download:

/Cldflr

Full analysis: https://app.any.run/tasks/bc92c776-15c6-4af2-a252-42a915201e65
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: January 30, 2026, 14:03:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netsupport
remote
rmm-tool
tool
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65536), with no line terminators
MD5:

702E660A3A1B188C1EB9A944413749A9

SHA1:

1E8C2034423521011495AC477CC5DAAB19A96EBE

SHA256:

5C5A411E685B7A9E86282089A815E5AE7CB199FAE4EABBC565E6C6EBAE1A7C0F

SSDEEP:

49152:jQle5k6B9ghmHjMpdKc3BGGVdTFfIMPxfLhT734ssDy:Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6540)

    • NETSUPPORT has been found (auto)

      • powershell.exe (PID: 6540)

    • Create files in the Startup directory

      • powershell.exe (PID: 6540)

    • Proxy execution via Explorer

      • powershell.exe (PID: 6540)

    • NETSUPPORT mutex has been found

      • client32.exe (PID: 3088)

    • Connects to the CnC server

      • client32.exe (PID: 3088)

    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 3088)

    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 3088)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6540)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 6540)

    • Creates a directory (POWERSHELL)

      • powershell.exe (PID: 6540)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 6540)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 6540)

    • Drop NetSupport executable file

      • powershell.exe (PID: 6540)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6540)

    • There is functionality for communication over UDP network (YARA)

      • client32.exe (PID: 3088)

    • Contacting a server suspected of hosting an CnC

      • client32.exe (PID: 3088)

  • INFO

    • Drops script file

      • powershell.exe (PID: 6540)

    • The sample compiled with english language support

      • powershell.exe (PID: 6540)

    • Creates files in the program directory

      • powershell.exe (PID: 6540)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6540)

    • Launching a file from the Startup directory

      • powershell.exe (PID: 6540)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 8624)
      • client32.exe (PID: 3088)

    • Checks supported languages

      • client32.exe (PID: 3088)

    • Reads the computer name

      • client32.exe (PID: 3088)

    • There is functionality for taking screenshot (YARA)

      • client32.exe (PID: 3088)

    • Checks proxy server information

      • client32.exe (PID: 3088)
      • slui.exe (PID: 8240)

    • Creates files or folders in the user directory

      • client32.exe (PID: 3088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NETSUPPORT powershell.exe conhost.exe no specs explorer.exe no specs explorer.exe no specs #NETSUPPORT client32.exe slui.exe updater.exe no specs updater.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3088"C:\Users\admin\Desktop\cJhx4Wie\client32.exe" C:\Users\admin\Desktop\cJhx4Wie\client32.exe
explorer.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V14.10
Modules
Images
c:\users\admin\desktop\cjhx4wie\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\desktop\cjhx4wie\pcicl32.dll
3400"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6072"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a4,0x2a8,0x2ac,0xd0,0x2b0,0x139c460,0x139c46c,0x139c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6540"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\Cldflr.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
8240C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8412"C:\WINDOWS\explorer.exe" C:\ProgramData\3eQKnD6qat\cJhx4Wie.urlC:\Windows\explorer.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\aepic.dll
8432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8624C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events
9 979
Read events
9 974
Write events
5
Delete events
0

Modification events

(PID) Process:(8624) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214E4-0000-0000-C000-000000000046} 0xFFFF
Value:
0100000000000000CE2CBB46F191DC01
(PID) Process:(6540) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3088) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3088) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3088) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
8
Suspicious files
8
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\NSM.inibinary
MD5:88B1DAB8F4FD1AE879685995C90BD902
SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\HTCTL32.DLLexecutable
MD5:2D3B207C8A48148296156E5725426C7F
SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\msvcr100.dllexecutable
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\client32.exeexecutable
MD5:EE75B57B9300AAB96530503BFAE8A2F2
SHA256:06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268
6540powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e4e3d.TMPbinary
MD5:00A03B286E6E0EBFF8D9C492365D5EC2
SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\nskbfltr.infbinary
MD5:26E28C01461F7E65C402BDF09923D435
SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\NSM.LICtext
MD5:12B8CC1D0A34012BBBBE86880333C567
SHA256:9C48AB2790281FCA8D75ABC805E6091F1B8133898852E6C09657D66F3DD0C48F
6540powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t2yq3ieu.log.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\PCICL32.DLLexecutable
MD5:00587238D16012152C2E951A087F2CC9
SHA256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
6540powershell.exeC:\Users\admin\Desktop\cJhx4Wie\client32.initext
MD5:309D1E78119191A3D24493780C495D01
SHA256:CF2C86CA1455ABCA3F528FBC4DC4ED5D7C208ADDB4D6BC3F36889D9EE6E7811A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
29
DNS requests
22
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
5512
svchost.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop
unknown
whitelisted
8328
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
8328
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
8328
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
8328
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
356
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3088
client32.exe
GET
200
104.26.0.231:80
http://geo.netsupportsoftware.com/location/loca.asp
unknown
whitelisted
3088
client32.exe
POST
200
144.31.207.32:443
http://144.31.207.32/fakeurl.htm
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5512
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4256
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3412
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3088
client32.exe
104.26.0.231:80
geo.netsupportsoftware.com
CLOUDFLARENET
US
whitelisted
3088
client32.exe
144.31.207.32:443
borecas.com
PLAY2GO-NET
GB
unknown
356
svchost.exe
20.190.160.65:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
356
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.201.78
whitelisted
self.events.data.microsoft.com
  • 20.50.73.4
  • 20.42.73.28
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
borecas.com
  • 144.31.207.32
unknown
geo.netsupportsoftware.com
  • 104.26.0.231
  • 104.26.1.231
  • 172.67.68.212
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.136
  • 20.190.160.64
  • 20.190.160.5
  • 20.190.160.2
  • 20.190.160.3
  • 20.190.159.128
  • 20.190.159.23
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.128
  • 40.126.31.3
  • 40.126.31.73
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
whitelisted
www.bing.com
  • 92.123.104.66
  • 92.123.104.63
  • 92.123.104.67
  • 92.123.104.12
  • 92.123.104.61
  • 92.123.104.62
  • 92.123.104.9
  • 92.123.104.5
  • 92.123.104.65
whitelisted

Threats

PID
Process
Class
Message
3088
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
3088
client32.exe
Potentially Bad Traffic
ET INFO HTTP traffic on port 443 (POST)
3088
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
3088
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
3088
client32.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request
3088
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
3088
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
3088
client32.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/NetSupport CnC Activity observed (fakeurl.htm)
3088
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
3088
client32.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/NetSupport CnC Activity observed (fakeurl.htm)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Cldflr