download:

/update.php

Full analysis: https://app.any.run/tasks/b5d26e96-95ed-48e5-93fc-299818bee070
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: March 21, 2025, 12:32:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
netsupport
rmm-tool
unwanted
remote
tool
themida
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5:

96F78187E8FC777EFC3740740DB4FBA5

SHA1:

8E7E3BBCF8D51243462DCA4D03AF1F0CEABB54E6

SHA256:

80B274871E5024DFA9E513219FE3DF82CC8FE4255010BD5D04D23D5833962C10

SSDEEP:

24:f3pladxaRw6G3YclSsdxaRw6G3QlpRdxaRw6uagaXvvr/e8VQl4O5S8pEoFLur3q:fZkbbTbA/pmva8i3Eg0uaa6Jt131PHW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7648)

    • NETSUPPORT mutex has been found

      • client32.exe (PID: 4880)

    • NetSupport is detected

      • client32.exe (PID: 4880)

    • Connects to the CnC server

      • client32.exe (PID: 4880)

    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 4880)

    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 4880)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 7648)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7648)
      • zz.exe (PID: 7212)

    • The process drops C-runtime libraries

      • zz.exe (PID: 7212)

    • Process drops legitimate windows executable

      • zz.exe (PID: 7212)

    • Reads the BIOS version

      • client32.exe (PID: 4880)

    • Drop NetSupport executable file

      • zz.exe (PID: 7212)

    • Reads security settings of Internet Explorer

      • client32.exe (PID: 4880)

    • There is functionality for taking screenshot (YARA)

      • client32.exe (PID: 4880)

    • Potential Corporate Privacy Violation

      • client32.exe (PID: 4880)

    • Connects to the server without a host name

      • client32.exe (PID: 4880)

    • Connects to unusual port

      • client32.exe (PID: 4880)

    • There is functionality for communication over UDP network (YARA)

      • client32.exe (PID: 4880)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 7648)

    • Checks proxy server information

      • powershell.exe (PID: 7648)
      • client32.exe (PID: 4880)
      • slui.exe (PID: 5384)

    • The executable file from the user directory is run by the Powershell process

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • Creates files or folders in the user directory

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • Reads the computer name

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • The sample compiled with english language support

      • zz.exe (PID: 7212)
      • powershell.exe (PID: 7648)

    • Checks supported languages

      • zz.exe (PID: 7212)
      • client32.exe (PID: 4880)

    • Themida protector has been detected

      • client32.exe (PID: 4880)

    • Reads the software policy settings

      • slui.exe (PID: 5384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs zz.exe #NETSUPPORT client32.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4880"C:\Users\admin\AppData\Roaming\Ns\client32.exe" C:\Users\admin\AppData\Roaming\Ns\client32.exe
powershell.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V14.10
Modules
Images
c:\users\admin\appdata\roaming\ns\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\ns\pcicl32.dll
5384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7212"C:\Users\admin\AppData\Roaming\zz.exe" x b.vue -pkek -aoa -yC:\Users\admin\AppData\Roaming\zz.exe
powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
24.08
Modules
Images
c:\users\admin\appdata\roaming\zz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
7648"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\update.php.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7656\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 006
Read events
8 002
Write events
4
Delete events
0

Modification events

(PID) Process:(7648) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:My Support
Value:
C:\Users\admin\AppData\Roaming\Ns\client32.exe
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4880) client32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
11
Suspicious files
5
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
7648powershell.exeC:\Users\admin\AppData\Roaming\b.vue
MD5:
SHA256:
7648powershell.exeC:\Users\admin\AppData\Roaming\zz.exeexecutable
MD5:0B24892597DCB0257CDB78B5ED165218
SHA256:707F415D7D581EDD9BCE99A0429AD4629D3BE0316C329E8B9EBD576F7AB50B71
7648powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c43c.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7648powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:92DFB2FF5CDC3AA7F939557573832EA7
SHA256:2A2EF9ECF3164B6FA42FCC6E440B5B881233C1040B437F125FF4A1110FD9F304
7648powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nhyt2rwm.5bi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\client32.exeexecutable
MD5:B977728AA9A92B296A84964039CA57E7
SHA256:2C10C711100C7C53F4C62C2F97895DE1292ED899EA953DE61E9F806C8F1A3D9C
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\msvcr100.dllexecutable
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\client32.initext
MD5:7C94B4C32CBCDDFAB7633767B74C3D57
SHA256:E440656118D981A5634F5336126266DF9179FF152D33D737771506173238B8B2
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\AudioCapture.dllexecutable
MD5:619C830BB94F1346F7F3CFBB3F544CDE
SHA256:2B8885221FFF551457A2DC82A3A10EFB4D886B387ADBA94356063A0D70E58814
7212zz.exeC:\Users\admin\AppData\Roaming\Ns\htctl32.dllexecutable
MD5:051CDB6AC8E168D178E35489B6DA4C74
SHA256:6562585009F15155EEA9A489E474CEBC4DD2A01A26D846FDD1B93FDC24B0C269
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
30
DNS requests
21
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7784
backgroundTaskHost.exe
GET
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4880
client32.exe
GET
200
104.26.1.231:80
http://geo.netsupportsoftware.com/location/loca.asp
unknown
malicious
4880
client32.exe
POST
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
4880
client32.exe
POST
200
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
4880
client32.exe
POST
200
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
7596
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7596
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4880
client32.exe
POST
185.149.146.153:9999
http://185.149.146.153/fakeurl.htm
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.160.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
7648
powershell.exe
45.145.7.76:443
meet-join.us
Zhihua Lu
US
unknown
7784
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.185
  • 23.48.23.180
  • 23.48.23.193
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.190
  • 23.48.23.147
  • 23.48.23.183
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.131
  • 20.190.160.64
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.2
  • 40.126.32.74
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
meet-join.us
  • 45.145.7.76
unknown
arc.msn.com
  • 20.223.35.26
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
statns.pro
  • 188.114.97.3
  • 188.114.96.3
unknown
lordxg.net
  • 185.149.146.153
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4880
client32.exe
Potential Corporate Privacy Violation
ET REMOTE_ACCESS NetSupport GeoLocation Lookup Request
4880
client32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4880
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
4880
client32.exe
Misc activity
ET REMOTE_ACCESS NetSupport Remote Admin Response
4880
client32.exe
A Network Trojan was detected
REMOTE [ANY.RUN] NetSupport RAT
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/update.php