Overview

overview

10

Static

static

3

NjRAT 0.7D...7d.exe

windows7-x64

10

NjRAT 0.7D...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/05/2024, 23:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NjRAT 0.7D/njRAT v0.7d/njRAT v0.7d.exe

  • Size

    2.1MB

  • MD5

    82797e8e4f73c21fbafe42c0f0a6af02

  • SHA1

    3a3c35c40b15969ea5c4ab466d5df56f3cfd60ed

  • SHA256

    903d1bf52ade4faa221f0b264f1ac2bc816ff82c21542fde9b03d650f85d5ec9

  • SHA512

    21a547080da7aafcd62e3fa588e80d99a3eec23a9bc70789a9402331b41a9996086061748b2ca9b3ad056fb44b585fc85aad7a98950bca543a0979d4aaf06c97

  • SSDEEP

    24576:/tNAFB4Uzr6UeRmmZg8ADHWsJuFfo5jYbYzHSG/UpnMUnFz3Y/l0FbKXjGHO/gF7:/Xw+Fb3HOYF2

Score
10/10
imminentevasionpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NjRAT 0.7D\njRAT v0.7d\njRAT v0.7d.exe
    "C:\Users\Admin\AppData\Local\Temp\NjRAT 0.7D\njRAT v0.7d\njRAT v0.7d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\AppData\Local\Temp\CRACK.EXE
      "C:\Users\Admin\AppData\Local\Temp\CRACK.EXE"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
        "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
        3⤵
        • Executes dropped EXE
        PID:4552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        3⤵
          PID:5184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CRACK.EXE
          3⤵
            PID:1456
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\CRACK.EXE"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 5
              4⤵
              • Runs ping.exe
              PID:1184
        • C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE
          "C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE"
          2⤵
          • Executes dropped EXE
          PID:4408
        • C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
          "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3988
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5576
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 1000
              4⤵
              • Runs ping.exe
              PID:5600
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:3236

        Network

        • flag-us
          DNS
          228.249.119.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          228.249.119.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.204.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.204.248.87.in-addr.arpa
          IN PTR
          Response
          0.204.248.87.in-addr.arpa
          IN PTR
          https-87-248-204-0lhrllnwnet
        • flag-us
          DNS
          22.160.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          22.160.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 659775
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 0959CC43FA22429C88827CD26D5A9567 Ref B: LON04EDGE1209 Ref C: 2024-05-26T23:37:01Z
          date: Sun, 26 May 2024 23:37:00 GMT
        • flag-us
          DNS
          241.150.49.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.150.49.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001a-msedgenet
        • flag-us
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=04D2BE5363BB6FEA1857AAD8629C6E2D; domain=.bing.com; expires=Fri, 20-Jun-2025 23:37:02 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B852B6E34B4049FBA2AF9CE9E37F8330 Ref B: LON04EDGE0707 Ref C: 2024-05-26T23:37:02Z
          date: Sun, 26 May 2024 23:37:02 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=04D2BE5363BB6FEA1857AAD8629C6E2D
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=4JDnkmrEX6irljMgP2xWoUBqmVSF-j8MS7b6PDSw-ak; domain=.bing.com; expires=Fri, 20-Jun-2025 23:37:02 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 48521D8D86814DC4A3D28D7C81B95260 Ref B: LON04EDGE0707 Ref C: 2024-05-26T23:37:02Z
          date: Sun, 26 May 2024 23:37:02 GMT
        • flag-us
          GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=04D2BE5363BB6FEA1857AAD8629C6E2D; MSPTC=4JDnkmrEX6irljMgP2xWoUBqmVSF-j8MS7b6PDSw-ak
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 8294C86924324409B1E44E8EBA6C1997 Ref B: LON04EDGE0707 Ref C: 2024-05-26T23:37:02Z
          date: Sun, 26 May 2024 23:37:02 GMT
        • flag-us
          DNS
          mikro.publicvm.com
          svhost.exe
          Remote address:
          8.8.8.8:53
          Request
          mikro.publicvm.com
          IN A
          Response
          mikro.publicvm.com
          IN CNAME
          publicvm.com
          publicvm.com
          IN A
          139.99.66.103
        • flag-us
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • flag-nl
          GET
          https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          23.62.61.97:443
          Request
          GET /th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=04D2BE5363BB6FEA1857AAD8629C6E2D; MSPTC=4JDnkmrEX6irljMgP2xWoUBqmVSF-j8MS7b6PDSw-ak
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1548
          date: Sun, 26 May 2024 23:37:04 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.5d3d3e17.1716766624.126b777f
        • flag-us
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          97.61.62.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.61.62.23.in-addr.arpa
          IN PTR
          Response
          97.61.62.23.in-addr.arpa
          IN PTR
          a23-62-61-97deploystaticakamaitechnologiescom
        • flag-us
          DNS
          15.164.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          15.164.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          103.169.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.169.127.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          48.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          48.229.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 627437
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: D352F55FA04C4A60962F3D1B537F79D7 Ref B: LON04EDGE0621 Ref C: 2024-05-26T23:38:33Z
          date: Sun, 26 May 2024 23:38:32 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 659775
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 188C98D6CF284B96A802DC1C73CE133B Ref B: LON04EDGE0621 Ref C: 2024-05-26T23:38:33Z
          date: Sun, 26 May 2024 23:38:32 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 621794
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B9E854B1E61C4674A9A5F80ECC097230 Ref B: LON04EDGE0621 Ref C: 2024-05-26T23:38:33Z
          date: Sun, 26 May 2024 23:38:32 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 792794
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: A971951F06F74E5C8CB7C77F5C544F30 Ref B: LON04EDGE0621 Ref C: 2024-05-26T23:38:33Z
          date: Sun, 26 May 2024 23:38:32 GMT
        • flag-us
          DNS
          mikro.publicvm.com
          svhost.exe
          Remote address:
          8.8.8.8:53
          Request
          mikro.publicvm.com
          IN A
          Response
          mikro.publicvm.com
          IN CNAME
          publicvm.com
          publicvm.com
          IN A
          139.99.66.103
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          24.7kB
           690.4kB
           507
          505

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=
          tls, http2
          2.0kB
           9.2kB
           22
          19

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

          HTTP Response

          204
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 23.62.61.97:443
          https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.6kB
           6.8kB
           18
          13

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239373720215_1RHWT2NN92K0QRRNR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          96.7kB
           2.8MB
           2033
          2029

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           8.1kB
           16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           8.1kB
           16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
           8.1kB
           16
          13
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 139.99.66.103:888
          mikro.publicvm.com
          svhost.exe
          156 B
           3
        • 8.8.8.8:53
          228.249.119.40.in-addr.arpa
          dns
          73 B
           159 B
           1
          1

          DNS Request

          228.249.119.40.in-addr.arpa

        • 8.8.8.8:53
          0.204.248.87.in-addr.arpa
          dns
          71 B
           116 B
           1
          1

          DNS Request

          0.204.248.87.in-addr.arpa

        • 8.8.8.8:53
          22.160.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          22.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
           173 B
           1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          241.150.49.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          241.150.49.20.in-addr.arpa

        • 8.8.8.8:53
          200.197.79.204.in-addr.arpa
          dns
          73 B
           106 B
           1
          1

          DNS Request

          200.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
           151 B
           1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          mikro.publicvm.com
          dns
          svhost.exe
          64 B
           94 B
           1
          1

          DNS Request

          mikro.publicvm.com

          DNS Response

          139.99.66.103

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
           143 B
           1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        • 8.8.8.8:53
          97.61.62.23.in-addr.arpa
          dns
          70 B
           133 B
           1
          1

          DNS Request

          97.61.62.23.in-addr.arpa

        • 8.8.8.8:53
          15.164.165.52.in-addr.arpa
          dns
          72 B
           146 B
           1
          1

          DNS Request

          15.164.165.52.in-addr.arpa

        • 8.8.8.8:53
          103.169.127.40.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          103.169.127.40.in-addr.arpa

        • 8.8.8.8:53
          48.229.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          48.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
           173 B
           1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          mikro.publicvm.com
          dns
          svhost.exe
          64 B
           94 B
           1
          1

          DNS Request

          mikro.publicvm.com

          DNS Response

          139.99.66.103

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SVHOST.EXE.log
          Filesize

          771B

          MD5

          36c85b51fe803ac6009874a8f4a4879a

          SHA1

          b33dfa5c3cb416db33a167edad92d1e678fd6c5f

          SHA256

          b3d71b4a609a9b0e117b5b2acdfbb9b59d71aae2f27b5f9bc3f03796949dfb03

          SHA512

          e9efd16b585cbe747d46da115474a957e969b067c478628cae47bd84f13575a8d737f6256dd65907e05c3556e668a0deaf6a0393382815d799c3959233ec38eb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CRACK.EXE
          Filesize

          85KB

          MD5

          caa83316e90e94b2c2620434a8ac2f5d

          SHA1

          299a978130cb359d2f9e2b2f1e1d4a6e8ccb2259

          SHA256

          330fee0fa9b36c20a546a8f9867623c73bd00421681cc703f2be1688fc1c5718

          SHA512

          18da0883735a51b5bee3724deb68e1703e220ed1478cff420ccbde388d6858f7b8691f9238a078624a29d38de35fee7cbe23073f8021a4c2b15f4a90ddd34705

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE
          Filesize

          1.6MB

          MD5

          473e1a7be89c3a727176d4f9f5a64b69

          SHA1

          501eb2c1432ff2b4e5ff582ad82d0fca152adebc

          SHA256

          bf853789b938bdc5da8aaeb52511379a332c7cf238266a21bfcb0318a62e85cb

          SHA512

          4d0ef049c83fe2790e8c201c643b68be26ae854feaeb154e7b1703c9f7c7250abc7307cef035f723fe8d5cf9d85175ff19a7bd37c403536617c8df9f9a7079fd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
          Filesize

          321KB

          MD5

          fadfa817c5a1253997e1552850f4192c

          SHA1

          444f0fb74b3b270b6e4d90b88f97eb44805edd52

          SHA256

          05dd7d0db8be999edd96dcbe6c53684b194b423e2c34d94f220143f558570daf

          SHA512

          63338ebee99609dd50df7d3a64d94955079b2dabc64029d5eb17742b0032e3f47dd1609c41a16af050d99b2002c9d5732c51e10a208e03f42825f1c7baabe5d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\delself.bat
          Filesize

          360B

          MD5

          491b310d228b446b3a0aa1cef7301e4a

          SHA1

          c512625ad65a257fec46f37fd112805e08f5b125

          SHA256

          f56b3f7c5b0d72f5599f83399570c60f0740f3aa503207add746cafc8845b936

          SHA512

          5560539414e65bf6aa2f73bc74758f8fef687c7fc926ef503ce4707c1c04b3cbd2473dec8508234dfe55e6a7175ecf8992b299308bf5ef65ae22c9f8af6bac0f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
          Filesize

          63B

          MD5

          ec8dc8d118b2eb2ed9f10e518a6144c7

          SHA1

          3a8eb270e8c391f6829366402c236c43363ff116

          SHA256

          79f10e43a8fdbcd03e3aaedd85b1b7dd460c419a7b4c61c6b24d597880402c1c

          SHA512

          0a1462494be1e85a1293063e787a7b0a46e55f2d5f6a4fef94f2f5bbc33d136734d27a2be5910c44a90c635df2be9347796e040a2fc2eb6d4d30537ee7ffde62

          Download Submit

        • memory/936-39-0x0000000074AB2000-0x0000000074AB4000-memory.dmp

          Filesize

          8KB

          Download

        • memory/936-59-0x0000000074AB0000-0x0000000075061000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/936-40-0x0000000074AB0000-0x0000000075061000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/936-38-0x0000000000F10000-0x0000000000F20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1016-66-0x0000000002080000-0x0000000002081000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-60-0x00000000005A0000-0x00000000005A5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-63-0x00000000005B0000-0x00000000005B5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-64-0x00000000005B0000-0x00000000005B5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-44-0x00000000005B0000-0x00000000005B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-43-0x00000000005A0000-0x00000000005A5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-42-0x00000000005A0000-0x00000000005A5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-41-0x00000000005A0000-0x00000000005A5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1016-65-0x00000000005B0000-0x00000000005B5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/4408-36-0x000000001C6A0000-0x000000001C6EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4408-33-0x000000001C4D0000-0x000000001C56C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4408-30-0x000000001BF60000-0x000000001C42E000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/4408-34-0x00007FFA038B0000-0x00007FFA04251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/4408-35-0x00000000011D0000-0x00000000011D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4408-37-0x00007FFA038B0000-0x00007FFA04251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/4408-31-0x00007FFA03B65000-0x00007FFA03B66000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4408-29-0x000000001B9E0000-0x000000001BA86000-memory.dmp

          Filesize

          664KB

          Download

        • memory/4408-96-0x00007FFA038B0000-0x00007FFA04251000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/4408-100-0x00007FFA03B65000-0x00007FFA03B66000-memory.dmp

          Filesize

          4KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.