File name: t.exe
Full analysis: https://app.any.run/tasks/612d2bb6-cfda-4ff5-a702-a36f20b9e88d
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers establish partial to complete control over infected computers. Such malicious programs often have a modular design and offer a wide range of functionality for conducting illicit activity on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 23, 2024, 15:13:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sheetrat
remote
rat
wmi-base64
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 561F9038C8E65338F62D1D8D3F459D6E
SHA1: 5B05FCEAD24A88DDE920FB1D47E662B5FE08C7C6
SHA256: 5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2
SSDEEP: 3072:IsIWd5rcdwqgCvBl27rI07ZkZsAmkcfpK9Wm55F0Xr1StXbEBq1Jq1:IsFBqL7cI07ZkZs/lm5Xso9bN1Jq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 4144)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 8152)
      • cmd.exe (PID: 5268)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2124)
      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 4232)
      • cmd.exe (PID: 6612)
      • cmd.exe (PID: 5160)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 4508)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 4232)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 7912)
      • cmd.exe (PID: 6320)
      • cmd.exe (PID: 7632)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 5332)
      • cmd.exe (PID: 4312)
      • cmd.exe (PID: 8144)
      • cmd.exe (PID: 6928)
      • cmd.exe (PID: 5356)
      • cmd.exe (PID: 2888)
      • cmd.exe (PID: 5608)
      • cmd.exe (PID: 7568)
      • cmd.exe (PID: 6540)
    • Connects to the CnC server

      • t.exe (PID: 6344)
    • SHEETRAT has been detected (SURICATA)

      • t.exe (PID: 6344)
  • SUSPICIOUS

    • Application launched itself

      • t.exe (PID: 2432)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5976)
    • Connects to unusual port

      • t.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • t.exe (PID: 6344)
    • Contacting a server suspected of hosting a CnC

      • t.exe (PID: 6344)
    • Starts CMD.EXE for command execution

      • t.exe (PID: 6344)
  • INFO

    • Reads the computer name

      • t.exe (PID: 2432)
    • Checks supported languages

      • t.exe (PID: 2432)
    • Found Base64 encoded reference to WMI classes (YARA)

      • t.exe (PID: 6344)
    • Manual execution by a user

      • firefox.exe (PID: 4312)
    • Application launched itself

      • firefox.exe (PID: 8028)
      • firefox.exe (PID: 4312)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2100:10:13 03:20:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 254464
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x4006e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 237.233.64.120
ProductVersionNumber: 175.23.183.221
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft PowerPoint
FileDescription: Microsoft Visual Studio
FileVersion: 237.233.64.120
InternalName: Putty.exe
LegalCopyright: Slack
LegalTrademarks: Unreal Engine
OriginalFileName: Putty.exe
ProductName: WPS Office
ProductVersion: 175.23.183.221
AssemblyVersion: 175.23.183.221
No data.
All screenshots are available in the full report
Total processes: 263
Monitored processes: 127
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive in the full report; only the node labels survive extraction.) start -> t.exe -> t.exe (#SHEETRAT) -> repeated cmd.exe -> conhost.exe / schtasks.exe chains, alongside sppextcomobj.exe, slui.exe, svchost.exe, wmiapsrv.exe, searchapp.exe and firefox.exe nodes.

Process information

PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1156
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1712
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1804
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6456 -childID 10 -isForBrowser -prefsHandle 4540 -prefMapHandle 4404 -prefsLen 31242 -prefMapSize 244343 -jsInitHandle 1412 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fea406e7-5d89-43e9-a84a-ff618d998188} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 193b6efd850 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 123.0
PID: 2100
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: t.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2100
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2124
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CorelDRAW" /tr "C:\Users\admin\AppData\Local\OBS_Studio.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: t.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)

Total events: 12 697
Read events: 12 605
Write events: 83
Delete events: 9

Modification events

(PID) Process: (2432) t.exe
Key: HKEY_CURRENT_USER\SOFTWARE
Operation: write
Name: hwid
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
Operation: write
Name: Export
Value: .NET Memory Cache 4.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
Operation: write
Name: Export
Value: MSDTC Bridge 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage
Operation: write
Name: Export
Value: MSDTC Bridge 4.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelEndpoint 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelOperation 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage
Operation: write
Name: Export
Value: ServiceModelService 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage
Operation: write
Name: Export
Value: SMSvcHost 3.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage
Operation: write
Name: Export
Value: SMSvcHost 4.0.0.0

(PID) Process: (6344) t.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage
Operation: write
Name: Export
Value: Windows Workflow Foundation 3.0.0.0

Executable files: 6
Suspicious files: 618
Text files: 341
Unknown types: 46

Dropped files

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741700807381129.txt~RF97e9a.TMP
MD5:
SHA256:

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\0jUdtV12Tn_stZnlwEN7jHJWY2Y.gz[1].js
Type: binary
MD5: 8C0F73D4C854DC52B555898FEF7EDB54
SHA256: B652F917E744E7A4EADB5DF108D622FD18C793E80445FAA69B1BFFC97BE2529E

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\yy4SnZtT2-rfsZpLbcm-u8xyafQ[1].css
Type: text
MD5: F17DF11A7C86F77E92950D111ABAF4E1
SHA256: 72504249ABB304D8B5F75A5E9182B478112E02773B8A9A276CD4982D8CF842FE

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Type: binary
MD5: 76CE598B3B095331218DD608168D3308
SHA256: B42BE9072AA92101D7E67F61E0387E8E4B5B7FC9CEEEBEF8A20C07C829A57472

PID: 6344
Process: t.exe
Filename: C:\Users\admin\AppData\Local\OBS_Studio.exe
Type: executable
MD5: 561F9038C8E65338F62D1D8D3F459D6E
SHA256: 5AC32ECF760B98F2FF4A1539FE6090370590F83C7B38230730B143CA96857EB2

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741700807381129.txt.~tmp
Type: ini
MD5: EBA9D627AEFA0148EA256382E454768F
SHA256: 85F02886D53B7427792E54BCEE97D366AD46F78CF90AA25DCC3FAE29ED7FA7F8

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\6aa-EF2IAVwnTTOiwAbhwI_VmCw[1].jss
MD5: B2C3CBF8A1D940D6C83D59A67486675C
SHA256: 08EA9109346E9018ED50567503D2C141F7A84CFDE80EB25E97FDDCFE270BAA67

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133741700807381129.txt
Type: ini
MD5: EBA9D627AEFA0148EA256382E454768F
SHA256: 85F02886D53B7427792E54BCEE97D366AD46F78CF90AA25DCC3FAE29ED7FA7F8

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\f4st08wpuYBQ5KWRJ3MqAsJB8zg[1].css
Type: text
MD5: 3D24779C6014BCFEFB3D9A80B8F3567B
SHA256: A7EF8FAA37710D7E90C9C8950C203C8DA82410780F872E4F217EE636250D831F

PID: 6960
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c962cc1c-5e83-4111-9032-de81b29398a3}\0.0.filtertrie.intermediate.txt
Type: text
MD5: 313FB75B427790D01342FE144D9C3C06
SHA256: 50DBBA1A26C02E1C1B831C474708E68C9B11E3FCF6B254AE908A2C3007D88100

Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 53
TCP/UDP connections: 200
DNS requests: 170
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
632 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | POST | 200 | 142.250.185.131:80 | http://o.pki.goog/wr2 | unknown | whitelisted
- | - | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
4904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4904 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
- | - | POST | 200 | 195.138.255.18:80 | http://r10.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4360 | SearchApp.exe | 92.122.215.95:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
632 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.166, 23.48.23.167, 23.48.23.143, 23.48.23.147, 23.48.23.164, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
www.bing.com | 92.122.215.95, 92.122.215.53, 92.122.215.57, 2.20.142.3, 2.20.142.180, 92.122.215.65, 2.20.142.251, 2.20.142.4, 92.122.215.60, 2.20.142.154, 92.122.215.74, 2.20.142.155 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.136, 20.190.160.14, 20.190.160.20, 40.126.32.138, 40.126.32.74, 40.126.32.133, 40.126.32.76, 40.126.32.140 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
th.bing.com | 2.20.142.155, 2.20.142.154, 2.20.142.187, 2.20.142.251, 2.20.142.3, 92.122.215.57, 92.122.215.60, 2.20.142.180, 92.122.215.65, 104.126.37.130, 104.126.37.131, 104.126.37.128, 104.126.37.179, 104.126.37.170, 104.126.37.186, 104.126.37.136, 104.126.37.123, 104.126.37.171 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
2172 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
2172 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
6344 | t.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping)
6344 | t.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping)

14 ETPRO signatures available in the full report
No debug info