
    Content-Type: text/html; Charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8953b512ea3579b8-LHR
    CF-Cache-Status: DYNAMIC
    Access-Control-Allow-Origin: *
    Cache-Control: private
    Set-Cookie: ASPSESSIONIDQSCADSQD=OOJNIGIDDKCKPJCABEKNEONH; path=/
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Vary: Accept-Encoding
    cf-apo-via: origin,host
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOvZis%2B9%2Ff9M7SYNNumViIez0JTsofJPIq661mW%2B5CA2mQSLDEYnkp6zpEt1W%2FQCvcm7WGwKbDFDuCh7r90cieY0SLQU2JYzHlX19lZHiDSiG76xrHSvoyk94EGY1PSe1LdVyWaypN6T6u3c"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=38FC6DD225456C99003A797324626D27; domain=.bing.com; expires=Sat, 12-Jul-2025 14:25:10 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 059E46DCDEFE4514A52147EDD1F5A483 Ref B: LON04EDGE0612 Ref C: 2024-06-17T14:25:10Z
    date: Mon, 17 Jun 2024 14:25:09 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=38FC6DD225456C99003A797324626D27
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=VJUFQ89d3FTD8keP7JplCe_llmEELjIWwb1Y6nJpDXg; domain=.bing.com; expires=Sat, 12-Jul-2025 14:25:10 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6B8A325590AF4C3994F3396A6D924538 Ref B: LON04EDGE0612 Ref C: 2024-06-17T14:25:10Z
    date: Mon, 17 Jun 2024 14:25:09 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=38FC6DD225456C99003A797324626D27; MSPTC=VJUFQ89d3FTD8keP7JplCe_llmEELjIWwb1Y6nJpDXg
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 17D60F5CBE384025B07E0B4CAC57C3CD Ref B: LON04EDGE0612 Ref C: 2024-06-17T14:25:10Z
    date: Mon, 17 Jun 2024 14:25:09 GMT
  • flag-us
    DNS
    103.245.158.94.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.245.158.94.in-addr.arpa
    IN PTR
    Response
    103.245.158.94.in-addr.arpa
    IN PTR
    no-rdns mivocloudcom
  • flag-us
    DNS
    231.1.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    231.1.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.203:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=38FC6DD225456C99003A797324626D27; MSPTC=VJUFQ89d3FTD8keP7JplCe_llmEELjIWwb1Y6nJpDXg
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Mon, 17 Jun 2024 14:25:11 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.c753dd58.1718634311.41a88ae
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    203.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.83.221.88.in-addr.arpa
    IN PTR
    Response
    203.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-203deploystaticakamaitechnologiescom
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0lhrllnwnet
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 94.158.245.103:443
    http
    client32.exe
    2.0kB
     813 B
     8
    7
  • 104.26.1.231:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    client32.exe
    440 B
     1.1kB
     7
    5

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    200
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=
    tls, http2
    2.0kB
     9.2kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=083c9c12f5ee45f4b1a88b330533b459&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

    HTTP Response

    204
  • 88.221.83.203:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
     6.4kB
     17
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    client32.exe
    72 B
     120 B
     1
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    104.26.1.231
    172.67.68.212
    104.26.0.231

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    103.245.158.94.in-addr.arpa
    dns
    73 B
     108 B
     1
    1

    DNS Request

    103.245.158.94.in-addr.arpa

  • 8.8.8.8:53
    231.1.26.104.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    231.1.26.104.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    203.83.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    203.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    43.56.20.217.in-addr.arpa
    dns
    71 B
     131 B
     1
    1

    DNS Request

    43.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.