File name:

njRAT-Horror-Edition-main.zip

Full analysis: https://app.any.run/tasks/04543d05-e119-4900-afc0-0ab22baf15ca
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: November 30, 2024, 11:42:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
exfiltration
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

8EC5227058B24996EF285F7A0507DF98

SHA1:

2DD742068125BF57F0DA211BEA555DA40003AA9D

SHA256:

3C7A6D357A1B0531B0CDBD19B43D8B13082BD7CA026AD52217EE69C04712E9B3

SSDEEP:

24576:ds1n6YvWNqBWWQ1rywt+nor7bOYsLLiAwZx8wjVyxMVdPMcbJBcVkcrJpIw1+pxS:ds1nDvWNLWQ1ry6CorPOYsLLrwZx8wjS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 7044)
    • Stealers network behavior

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Changes powershell execution policy (Bypass)

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 244)
      • powershell.exe (PID: 7120)
    • Adds process to the Windows Defender exclusion list

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Adds path to the Windows Defender exclusion list

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Attempting to use instant messaging service

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Reads security settings of Internet Explorer

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7104)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7104)
      • mshta.exe (PID: 5592)
    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 5592)
    • Checks for external IP

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
      • svchost.exe (PID: 2192)
    • The process connected to a server suspected of theft

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Starts POWERSHELL.EXE for commands execution

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Script adds exclusion path to Windows Defender

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • WUDFHost.exe (PID: 2084)
    • Connects to unusual port

      • WUDFHost.exe (PID: 2084)
    • Script adds exclusion process to Windows Defender

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Executable content was dropped or overwritten

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
      • WUDFHost.exe (PID: 2084)
    • The process executes via Task Scheduler

      • WUDFHost.exe (PID: 2084)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4804)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2424)
    • Reads the machine GUID from the registry

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • The process uses the downloaded file

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • WinRAR.exe (PID: 2424)
      • mshta.exe (PID: 7104)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Manual execution by a user

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
    • Reads the computer name

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Checks supported languages

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Process checks computer location settings

      • njRAT 0.7d Horror Edition.exe (PID: 6896)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Disables trace logs

      • cmstp.exe (PID: 6960)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7104)
      • mshta.exe (PID: 5592)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 6960)
    • Reads Environment values

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Creates files in the program directory

      • dllhost.exe (PID: 7044)
    • Checks proxy server information

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Reads the software policy settings

      • njRAT 0.7d Horror Edition.exe (PID: 1864)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2192)
      • njRAT 0.7d Horror Edition.exe (PID: 1864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:11:29 21:14:56
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: njRAT-Horror-Edition-main/
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in order of appearance ("no specs" is the report's own label for a process with no indicators of its own): winrar.exe, rundll32.exe (no specs), njrat 0.7d horror edition.exe (no specs), cmstp.exe (no specs; CMSTPLUA), mshta.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), njrat 0.7d horror edition.exe, mshta.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), svchost.exe (SPPSurrogate; no specs), vssvc.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), wudfhost.exe, netsh.exe (no specs), conhost.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 244
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\WUDFHost.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: njRAT 0.7d Horror Edition.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1864
CMD: "C:\Users\admin\Desktop\njRAT-Horror-Edition-main\njRAT 0.7d Horror Edition.exe"
Path: C:\Users\admin\Desktop\njRAT-Horror-Edition-main\njRAT 0.7d Horror Edition.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\njrat-horror-edition-main\njrat 0.7d horror edition.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2084
CMD: "C:\Users\admin\AppData\Roaming\WUDFHost.exe"
Path: C:\Users\admin\AppData\Roaming\WUDFHost.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
HIGH
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\wudfhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2424
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\njRAT-Horror-Edition-main.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4804
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5240
CMD: "C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 667
Read events: 16 572
Write events: 95
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\preferences.zip
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\njRAT-Horror-Edition-main.zip
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120
(2424) WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100
(6960) cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableFileTracing | 0
(6960) cmstp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | EnableAutoFileTracing | 0
Executable files: 5
Suspicious files: 2
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
244 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4tdsyxra.l4u.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2424.25348\njRAT-Horror-Edition-main\GeoIP.dat | binary
MD5: A0A228C187329AD148F33C81DDB430BB
SHA256: B4BFD1EBC50F0EAAB3D3F4C2152FEAE7AA8EFAD380B85064153A6BFD006C6210
2084 | WUDFHost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6821e713d7a1ac2c22c8f414f25b24fa.exe | executable
MD5: 5FFCCCCBBB918F95A1340D50B31525BB
SHA256: 999C8DE9475785F8A711B256FE808D1F1A384B66A97A1A290E93FBEE34314F2A
7120 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vcv2vdc3.iym.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1864 | njRAT 0.7d Horror Edition.exe | C:\Users\admin\AppData\Roaming\WUDFHost.exe | executable
MD5: 5FFCCCCBBB918F95A1340D50B31525BB
SHA256: 999C8DE9475785F8A711B256FE808D1F1A384B66A97A1A290E93FBEE34314F2A
2424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2424.25348\njRAT-Horror-Edition-main\README.md | text
MD5: 9A87AE5921133EBD1FB4B66A90859B8F
SHA256: CE5A6CC879601C06DE3088A2EEB48795E8FC8341B234365E4BB336BCD9083C66
2424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2424.25348\njRAT-Horror-Edition-main\WinMM.Net.dll | executable
MD5: D4B80052C7B4093E10CE1F40CE74F707
SHA256: 59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46
2424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2424.25348\njRAT-Horror-Edition-main\njRAT 0.7d Horror Edition.exe | executable
MD5: 5FFCCCCBBB918F95A1340D50B31525BB
SHA256: 999C8DE9475785F8A711B256FE808D1F1A384B66A97A1A290E93FBEE34314F2A
244 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 3F8CAE3AB8E52D82B0A248A7EEFAEE8E
SHA256: 8A858C593B35166EFB40A178CC25EEEF0448F8F6B2295692C464BAC153534748
7120 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ei1iutj2.3ot.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
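The indicator tree, the process table and the dropped-file list above describe one chain: a PowerShell child launched with -ExecutionPolicy Bypass to add a Defender exclusion, cmstp.exe started from the user's Desktop (the CMSTPLUA UAC-bypass shape), mshta.exe spawning taskkill against cmstp.exe, a copy of the sample written to %APPDATA%\WUDFHost.exe and to the Startup folder with the same SHA256 as the original, and a process that queries ip-api.com and then talks to discord.com. The script below is an added example, not part of the ANY.RUN report and not ANY.RUN code: it encodes those observations as triage rules and runs them over event records constructed from the report's own command lines, parents, hashes and network rows. The record layout (Proc, Drop, Net) and the rule names are this script's own; PIDs, parents or command lines the report does not list (the cmstp.exe and netsh.exe command lines, the netsh.exe PID) are placeholders and are marked as such in comments.

```python
"""Triage rules over sandbox process, dropped-file and network events.
Added example for this report, not ANY.RUN code. The events below are built from
the command lines, parents, hashes and network rows the report shows; PIDs,
parents or command lines the report omits are placeholders, marked in comments.
"""
import re
from collections import defaultdict, namedtuple

SAMPLE_SHA256 = "999C8DE9475785F8A711B256FE808D1F1A384B66A97A1A290E93FBEE34314F2A"
NJRAT = r"C:\Users\admin\Desktop\njRAT-Horror-Edition-main\njRAT 0.7d Horror Edition.exe"
WUDF = r"C:\Users\admin\AppData\Roaming\WUDFHost.exe"
SYS32 = r"C:\Windows\System32"
# Windows binary names malware borrows; the real WUDFHost.exe lives under C:\Windows only.
SYSTEM_NAMES = {"wudfhost.exe", "svchost.exe", "dllhost.exe", "conhost.exe", "rundll32.exe"}

Proc = namedtuple("Proc", "pid image cmdline parent_image")  # image/parent_image: full paths
Drop = namedtuple("Drop", "pid path sha256")
Net = namedtuple("Net", "pid domain")
Finding = namedtuple("Finding", "rule pid detail")


def _name(path):
    return path.lower().rsplit("\\", 1)[-1]


def _user_writable(path):
    return path.lower().startswith("c:\\users\\")


def check_processes(procs):
    out = []
    for p in procs:
        name, cl, parent = _name(p.image), p.cmdline.lower(), _name(p.parent_image)
        if name == "powershell.exe":
            if re.search(r"-e(xecutionpolicy|p)\s+bypass", cl):
                out.append(Finding("powershell_executionpolicy_bypass", p.pid, p.cmdline))
            if "add-mppreference" in cl and re.search(r"-exclusion(path|process|extension)", cl):
                out.append(Finding("defender_exclusion_added", p.pid, p.cmdline))
        # cmstp.exe started by a user-profile binary: the shape of the CMSTPLUA UAC bypass
        if name == "cmstp.exe" and _user_writable(p.parent_image):
            out.append(Finding("cmstp_from_user_binary", p.pid, p.parent_image))
        if parent == "mshta.exe" and name in {"cmd.exe", "powershell.exe", "taskkill.exe"}:
            out.append(Finding("mshta_spawns_shell", p.pid, p.cmdline))
        if name == "netsh.exe" and _user_writable(p.parent_image):
            out.append(Finding("netsh_from_user_binary", p.pid, p.parent_image))
        if name in SYSTEM_NAMES and not p.image.lower().startswith("c:\\windows\\"):
            out.append(Finding("system_name_outside_windows", p.pid, p.image))
    return out


def check_drops(drops, sample_sha256=SAMPLE_SHA256, sample_path=NJRAT):
    out = []
    for d in drops:
        low = d.path.lower()
        if "\\start menu\\programs\\startup\\" in low:
            out.append(Finding("autostart_drop", d.pid, d.path))
        if d.sha256.upper() == sample_sha256.upper() and low != sample_path.lower():
            out.append(Finding("self_copy_of_sample", d.pid, d.path))  # the RAT copying itself
    return out


def check_network(nets):
    domains = defaultdict(set)
    for n in nets:
        domains[n.pid].add(n.domain.lower())
    # external-IP lookup plus Discord from one process: the pattern behind the STEALER alert
    return [Finding("ip_check_then_discord", pid, ", ".join(sorted(d)))
            for pid, d in domains.items() if {"ip-api.com", "discord.com"} <= d]


def triage(procs, drops, nets):
    return check_processes(procs) + check_drops(drops) + check_network(nets)


PROCS = [
    Proc(2424, r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe njRAT-Horror-Edition-main.zip",
         r"C:\Windows\explorer.exe"),  # benign control; command line abbreviated
    Proc(6960, SYS32 + r"\cmstp.exe", "cmstp.exe", NJRAT),  # command line not in report
    Proc(1864, NJRAT, f'"{NJRAT}"', SYS32 + r"\cmd.exe"),
    Proc(244, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
         r"Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\WUDFHost.exe'", NJRAT),
    Proc(5240, SYS32 + r"\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F',
         SYS32 + r"\mshta.exe"),
    Proc(2084, WUDF, f'"{WUDF}"', SYS32 + r"\svchost.exe"),
    Proc(9999, SYS32 + r"\netsh.exe", "netsh.exe", WUDF),  # PID and command line not in report
]
DROPS = [
    Drop(1864, WUDF, SAMPLE_SHA256),
    Drop(2084, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
               r"\6821e713d7a1ac2c22c8f414f25b24fa.exe", SAMPLE_SHA256),
    Drop(2424, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2424.25348\njRAT-Horror-Edition-main\WinMM.Net.dll",
         "59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46"),
]
NETS = [Net(1864, "ip-api.com"), Net(1864, "discord.com"), Net(4712, "crl.microsoft.com")]

if __name__ == "__main__":
    for f in triage(PROCS, DROPS, NETS):
        print(f"{f.rule:34} pid={f.pid:<5} {f.detail}")
```

Run as a script it lists one finding per rule hit; the WinRAR process, the WinMM.Net.dll drop and the CRL fetch by PID 4712 deliberately trigger nothing. In production the same rules would be fed from Sysmon process-creation and file-creation events or EDR telemetry rather than from a hand-built list. The cmstp.exe and netsh.exe rules also fire on legitimate installers, so they are triage signals rather than blocking rules, while the Defender-exclusion rule and the self-copy-into-Startup rule are specific enough to alert on directly. The ip-api.com plus discord.com rule is a correlation across two network events from the same PID, which is what lets it separate the RAT from a browser that happens to visit Discord.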
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 38
DNS requests: 20
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns were empty for every row; "(not listed)" marks rows without a PID or process in the export)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(not listed) | (not listed) | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
(not listed) | (not listed) | GET | 200 | 23.37.237.227:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1864 | njRAT 0.7d Horror Edition.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/csv/?fields=status,query | unknown | shared
6304 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5472 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5472 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
(not listed) | (not listed) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("(not listed)" marks rows without a PID or process in the export)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4652 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
(not listed) | (not listed) | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(not listed) | (not listed) | 23.37.237.227:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.16.204.149:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
(not listed) | (not listed) | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.37.237.227
  • 2.16.253.202
whitelisted
www.bing.com
  • 2.16.204.149
  • 2.16.204.146
  • 2.16.204.138
  • 2.16.204.157
  • 2.16.204.141
  • 2.16.204.148
  • 2.16.204.160
  • 2.16.204.161
  • 2.16.204.153
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.4
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.128.233
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2192 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1864 | njRAT 0.7d Horror Edition.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
1864 | njRAT 0.7d Horror Edition.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
1864 | njRAT 0.7d Horror Edition.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord
No debug info