download:

/update.php

Full analysis: https://app.any.run/tasks/b5d26e96-95ed-48e5-93fc-299818bee070
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: March 21, 2025, 12:32:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
netsupport
rmm-tool
unwanted
remote
tool
themida
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5:

96F78187E8FC777EFC3740740DB4FBA5

SHA1:

8E7E3BBCF8D51243462DCA4D03AF1F0CEABB54E6

SHA256:

80B274871E5024DFA9E513219FE3DF82CC8FE4255010BD5D04D23D5833962C10

SSDEEP:

24:f3pladxaRw6G3YclSsdxaRw6G3QlpRdxaRw6uagaXvvr/e8VQl4O5S8pEoFLur3q:fZkbbTbA/pmva8i3Eg0uaa6Jt131PHW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7648)

    • NETSUPPORT mutex has been found

      • client32.exe (PID: 4880)

    • NetSupport is detected

      • client32.exe (PID: 4880)

    • Connects to the CnC server

      • client32.exe (PID: 4880)

    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 4880)

    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 4880)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 7648)

    • The process drops C-runtime libraries

      • zz.exe (PID: 7212)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7648)
      • zz.exe (PID: 7212)

    • Process drops legitimate windows executable

      • zz.exe (PID: 7212)

    • Reads the BIOS version

      • client32.exe (PID: 4880)

    • Drop NetSupport executable file

      • zz.exe (PID: 7212)

    • Reads security settings of Internet Explorer

      • client32.exe (PID: 4880)

    • Connects to the server without a host name

      • client32.exe (PID: 4880)

    • Potential Corporate Privacy Violation

      • client32.exe (PID: 4880)

    • Connects to unusual port

      • client32.exe (PID: 4880)

    • There is functionality for communication over UDP network (YARA)

      • client32.exe (PID: 4880)

    • There is functionality for taking screenshot (YARA)

      • client32.exe (PID: 4880)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 7648)
      • client32.exe (PID: 4880)
      • slui.exe (PID: 5384)

    • Disables trace logs

      • powershell.exe (PID: 7648)

    • The sample compiled with english language support

      • powershell.exe (PID: 7648)
      • zz.exe (PID: 7212)

    • Creates files or folders in the user directory

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • The executable file from the user directory is run by the Powershell process

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • Reads the computer name

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • Checks supported languages

      • client32.exe (PID: 4880)
      • zz.exe (PID: 7212)

    • Themida protector has been detected

      • client32.exe (PID: 4880)

    • Reads the software policy settings

      • slui.exe (PID: 5384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs zz.exe #NETSUPPORT client32.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4880"C:\Users\admin\AppData\Roaming\Ns\client32.exe" C:\Users\admin\AppData\Roaming\Ns\client32.exe
powershell.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V14.10
Modules
Images
c:\users\admin\appdata\roaming\ns\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\ns\pcicl32.dll
5384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7212"C:\Users\admin\AppData\Roaming\zz.exe" x b.vue -pkek -aoa -yC:\Users\admin\AppData\Roaming\zz.exe
powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
24.08
Modules
Images
c:\users\admin\appdata\roaming\zz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
7648"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\update.php.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7656\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 006
Read events
8 002
Write events
4
Delete events
0

Modification events

(PID) Process:(7648) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:My Support
Value:
C:\Users\admin\AppData\Roaming\Ns\client32.exe
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
11
Suspicious files
5
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
7648powershell.exeC:\Users\admin\AppData\Roaming\b.vue
MD5:
SHA256:
7648powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c43c.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7648powershell.exeC:\Users\admin\AppData\Roaming\7z.dllexecutable
MD5:1143C4905BBA16D8CC02C6BA8F37F365
SHA256:E79DDFB6319DBF9BAC6382035D23597DAD979DB5E71A605D81A61EE817C1E812
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\PCICHEK.DLLexecutable
MD5:751D8C09133FF0F2AD4CBBDF4EE08EBC
SHA256:087B0E5862C9F25E7C517DFDC4387426395CB3203DC531AC61CD713160ADAAAE
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\pcicapi.DLLexecutable
MD5:394FBD2AE1A6CB460F27D6FF7BADF6FC
SHA256:A580826B0CDD59387B77F41015A2C54C8BFCDF359C0EDC72993A50299918F404
7648powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s2yqfm4x.lck.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\client32.initext
MD5:7C94B4C32CBCDDFAB7633767B74C3D57
SHA256:E440656118D981A5634F5336126266DF9179FF152D33D737771506173238B8B2
7648powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JPMP9OP3DOBRMGVWFNZZ.tempbinary
MD5:92DFB2FF5CDC3AA7F939557573832EA7
SHA256:2A2EF9ECF3164B6FA42FCC6E440B5B881233C1040B437F125FF4A1110FD9F304
7648powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:92DFB2FF5CDC3AA7F939557573832EA7
SHA256:2A2EF9ECF3164B6FA42FCC6E440B5B881233C1040B437F125FF4A1110FD9F304
7648powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nhyt2rwm.5bi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
30
DNS requests
21
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7784
backgroundTaskHost.exe
GET
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4880
client32.exe
GET
200
104.26.1.231:80
http://geo.netsupportsoftware.com/location/loca.asp
unknown
malicious
4880
client32.exe
POST
200
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
4880
client32.exe
POST
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
4880
client32.exe
POST
200
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
7596
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7596
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4880
client32.exe
POST
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.160.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7648
powershell.exe
45.145.7.76:443
meet-join.us
Zhihua Lu
US
unknown
7784
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.185
  • 23.48.23.180
  • 23.48.23.193
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.190
  • 23.48.23.147
  • 23.48.23.183
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.131
  • 20.190.160.64
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.2
  • 40.126.32.74
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
meet-join.us
  • 45.145.7.76
unknown
arc.msn.com
  • 20.223.35.26
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
statns.pro
  • 188.114.97.3
  • 188.114.96.3
unknown
lordxg.net
  • 185.149.146.153
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4880
client32.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request
4880
client32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4880
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
4880
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/update.php