File name: all.php

Full analysis: https://app.any.run/tasks/1bd42159-8d4d-4f12-baac-8fe7c1152158
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: June 26, 2025, 16:20:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: netsupport, rmm-tool, remote, auto, tool, arch-exec, arch-doc
Indicators:
MIME: text/plain
File info: ASCII text
MD5: A0C01DCD2F0D7F9DAD5EABC9B26E7996
SHA1: 971D29BDBB383123004E494A3A5AAF9054797080
SHA256: BD39F32177DC7A20F5087C5460EBF589035D9051336C69F07A26398F76AEC40E
SSDEEP: 48:DDRLxTWe/y0qrTVXqpkZUqrKQWqf9RK75krG6/CJuj6oMLGq/yc8e:D3nyPrRmgKQWErqGr/2oMyoyc8e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 6860)
    • Downloads the requested resource (POWERSHELL)
      • powershell.exe (PID: 6860)
    • NETSUPPORT has been found (auto)
      • powershell.exe (PID: 6860)
    • Connects to the CnC server
      • client32.exe (PID: 4552)
    • NETSUPPORT has been detected (SURICATA)
      • client32.exe (PID: 4552)
    • NETSUPPORT has been detected (YARA)
      • client32.exe (PID: 4552)
    • NETSUPPORT mutex has been found
      • client32.exe (PID: 1612)
      • client32.exe (PID: 4552)
  • SUSPICIOUS
    • CSC.EXE is used to compile C# code
      • csc.exe (PID: 4372)
    • Writes data to a memory stream (POWERSHELL)
      • powershell.exe (PID: 6860)
    • Executable content was dropped or overwritten
      • csc.exe (PID: 4372)
      • powershell.exe (PID: 6860)
    • Process drops legitimate windows executable
      • powershell.exe (PID: 6860)
    • The process drops C-runtime libraries
      • powershell.exe (PID: 6860)
    • Drop NetSupport executable file
      • powershell.exe (PID: 6860)
    • Drops a system driver (possible attempt to evade defenses)
      • powershell.exe (PID: 6860)
    • Connects to the server without a host name
      • client32.exe (PID: 4552)
  • INFO
    • Checks supported languages
      • csc.exe (PID: 4372)
      • cvtres.exe (PID: 5172)
      • client32.exe (PID: 4552)
      • client32.exe (PID: 1612)
      • remcmdstub.exe (PID: 1520)
    • Create files in a temporary directory
      • cvtres.exe (PID: 5172)
      • csc.exe (PID: 4372)
    • Reads the machine GUID from the registry
      • csc.exe (PID: 4372)
    • Disables trace logs
      • powershell.exe (PID: 6860)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 6860)
    • Checks proxy server information
      • powershell.exe (PID: 6860)
      • slui.exe (PID: 6364)
    • Creates files in the program directory
      • powershell.exe (PID: 6860)
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 6860)
    • The sample compiled with English language support
      • powershell.exe (PID: 6860)
    • Reads the computer name
      • client32.exe (PID: 4552)
      • client32.exe (PID: 1612)
    • Manual execution by a user
      • client32.exe (PID: 1612)
      • client32.exe (PID: 424)
      • remcmdstub.exe (PID: 1520)
      • notepad.exe (PID: 4412)
      • notepad.exe (PID: 4648)
      • notepad.exe (PID: 4700)
      • notepad.exe (PID: 2032)
    • Reads security settings of Internet Explorer
      • notepad.exe (PID: 4648)
      • notepad.exe (PID: 2032)
      • notepad.exe (PID: 4412)
      • notepad.exe (PID: 4700)
    • Reads the software policy settings
      • slui.exe (PID: 6364)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 15
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph (from start):
  • powershell.exe (#NETSUPPORT)
  • conhost.exe (no specs)
  • csc.exe
  • cvtres.exe (no specs)
  • client32.exe (#NETSUPPORT)
  • client32.exe (#NETSUPPORT, no specs)
  • client32.exe (no specs)
  • remcmdstub.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • notepad.exe (no specs)
  • notepad.exe (no specs)
  • notepad.exe (no specs)
  • notepad.exe (no specs)
  • rundll32.exe (no specs)

Process information

PID: 424
CMD: "C:\Users\admin\Desktop\client32.exe"
Path: C:\Users\admin\Desktop\client32.exe
Parent process: explorer.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Client Application
Exit code: 3221225781
Version: V14.10
Modules (images):
c:\users\admin\desktop\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 1520
CMD: "C:\Users\admin\Desktop\remcmdstub.exe"
Path: C:\Users\admin\Desktop\remcmdstub.exe
Parent process: explorer.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Remote Command Prompt
Exit code: 0
Version: V14.10
Modules (images):
c:\users\admin\desktop\remcmdstub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1612
CMD: C:\ProgramData\U7POu2j9\client32.exe
Path: C:\ProgramData\U7POu2j9\client32.exe
Parent process: explorer.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Client Application
Exit code: 255
Version: V14.10
Modules (images):
c:\programdata\u7pou2j9\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\programdata\u7pou2j9\pcicl32.dll
c:\windows\syswow64\user32.dll
PID: 2032
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\NSM.ini
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 3688
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3908
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4372
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\zoyo24dr.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 4412
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\openh264_license.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 4552
CMD: "C:\ProgramData\U7POu2j9\client32.exe"
Path: C:\ProgramData\U7POu2j9\client32.exe
Parent process: powershell.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Client Application
Version: V14.10
Modules (images):
c:\programdata\u7pou2j9\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\programdata\u7pou2j9\pcicl32.dll
PID: 4648
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\nskbfltr.inf
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 11 206
Read events: 11 205
Write events: 1
Delete events: 0

Modification events

(PID) Process: (6860) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MySoftware
Value: C:\ProgramData\U7POu2j9\client32.exe
Executable files: 24
Suspicious files: 6
Text files: 8
Unknown types: 2

Dropped files

PID 6860, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPKUCRVARZSMLMCQA9RA.temp
  Type: binary
  MD5: 2136079232334C32E10DD1D67BDE23AB
  SHA256: 2D3E7DE66C3ED84DA99CD9FB4618FC0395679F4CC8F534221BACFBB3429B8A49

PID 6860, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Type: binary
  MD5: 2136079232334C32E10DD1D67BDE23AB
  SHA256: 2D3E7DE66C3ED84DA99CD9FB4618FC0395679F4CC8F534221BACFBB3429B8A49

PID 5172, cvtres.exe
  Filename: C:\Users\admin\AppData\Local\Temp\RES63BB.tmp
  Type: o
  MD5: 79AE24D66D3BC212F4DA600EE501CA35
  SHA256: D62C56D6ED3FC0EBD7B1775B181F1B0FE949798101FCD89D4218E506A9114DEC

PID 6860, powershell.exe
  Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jmy1cegi.ohd.psm1
  Type: text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6860, powershell.exe
  Filename: C:\Users\admin\AppData\Local\Temp\zoyo24dr.0.cs
  Type: text
  MD5: 338ACD03C5D66C9F3AA9B699A4899ADD
  SHA256: 0BB732370D33D9FD3A3D257DAC741771D6E2F795B4BA6AE0AF6A57F476BDF391

PID 4372, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\zoyo24dr.dll
  Type: executable
  MD5: 414F4E5299CB08180156BCCDEE4BCF92
  SHA256: 64C45D2A2D05988FA6CD2BD093690799B6B161995B833ACE02E20A0E8032F51F

PID 4372, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\CSC65CAFFD223354BB7999967B7C4F386CC.TMP
  Type: res
  MD5: BB0CE30AF45C1C8F6D128FA188FE925A
  SHA256: F0B6CB5AD07ABF318DC0259C4374957C8AC3A579480AAA14760B87CDE1C5A5D8

PID 6860, powershell.exe
  Filename: C:\ProgramData\U7POu2j9\PCICHEK.DLL
  Type: executable
  MD5: A0B9388C5F18E27266A31F8C5765B263
  SHA256: 313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A

PID 4372, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\zoyo24dr.out
  Type: text
  MD5: 87348575B331545E3C02F63E268B706F
  SHA256: 85E3BB27AAAE5AFA41910FCDE74A8738A0A73E377C674FC4AA79CE11ACEB71F4

PID 6860, powershell.exe
  Filename: C:\ProgramData\U7POu2j9\HTCTL32.DLL
  Type: executable
  MD5: 2D3B207C8A48148296156E5725426C7F
  SHA256: EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 51
DNS requests: 18
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
592 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 82.112.239.77:443 | https://certifiedhackerindia.com/jiwr.zip?lp=2524 | unknown | compressed | 9.42 Mb | unknown
592 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
4552 | client32.exe | POST | 502 | 185.163.45.30:443 | http://185.163.45.30/fakeurl.htm | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
592 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
592 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
592 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
certifiedhackerindia.com
  • 82.112.239.77
unknown
login.live.com
  • 20.190.160.130
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.66
  • 20.190.160.64
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.4
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
- | - | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4552 | client32.exe | Potentially Bad Traffic | ET INFO HTTP traffic on port 443 (POST)
4552 | client32.exe | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
4552 | client32.exe | A Network Trojan was detected | REMOTE [ANY.RUN] NetSupport RAT
No debug info