File name:

_5e99311e08775c742b4f8b765210a4a36d655483500c570a232cc6d495e2cc06.txt

Full analysis: https://app.any.run/tasks/6e52ad1a-28f9-49d2-a62a-ca9d7f286a8e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 10, 2026, 15:14:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
netsupport
rmm-tool
remote
loader
tool
Indicators:
MIME: text/plain
File info: ASCII text
MD5: 8230B85DCC562211711F73723E0FF1A5
SHA1: B1CB293A2928C544862570627B69C1D8A2840F75
SHA256: 5E99311E08775C742B4F8B765210A4A36D655483500C570A232CC6D495E2CC06
SSDEEP: 24:1y2A4s9+NdgfW2aBtZP70da2A4Mx2Ag0qG+cTKvu2AQ2AK:1lIBWJh0bM6PAKu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Proxy execution via Explorer

      • powershell.exe (PID: 8392)
    • NETSUPPORT mutex has been found

      • neservice.exe (PID: 7020)
    • NETSUPPORT has been detected (SURICATA)

      • neservice.exe (PID: 7020)
    • NETSUPPORT has been detected (YARA)

      • neservice.exe (PID: 7020)
    • Create files in the Startup directory

      • 7z.exe (PID: 508)
  • SUSPICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8392)
    • The process drops C-runtime libraries

      • 7z.exe (PID: 7680)
    • Executable content was dropped or overwritten

      • 7z.exe (PID: 7680)
      • powershell.exe (PID: 8392)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 7680)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 8392)
    • Drop NetSupport executable file

      • 7z.exe (PID: 7680)
    • Explorer used for Indirect Command Execution

      • explorer.exe (PID: 1868)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 8392)
    • There is functionality for communication over UDP network (YARA)

      • neservice.exe (PID: 7020)
    • Contacting a server suspected of hosting an CnC

      • neservice.exe (PID: 7020)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 8392)
    • The executable file from the user directory is run by the Powershell process

      • 7z.exe (PID: 508)
      • 7z.exe (PID: 7680)
    • Drops script file

      • powershell.exe (PID: 8392)
    • Checks proxy server information

      • powershell.exe (PID: 8392)
      • slui.exe (PID: 7728)
    • The sample compiled with english language support

      • powershell.exe (PID: 8392)
      • 7z.exe (PID: 7680)
    • Checks supported languages

      • 7z.exe (PID: 7680)
      • 7z.exe (PID: 508)
      • neservice.exe (PID: 7020)
    • Reads the computer name

      • 7z.exe (PID: 7680)
      • neservice.exe (PID: 7020)
      • 7z.exe (PID: 508)
    • Creates files or folders in the user directory

      • 7z.exe (PID: 7680)
      • 7z.exe (PID: 508)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 8792)
    • Launching a file from the Startup directory

      • 7z.exe (PID: 508)
    • There is functionality for taking screenshot (YARA)

      • neservice.exe (PID: 7020)
No Malware configuration.
No data.
Total processes: 152
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 2


Process information

PID:
508
CMD:
"C:\Users\admin\AppData\Local\Nfservice\7z.exe" x C:\Users\admin\AppData\Local\Nfservice\lnk.7z -pppp -aoa -y "-oC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Path:
C:\Users\admin\AppData\Local\Nfservice\7z.exe
Parent process:
powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\nfservice\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
1868
CMD:
"C:\WINDOWS\explorer.exe" "C:\Users\admin\AppData\Local\Nfservice\neservice.exe"
Path:
C:\Windows\explorer.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
PID:
7020
CMD:
"C:\Users\admin\AppData\Local\Nfservice\neservice.exe"
Path:
C:\Users\admin\AppData\Local\Nfservice\neservice.exe
Parent process:
explorer.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V14.12
Modules
Images
c:\users\admin\appdata\local\nfservice\neservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\nfservice\pcicl32.dll
PID:
7392
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
7680
CMD:
"C:\Users\admin\AppData\Local\Nfservice\7z.exe" x at.7z -pppp -aoa -y
Path:
C:\Users\admin\AppData\Local\Nfservice\7z.exe
Parent process:
powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\nfservice\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID:
7728
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
8392
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\_5e99311e08775c742b4f8b765210a4a36d655483500c570a232cc6d495e2cc06.txt.ps1
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
8792
CMD:
C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path:
C:\Windows\explorer.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events: 9 823
Read events: 9 823
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 11
Suspicious files: 8
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8392 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vi300udb.wjf.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5f64.TMP | binary
MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\NSM.ini | text
MD5: 99F493DCE7FAB330DC47F0CAB8FE6172
SHA256: E0ED36C897EAA5352FAB181C20020B60DF4C58986193D6AAF5BF3E3ECDC4C05D
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\nskbfltr.inf | binary
MD5: 26E28C01461F7E65C402BDF09923D435
SHA256: D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\NSM.LIC | text
MD5: 5D7445EFA8A5560842C868369127CD79
SHA256: E09980D1B1C508EB29D2931AC92F8D0A7E49CA5FE6AB6277FABF097A0B033B63
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\nsm_vpro.ini | text
MD5: 3BE27483FDCDBF9EBAE93234785235E3
SHA256: 4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\HTCTL32.DLL | executable
MD5: 051CDB6AC8E168D178E35489B6DA4C74
SHA256: 6562585009F15155EEA9A489E474CEBC4DD2A01A26D846FDD1B93FDC24B0C269
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\msvcr100.dll | executable
MD5: 0E37FBFA79D349D672456923EC5FBBE3
SHA256: 8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
7680 | 7z.exe | C:\Users\admin\AppData\Local\Nfservice\client32.ini | text
MD5: 7601D633A64309146C7386DC2CAEB59D
SHA256: AED0C1800B1A2A9CF588A894DFBC3F903EBB45BCAEC9C4BF6A3AF656D705BAB5
8392 | powershell.exe | C:\Users\admin\AppData\Local\Nfservice\7z.exe | executable
MD5: 58712AACF6B0F8149C066BDA3A034FC3
SHA256: 43907E54CF3D1258F695D1112759B5457576481072CC76A679B8477CFEB3DB87
HTTP(S) requests: 48
TCP/UDP connections: 44
DNS requests: 20
Threats: 19

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7244 | RUXIMICS.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
8392 | powershell.exe | GET | 200 | 77.90.15.227:80 | http://mysrvcs.com/at.7z | DE | compressed | 1.44 Mb | unknown
8756 | svchost.exe | GET | 200 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | US | text | 3.41 Kb | whitelisted
7948 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
7244 | RUXIMICS.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
8756 | svchost.exe | GET | 200 | 23.216.77.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
- | - | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | unknown
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted
3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
8756 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7244 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.204.156:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
8756 | svchost.exe | 23.216.77.19:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7244 | RUXIMICS.exe | 23.216.77.19:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6712 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8392 | powershell.exe | 77.90.15.227:80 | mysrvcs.com | THREATOFF | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
self.events.data.microsoft.com | 13.89.179.14, 20.42.73.26 | whitelisted
www.bing.com | 2.16.204.156, 2.16.204.150, 2.16.204.153, 2.16.204.146, 2.16.204.147, 2.16.204.149, 2.16.204.148, 2.16.204.151, 2.16.204.155 | whitelisted
google.com | 142.251.37.14 | whitelisted
crl.microsoft.com | 23.216.77.19, 23.216.77.6, 23.216.77.13, 23.216.77.11, 23.216.77.29, 23.216.77.28, 23.216.77.22, 23.216.77.27, 23.216.77.25, 23.216.77.10, 23.216.77.41, 23.216.77.5, 23.216.77.7, 23.216.77.42, 23.216.77.38, 23.216.77.43, 23.216.77.39 | whitelisted
mysrvcs.com | 77.90.15.227 | unknown
hotelservicemonitor.com | 37.77.150.202 | unknown
channelmanagerpms.com | 37.77.150.202 | unknown
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted
www.microsoft.com | 88.221.169.152, 23.59.18.102 | whitelisted

Threats

PID | Process | Class | Message
8756 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8392 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8392 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8392 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8392 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell
8392 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7020 | neservice.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 3
- | - | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
- | - | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/NetSupport CnC Activity observed (fakeurl.htm)
No debug info