| File name: | all.php |
| Full analysis: | https://app.any.run/tasks/1bd42159-8d4d-4f12-baac-8fe7c1152158 |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | June 26, 2025, 16:20:41 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text |
| MD5: | A0C01DCD2F0D7F9DAD5EABC9B26E7996 |
| SHA1: | 971D29BDBB383123004E494A3A5AAF9054797080 |
| SHA256: | BD39F32177DC7A20F5087C5460EBF589035D9051336C69F07A26398F76AEC40E |
| SSDEEP: | 48:DDRLxTWe/y0qrTVXqpkZUqrKQWqf9RK75krG6/CJuj6oMLGq/yc8e:D3nyPrRmgKQWErqGr/2oMyoyc8e |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 6860)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 6860)
NETSUPPORT has been found (auto)
- powershell.exe (PID: 6860)
NETSUPPORT mutex has been found
- client32.exe (PID: 4552)
- client32.exe (PID: 1612)
Connects to the CnC server
- client32.exe (PID: 4552)
NETSUPPORT has been detected (YARA)
- client32.exe (PID: 4552)
NETSUPPORT has been detected (SURICATA)
- client32.exe (PID: 4552)
SUSPICIOUS
CSC.EXE is used to compile C# code
- csc.exe (PID: 4372)
Writes data to a memory stream (POWERSHELL)
- powershell.exe (PID: 6860)
Executable content was dropped or overwritten
- powershell.exe (PID: 6860)
- csc.exe (PID: 4372)
The process drops C-runtime libraries
- powershell.exe (PID: 6860)
Process drops legitimate windows executable
- powershell.exe (PID: 6860)
Drops a system driver (possible attempt to evade defenses)
- powershell.exe (PID: 6860)
Drop NetSupport executable file
- powershell.exe (PID: 6860)
Connects to the server without a host name
- client32.exe (PID: 4552)
INFO
Checks supported languages
- csc.exe (PID: 4372)
- cvtres.exe (PID: 5172)
- client32.exe (PID: 4552)
- client32.exe (PID: 1612)
- remcmdstub.exe (PID: 1520)
Reads the machine GUID from the registry
- csc.exe (PID: 4372)
Create files in a temporary directory
- cvtres.exe (PID: 5172)
- csc.exe (PID: 4372)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6860)
Checks proxy server information
- powershell.exe (PID: 6860)
- slui.exe (PID: 6364)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6860)
Disables trace logs
- powershell.exe (PID: 6860)
Creates files in the program directory
- powershell.exe (PID: 6860)
The sample compiled with english language support
- powershell.exe (PID: 6860)
Reads the computer name
- client32.exe (PID: 4552)
- client32.exe (PID: 1612)
Manual execution by a user
- client32.exe (PID: 1612)
- remcmdstub.exe (PID: 1520)
- client32.exe (PID: 424)
- notepad.exe (PID: 4412)
- notepad.exe (PID: 4700)
- notepad.exe (PID: 2032)
- notepad.exe (PID: 4648)
Reads security settings of Internet Explorer
- notepad.exe (PID: 4412)
- notepad.exe (PID: 4700)
- notepad.exe (PID: 4648)
- notepad.exe (PID: 2032)
Reads the software policy settings
- slui.exe (PID: 6364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
149
Monitored processes
15
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 424 | "C:\Users\admin\Desktop\client32.exe" | C:\Users\admin\Desktop\client32.exe | — | explorer.exe | |||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Exit code: 3221225781 Version: V14.10 Modules
| |||||||||||||||
| 1520 | "C:\Users\admin\Desktop\remcmdstub.exe" | C:\Users\admin\Desktop\remcmdstub.exe | — | explorer.exe | |||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Remote Command Prompt Exit code: 0 Version: V14.10 Modules
| |||||||||||||||
| 1612 | C:\ProgramData\U7POu2j9\client32.exe | C:\ProgramData\U7POu2j9\client32.exe | explorer.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Exit code: 255 Version: V14.10 Modules
| |||||||||||||||
| 2032 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\NSM.ini | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3688 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3908 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4372 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\zoyo24dr.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 4412 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\openh264_license.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4552 | "C:\ProgramData\U7POu2j9\client32.exe" | C:\ProgramData\U7POu2j9\client32.exe | powershell.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V14.10 Modules
| |||||||||||||||
| 4648 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\nskbfltr.inf | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
11 206
Read events
11 205
Write events
1
Delete events
0
Modification events
| (PID) Process: | (6860) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MySoftware |
Value: C:\ProgramData\U7POu2j9\client32.exe | |||
Executable files
24
Suspicious files
6
Text files
8
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lx2whhs4.aqa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4372 | csc.exe | C:\Users\admin\AppData\Local\Temp\zoyo24dr.dll | executable | |
MD5:414F4E5299CB08180156BCCDEE4BCF92 | SHA256:64C45D2A2D05988FA6CD2BD093690799B6B161995B833ACE02E20A0E8032F51F | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF175a35.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jmy1cegi.ohd.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\zoyo24dr.cmdline | text | |
MD5:B371D931CCCA087C092A971D094F248F | SHA256:FA450AB238EAC8ECC9D8C5FAAD2DCCD954E932EEF94904233C1B1CC890EEDCBB | |||
| 6860 | powershell.exe | C:\ProgramData\U7POu2j9\NSM.ini | binary | |
MD5:88B1DAB8F4FD1AE879685995C90BD902 | SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92 | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\zoyo24dr.0.cs | text | |
MD5:338ACD03C5D66C9F3AA9B699A4899ADD | SHA256:0BB732370D33D9FD3A3D257DAC741771D6E2F795B4BA6AE0AF6A57F476BDF391 | |||
| 4372 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC65CAFFD223354BB7999967B7C4F386CC.TMP | res | |
MD5:BB0CE30AF45C1C8F6D128FA188FE925A | SHA256:F0B6CB5AD07ABF318DC0259C4374957C8AC3A579480AAA14760B87CDE1C5A5D8 | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPKUCRVARZSMLMCQA9RA.temp | binary | |
MD5:2136079232334C32E10DD1D67BDE23AB | SHA256:2D3E7DE66C3ED84DA99CD9FB4618FC0395679F4CC8F534221BACFBB3429B8A49 | |||
| 6860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:2136079232334C32E10DD1D67BDE23AB | SHA256:2D3E7DE66C3ED84DA99CD9FB4618FC0395679F4CC8F534221BACFBB3429B8A49 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
51
DNS requests
18
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4552 | client32.exe | POST | 502 | 185.163.45.30:443 | http://185.163.45.30/fakeurl.htm | unknown | — | — | — |
— | — | POST | 400 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.20:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | POST | 400 | 20.190.160.65:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
5628 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
5628 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
592 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
592 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
592 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
certifiedhackerindia.com |
| unknown |
login.live.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
— | — | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin |
— | — | Potentially Bad Traffic | ET INFO HTTP traffic on port 443 (POST) |
— | — | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin |
— | — | A Network Trojan was detected | REMOTE [ANY.RUN] NetSupport RAT |