File name:

t.exe

Full analysis: https://app.any.run/tasks/612d2bb6-cfda-4ff5-a702-a36f20b9e88d
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a class of malware that gives an attacker complete or partial control over an infected computer. Such programs are often modular, offering a wide range of capabilities for illicit activity on the compromised system; common features include access to the user's files, webcam and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: October 23, 2024, 15:13:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sheetrat
remote
rat
wmi-base64
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

561F9038C8E65338F62D1D8D3F459D6E

SHA1:

5B05FCEAD24A88DDE920FB1D47E662B5FE08C7C6

SHA256:

5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2

SSDEEP:

3072:IsIWd5rcdwqgCvBl27rI07ZkZsAmkcfpK9Wm55F0Xr1StXbEBq1Jq1:IsFBqL7cI07ZkZs/lm5Xso9bN1Jq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5268)
      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 8152)
      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 4232)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2124)
      • cmd.exe (PID: 5160)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 6612)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 7632)
      • cmd.exe (PID: 4508)
      • cmd.exe (PID: 4232)
      • cmd.exe (PID: 7912)
      • cmd.exe (PID: 4312)
      • cmd.exe (PID: 8144)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 2888)
      • cmd.exe (PID: 6928)
      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 5356)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7568)
      • cmd.exe (PID: 6320)
    • SHEETRAT has been detected (SURICATA)

      • t.exe (PID: 6344)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 4144)
    • Connects to the CnC server

      • t.exe (PID: 6344)
  • SUSPICIOUS

    • Connects to unusual port

      • t.exe (PID: 6344)
    • Contacting a server suspected of hosting a CnC

      • t.exe (PID: 6344)
    • Starts CMD.EXE for commands execution

      • t.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • t.exe (PID: 6344)
    • Application launched itself

      • t.exe (PID: 2432)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5976)
  • INFO

    • Reads the computer name

      • t.exe (PID: 2432)
    • Checks supported languages

      • t.exe (PID: 2432)
    • Found Base64 encoded reference to WMI classes (YARA)

      • t.exe (PID: 6344)
    • Manual execution by a user

      • firefox.exe (PID: 4312)
    • Application launched itself

      • firefox.exe (PID: 8028)
      • firefox.exe (PID: 4312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2100:10:13 03:20:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 254464
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x4006e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 237.233.64.120
ProductVersionNumber: 175.23.183.221
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft PowerPoint
FileDescription: Microsoft Visual Studio
FileVersion: 237.233.64.120
InternalName: Putty.exe
LegalCopyright: Slack
LegalTrademarks: Unreal Engine
OriginalFileName: Putty.exe
ProductName: WPS Office
ProductVersion: 175.23.183.221
AssemblyVersion: 175.23.183.221
No data.
All screenshots are available in the full report
Total processes
263
Monitored processes
127
Malicious processes
2
Suspicious processes
0

Behavior graph

start t.exe no specs #SHEETRAT t.exe sppextcomobj.exe no specs slui.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs svchost.exe wmiapsrv.exe no specs searchapp.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs slui.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs firefox.exe no specs firefox.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs firefox.exe no specs schtasks.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs firefox.exe no specs firefox.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs 
cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1156
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1712
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1804
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6456 -childID 10 -isForBrowser -prefsHandle 4540 -prefMapHandle 4404 -prefsLen 31242 -prefMapSize 244343 -jsInitHandle 1412 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fea406e7-5d89-43e9-a84a-ff618d998188} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 193b6efd850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
PID: 2100
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: t.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2100
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 2124
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: t.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147500037
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
12 697
Read events
12 605
Write events
83
Delete events
9

Modification events

(PID) Process: (2432) t.exe
Key: HKEY_CURRENT_USER\SOFTWARE
Operation: write
Name: hwid
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
Operation: write
Name: Export
Value: .NET Memory Cache 4.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
Operation: write
Name: Export
Value: MSDTC Bridge 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage
Operation: write
Name: Export
Value: MSDTC Bridge 4.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelEndpoint 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelOperation 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelService 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage
Operation: write
Name: Export
Value: SMSvcHost 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage
Operation: write
Name: Export
Value: SMSvcHost 4.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage
Operation: write
Name: Export
Value: Windows Workflow Foundation 3.0.0.0
Executable files
6
Suspicious files
618
Text files
341
Unknown types
46

Dropped files

PID
Process
Filename
Type
PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741700807381129.txt~RF97e9a.TMP
MD5:
SHA256:

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\P26HLZ9S\-UAIppANYxiGpRWJy2NDph4qOEw.gz[1].jss
MD5: 9E527B91C2D8B31B0017B76049B5E4E3
SHA256: 38EDF0F961C1CCB287880B88F12F370775FC65B2E28227EEE215E849CDBE9BBC

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Type: binary
MD5: 76CE598B3B095331218DD608168D3308
SHA256: B42BE9072AA92101D7E67F61E0387E8E4B5B7FC9CEEEBEF8A20C07C829A57472

PID: 6344
Process: t.exe
Filename: C:\Users\admin\AppData\Local\OBS_Studio.exe
Type: executable
MD5: 561F9038C8E65338F62D1D8D3F459D6E
SHA256: 5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2

PID: 6344
Process: t.exe
Filename: C:\Users\admin\AppData\Roaming\Adobe_Photoshop.exe
Type: executable
MD5: 561F9038C8E65338F62D1D8D3F459D6E
SHA256: 5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c962cc1c-5e83-4111-9032-de81b29398a3}\Apps.ft
Type: binary
MD5: AB5CF5D309581951ACE7978FF8DF0FF0
SHA256: CA45CAA7DE38CB805EC43EDC8B9332E1E95124A27FBB6E5BD3DDD5E8A526AFC7

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741700807381129.txt
Type: ini
MD5: EBA9D627AEFA0148EA256382E454768F
SHA256: 85F02886D53B7427792E54BCEE97D366AD46F78CF90AA25DCC3FAE29ED7FA7F8

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\f4st08wpuYBQ5KWRJ3MqAsJB8zg[1].css
Type: text
MD5: 3D24779C6014BCFEFB3D9A80B8F3567B
SHA256: A7EF8FAA37710D7E90C9C8950C203C8DA82410780F872E4F217EE636250D831F

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\-lxTjronWiCCazqIxFTp4HrDoXc.gz[1].js
Type: binary
MD5: 8465A334065673EB6A6487C8D87539DB
SHA256: 84ED6C495B322B0F2213CC33EC6C652D84D82E010C928B1141DB2290D4365F3D

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c962cc1c-5e83-4111-9032-de81b29398a3}\Apps.index
Type: binary
MD5: FE9A819377870FA6FDD677E5D3AA1A07
SHA256: C43D46A72D282151F56E09F15CD47DB4414ECA02B536D41D26D5560AA5ADEC78
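The process command lines, the registry writes and the dropped-file hashes above are enough to triage this sample offline. The Python below is an added example written for this page; it is not ANY.RUN code and nothing in it was recovered from t.exe, and every input is a string copied from the report. It parses the repeated SchTaSKs command line and explains why every cmd.exe/schtasks.exe pair exited with 2147500037, which is 0x80004005 (E_FAIL): the modifier /mo -1 is outside the 1-1439 range schtasks accepts for /sc minute (the range table is taken from the schtasks /create documentation), so the "CorelDRAW" task was never registered, which fits the dozens of identical cmd.exe launches in the process list. It also decodes the base64 hwid value written under HKCU\SOFTWARE and checks which dropped files carry the sample's own SHA256, i.e. which of them are staged self-copies (OBS_Studio.exe under AppData\Local, the path the task points at, and Adobe_Photoshop.exe under AppData\Roaming).

```python
"""Triage helpers for the artifacts quoted in this report.

Added example, not ANY.RUN code and not anything from the sample itself. It
runs offline on strings copied from the report; nothing here touches a host.
"""
import base64
import re

# Inputs copied from the report (constructed test data, see the lead-in).
SCHTASKS_CMDLINE = (
    '"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" '
    '/tr "C:\\Users\\admin\\AppData\\Local\\OBS_Studio.exe" /RL HIGHEST & exit'
)
SCHTASKS_EXIT_CODE = 2147500037                        # reported for cmd.exe and schtasks.exe
HWID_REG_VALUE = "MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M="    # HKCU\SOFTWARE, value "hwid"
SAMPLE_SHA256 = "5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2"
DROPPED_FILES = {  # path -> SHA256, from the "Dropped files" table
    r"C:\Users\admin\AppData\Local\OBS_Studio.exe":
        "5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2",
    r"C:\Users\admin\AppData\Roaming\Adobe_Photoshop.exe":
        "5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2",
    r"C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres":
        "B42BE9072AA92101D7E67F61E0387E8E4B5B7FC9CEEEBEF8A20C07C829A57472",
}

# Valid /mo ranges for the schedule types that take a numeric modifier
# (from the schtasks /create documentation).
_MO_RANGE = {"minute": (1, 1439), "hourly": (1, 23), "daily": (1, 365), "weekly": (1, 52)}
# Switches that consume the following token as their value.
_VALUED = {"/sc", "/mo", "/tn", "/tr", "/rl", "/st", "/sd", "/ru", "/rp"}


def _tokens(cmdline):
    """Split a cmd.exe command line, keeping double-quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the schtasks switches as {"create": True, "sc": "minute", "mo": "-1", ...}.

    The binary name is matched case-insensitively: the sample writes it as
    SchTaSKs, which defeats detections that look for a lower-case literal.
    """
    toks = _tokens(cmdline)
    start = next(i for i, t in enumerate(toks) if t.lower() == "schtasks")
    opts, i = {}, start + 1
    while i < len(toks) and toks[i] != "&":            # stop at the cmd.exe separator
        key = toks[i].lower()
        if key in _VALUED and i + 1 < len(toks):
            opts[key[1:]] = toks[i + 1]
            i += 2
        else:
            opts[key.lstrip("/")] = True
            i += 1
    return opts


def schtasks_issues(opts):
    """List reasons schtasks would reject the registration (empty list if none found)."""
    issues = []
    sc = str(opts.get("sc", "")).lower()
    if sc in _MO_RANGE and "mo" in opts:
        lo, hi = _MO_RANGE[sc]
        try:
            mo = int(opts["mo"])
        except ValueError:
            mo = None
        if mo is None or not lo <= mo <= hi:
            issues.append(f"/mo {opts['mo']} is outside the {lo}-{hi} range schtasks accepts for /sc {sc}")
    return issues


def hresult(exit_code):
    """Render a decimal exit code as an HRESULT and say whether its failure bit is set."""
    code = exit_code & 0xFFFFFFFF
    return f"0x{code:08X}", bool(code & 0x80000000)


def decode_hwid(value):
    """Decode the base64 hwid value t.exe (PID 2432) writes and require a hex string."""
    text = base64.b64decode(value, validate=True).decode("ascii")
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError(f"hwid is not a hex string: {text!r}")
    return text


def self_copies(dropped, sample_sha256):
    """Dropped paths whose SHA256 equals the analysed sample, i.e. copies of itself."""
    want = sample_sha256.lower()
    return sorted(p for p, h in dropped.items() if h.lower() == want)


if __name__ == "__main__":
    opts = parse_schtasks(SCHTASKS_CMDLINE)
    print("task:", opts)
    for issue in schtasks_issues(opts):
        print("issue:", issue)
    print("exit code:", hresult(SCHTASKS_EXIT_CODE))   # ('0x80004005', True): E_FAIL
    print("hwid:", decode_hwid(HWID_REG_VALUE))
    print("self-copies:", self_copies(DROPPED_FILES, SAMPLE_SHA256))
```

The processes in this report already run at HIGH integrity, so the failure is not a privilege problem; the broken modifier alone explains it. The decoded hwid is a 23-character upper-case hex string, which looks like a truncated machine fingerprint and is a cheap per-host indicator to hunt for under HKCU\SOFTWARE on other machines.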
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
200
DNS requests
170
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
632
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4904
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4904
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5084
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
POST
200
142.250.185.131:80
http://o.pki.goog/s/wr3/XjA
unknown
whitelisted
POST
200
195.138.255.18:80
http://r10.o.lencr.org/
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
 | | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4360 | SearchApp.exe | 92.122.215.95:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
632 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.167
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.164
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 92.122.215.95
  • 92.122.215.53
  • 92.122.215.57
  • 2.20.142.3
  • 2.20.142.180
  • 92.122.215.65
  • 2.20.142.251
  • 2.20.142.4
  • 92.122.215.60
  • 2.20.142.154
  • 92.122.215.74
  • 2.20.142.155
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.138
  • 40.126.32.74
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
th.bing.com
  • 2.20.142.155
  • 2.20.142.154
  • 2.20.142.187
  • 2.20.142.251
  • 2.20.142.3
  • 92.122.215.57
  • 92.122.215.60
  • 2.20.142.180
  • 92.122.215.65
  • 104.126.37.130
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.179
  • 104.126.37.170
  • 104.126.37.186
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.171
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
2172 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
2172 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
6344 | t.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping)
6344 | t.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping)
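The two Emerging Threats alerts above fire on DNS lookups for playit.gg, a hosted tunnelling service that exposes a port on the operator's machine behind a hostname under ply.gg; a RAT behind such a tunnel has no fixed C2 address, so the domain suffix is the durable indicator. Note that the sandbox attributes the lookups to svchost.exe (PID 2172), not to t.exe, because Windows resolves names through the DNS Client service; host telemetry such as Sysmon Event ID 22 attributes the query to the requesting process instead. The Python below is an added example, not part of the report or of the ET rule set: it applies a whole-label suffix match over constructed DNS-query log lines and collapses hits per process and tunnel hostname. The flattened "timestamp image pid queryname" log shape, the sample lines, and their attribution of the ply.gg lookups to t.exe are assumptions made for the example.

```python
"""Whole-label suffix match for tunnelling-service hostnames in DNS query logs.

Added example modelled on the two Emerging Threats alerts in this report
(*.ply.gg / playit.gg); not part of the report or of the rule set. The suffix
list, the log format and the log lines are constructed for the example.
"""
import re
from collections import Counter

# Only the families named in this report's alerts; extend for other services.
TUNNEL_SUFFIXES = ("ply.gg", "playit.gg")

# Constructed lines in a flattened "timestamp image pid queryname" shape, as a
# pipeline might emit Sysmon Event ID 22 (DnsQuery). Not taken from the sandbox;
# attributing the ply.gg lookups to t.exe is an assumption for the demo.
SAMPLE_LOG = """\
2024-10-23T15:14:02Z t.exe 6344 example-tunnel.ply.gg
2024-10-23T15:14:02Z t.exe 6344 example-tunnel.ply.gg
2024-10-23T15:14:05Z svchost.exe 2172 settings-win.data.microsoft.com
2024-10-23T15:14:09Z firefox.exe 4312 detectportal.firefox.com
2024-10-23T15:14:11Z firefox.exe 4312 notply.gg
2024-10-23T15:14:15Z t.exe 6344 EXAMPLE-TUNNEL.ply.gg.
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<qname>\S+)$")


def tunnel_suffix(qname, suffixes=TUNNEL_SUFFIXES):
    """Return the matching suffix or None.

    Matches on label boundaries: 'x.ply.gg' and 'ply.gg' match, 'notply.gg'
    does not. Case and a trailing root dot are ignored.
    """
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def tunnel_hits(log_text):
    """One record per query line whose name sits under a tunnel suffix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines in another shape
        suffix = tunnel_suffix(m["qname"])
        if suffix is None:
            continue
        name = m["qname"].rstrip(".").lower()
        host_label = name[: -len(suffix) - 1] if name != suffix else ""
        hits.append({
            "ts": m["ts"], "image": m["image"], "pid": int(m["pid"]),
            "qname": m["qname"], "suffix": suffix, "host_label": host_label,
        })
    return hits


def summarize(hits):
    """(image, suffix, host_label) -> count: one alert per process and tunnel host."""
    return Counter((h["image"], h["suffix"], h["host_label"]) for h in hits)


if __name__ == "__main__":
    found = tunnel_hits(SAMPLE_LOG)
    for (image, suffix, label), n in summarize(found).items():
        print(f"{image}: {n} lookups for '{label}' under {suffix}")
```

Matching on label boundaries matters: a bare `endswith("ply.gg")` would also flag an unrelated `notply.gg`, and normalising case and the trailing root dot keeps mixed-case or fully-qualified queries from slipping past. Because the lookups are attributed by process, the summary also separates a RAT resolving its tunnel from a user browsing to a legitimate playit.gg-hosted game server.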
14 ETPRO signatures available at the full report
No debug info