
Summary
This detection rule identifies the loading of specific dynamic-link libraries (DLLs) associated with the NetSupport Remote Manager (RMM) tool by any process on Windows systems. It focuses on cases where DLLs such as CryptPak.dll, HTCTL32.DLL, and others are loaded from uncommon directories, which could indicate that adversaries are misusing the legitimate NetSupport software as a Remote Access Trojan (RAT). The analysis looks for instances where these modules are loaded by processes located in directories such as Downloads or user-specific folders rather than the legitimate Program Files path. The detection uses Sysmon Event ID 7 (ImageLoaded) events to monitor Windows processes and surface potentially malicious activity. Relevant filters and statistics are applied to improve detection accuracy and reduce false positives.
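The detection logic described above, as an added example that is not the rule's own query: it walks constructed Sysmon Event ID 7 records (a flat key=value form, not real Sysmon XML) and flags the named NetSupport DLLs when either the module or the loading process lives outside Program Files. Process names, user names and directories in the sample are made up; the "and others" DLLs the summary mentions are not enumerated, so only the two named ones are checked.

```python
import re

# DLL names the rule summary names explicitly (its "and others" are not enumerated here).
NETSUPPORT_DLLS = {"cryptpak.dll", "htctl32.dll"}

# Treated as the legitimate install root for this example; any other parent is "uncommon".
EXPECTED_ROOT_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)

# Constructed sample log lines (key=value fields separated by '|'), one event per line.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Program Files (x86)\NetSupport\remote.exe|ImageLoaded=C:\Program Files (x86)\NetSupport\HTCTL32.DLL
EventID=7|Image=C:\Users\alice\Downloads\update.exe|ImageLoaded=C:\Users\alice\Downloads\HTCTL32.DLL
EventID=7|Image=C:\Users\alice\AppData\Roaming\svc\update.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\svc\CryptPak.dll
EventID=7|Image=C:\Users\alice\Downloads\update.exe|ImageLoaded=C:\Windows\System32\kernel32.dll
EventID=1|Image=C:\Users\alice\Downloads\update.exe|CommandLine=update.exe /silent
"""


def parse_event(line):
    """Split one flat record into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_uncommon(path):
    """True when the file does not live under Program Files."""
    return EXPECTED_ROOT_RE.match(path) is None


def detect(log_text):
    """Return (alerts, per_process_counts) for Event ID 7 records in which a NetSupport
    DLL is loaded from, or into a process running from, a directory outside Program Files."""
    alerts, counts = [], {}
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None or ev.get("EventID") != "7":
            continue  # only ImageLoaded events are in scope for this rule
        image, module = ev["Image"], ev["ImageLoaded"]
        if basename(module).lower() not in NETSUPPORT_DLLS:
            continue  # not one of the watched modules
        if is_uncommon(module) or is_uncommon(image):
            alerts.append({"process": image, "module": module})
            counts[image] = counts.get(image, 0) + 1  # simple per-process tally for triage
    return alerts, counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG)[0]:
        print(f"ALERT: {alert['process']} loaded {alert['module']}")
```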
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1036
Created: 2025-11-20