URL:

https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6

Full analysis: https://app.any.run/tasks/1a12d2f5-397f-4824-9240-7d456f4c9c34
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: September 07, 2024, 18:30:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
xor-url
generic
sheetrat
rat
Indicators:
MD5:

7D3D838275EB4ED4E3856939CA4FF2C2

SHA1:

A9E2FF467617F70983C16246A5D319C89BFDC220

SHA256:

6E7A13C6A0854AEDA7BBCCA27B5AAB52672238C3BF174E6DC8EB708DFA7C0931

SSDEEP:

3:N8tEdJEwCFkO9JOGRJAKIRKvs2zRgFT3n:2uPpgOGXvIRKfzG5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SHEETRAT has been detected (YARA)

      • Server.exe (PID: 7648)

    • XORed URL has been found (YARA)

      • Server.exe (PID: 7648)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • firefox.exe (PID: 2456)
      • 7Zip-2408-x64.exe (PID: 3144)

    • Executable content was dropped or overwritten

      • 7Zip-2408-x64.exe (PID: 3144)
      • 7zG.exe (PID: 7404)
      • Server.exe (PID: 7648)

    • Creates/Modifies COM task schedule object

      • 7Zip-2408-x64.exe (PID: 3144)

    • Creates a software uninstall entry

      • 7Zip-2408-x64.exe (PID: 3144)

    • Drops a system driver (possible attempt to evade defenses)

      • 7zG.exe (PID: 7404)

    • Reads security settings of Internet Explorer

      • Server.exe (PID: 7648)

    • Process drops legitimate windows executable

      • 7zG.exe (PID: 7404)

    • The process creates files with name similar to system file names

      • 7zG.exe (PID: 7404)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 2456)
      • firefox.exe (PID: 5072)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2456)

    • Checks supported languages

      • 7Zip-2408-x64.exe (PID: 3144)
      • 7zG.exe (PID: 5212)
      • 7zG.exe (PID: 7404)
      • Server.exe (PID: 7648)

    • Reads the computer name

      • 7Zip-2408-x64.exe (PID: 3144)
      • 7zG.exe (PID: 5212)
      • Server.exe (PID: 7648)
      • 7zG.exe (PID: 7404)

    • Creates files in the program directory

      • 7Zip-2408-x64.exe (PID: 3144)

    • The process uses the downloaded file

      • firefox.exe (PID: 2456)
      • WinRAR.exe (PID: 7736)
      • Server.exe (PID: 7648)

    • Manual execution by a user

      • 7zG.exe (PID: 5212)
      • WinRAR.exe (PID: 7736)
      • 7zG.exe (PID: 7404)
      • Server.exe (PID: 7648)

    • Reads the machine GUID from the registry

      • Server.exe (PID: 7648)

    • Reads the software policy settings

      • Server.exe (PID: 7648)

    • Creates files or folders in the user directory

      • Server.exe (PID: 7648)

    • Sends debugging messages

      • Server.exe (PID: 7648)

    • Checks proxy server information

      • Server.exe (PID: 7648)

    • Create files in a temporary directory

      • Server.exe (PID: 7648)

    • Disables trace logs

      • Server.exe (PID: 7648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(7648) Server.exe
Decrypted-URLs (1)http://marketdedamoroza.webhop.me/index.html
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
19
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs firefox.exe no specs 7zip-2408-x64.exe no specs 7zip-2408-x64.exe 7zg.exe no specs winrar.exe no specs 7zg.exe #XOR-URL server.exe

Process information

PID
CMD
Path
Indicators
Parent process
232"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2928 -prefsLen 26706 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430b87ac-b30e-4b5c-b333-5483a1dece14} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19292c6e850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2080"C:\Users\admin\Downloads\7Zip-2408-x64.exe" C:\Users\admin\Downloads\7Zip-2408-x64.exefirefox.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
3221226540
Version:
24.08
Modules
Images
c:\users\admin\downloads\7zip-2408-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2228"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac974cc-d66c-4cf9-84b0-4486e9b8457e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 192971f74d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2456"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
3144"C:\Users\admin\Downloads\7Zip-2408-x64.exe" C:\Users\admin\Downloads\7Zip-2408-x64.exe
firefox.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Installer
Exit code:
0
Version:
24.08
Modules
Images
c:\users\admin\downloads\7zip-2408-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
4444"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240213221259 -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ab9857-09d1-4272-af2d-c54b1b17d45e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19281081110 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
5072"C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll
5212"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\admin\Downloads\RAT\" -an -ai#7zMap1705:308:7zEvent20929C:\Program Files\7-Zip\7zG.exeexplorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip GUI
Exit code:
255
Version:
24.08
Modules
Images
c:\program files\7-zip\7zg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5548"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7140 -childID 7 -isForBrowser -prefsHandle 7132 -prefMapHandle 7128 -prefsLen 31936 -prefMapSize 244343 -jsInitHandle 1204 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b69b26b9-f32d-43ad-a6ed-14ae932710ae} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 1929701ef50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
6152"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5256 -prefMapHandle 5252 -prefsLen 36339 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf23a7c1-fd9f-450b-87fb-b9bf5526dc9e} 2456 "\\.\pipe\gecko-crash-server-pipe.2456" 19295e7c910 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
16 695
Read events
16 653
Write events
42
Delete events
0

Modification events

(PID) Process:(2456) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(2456) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:writeName:Path64
Value:
C:\Program Files\7-Zip\
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_CURRENT_USER\SOFTWARE\7-Zip
Operation:writeName:Path
Value:
C:\Program Files\7-Zip\
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:writeName:Path64
Value:
C:\Program Files\7-Zip\
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
Operation:writeName:Path
Value:
C:\Program Files\7-Zip\
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:writeName:{23170F69-40C1-278A-1000-000100020000}
Value:
7-Zip Shell Extension
(PID) Process:(3144) 7Zip-2408-x64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:writeName:{23170F69-40C1-278A-1000-000100020000}
Value:
7-Zip Shell Extension
Executable files
74
Suspicious files
206
Text files
140
Unknown types
4

Dropped files

PID
Process
Filename
Type
2456firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.jstext
MD5:7A97B8DBC4F98D175F958C00F463A52A
SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journalbinary
MD5:0867F03008CAD53A30A0778CFCD45AF3
SHA256:FC4D320C4479DFAEBF2EDD56ABDB13CE06EC0864975E177FDDAF691EA22EF7CD
2456firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
116
DNS requests
142
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2456
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
2456
firefox.exe
POST
200
184.24.77.46:80
http://r10.o.lencr.org/
unknown
2456
firefox.exe
POST
200
184.24.77.46:80
http://r10.o.lencr.org/
unknown
2456
firefox.exe
POST
200
184.24.77.46:80
http://r10.o.lencr.org/
unknown
2456
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
2456
firefox.exe
POST
200
184.24.77.46:80
http://r10.o.lencr.org/
unknown
2456
firefox.exe
POST
142.250.185.163:80
http://o.pki.goog/wr2
unknown
2456
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
2456
firefox.exe
POST
200
142.250.185.163:80
http://o.pki.goog/wr2
unknown
2456
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7072
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6160
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2456
firefox.exe
216.58.212.170:443
safebrowsing.googleapis.com
whitelisted
2456
firefox.exe
34.107.243.93:443
push.services.mozilla.com
whitelisted
2456
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
2456
firefox.exe
34.117.188.166:443
contile.services.mozilla.com
whitelisted
2456
firefox.exe
140.82.121.4:443
github.com
GITHUB
US
shared
2456
firefox.exe
34.36.165.17:443
tiles-cdn.prod.ads.prod.webservices.mozgcp.net
GOOGLE-CLOUD-PLATFORM
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 52.191.219.104
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
github.com
  • 140.82.121.4
shared
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted
spocs.getpocket.com
  • 34.117.188.166
whitelisted
prod.ads.prod.webservices.mozgcp.net
  • 34.117.188.166
unknown
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Process
Message
Server.exe
SQLiteVersion: 3.8.11.1 | 2015-07-29 20:00:57 cf538e2783e468bbc25e7cb2a9ee64d3e0e80b2f | INTEROP_CODEC INTEROP_EXTENSION_FUNCTIONS INTEROP_VIRTUAL_TABLE NET_40 PRELOAD_NATIVE_LIBRARY THROW_ON_DISPOSED TRACE TRACE_PRELOAD TRACE_SHARED TRACE_WARNING USE_PREPARE_V2 WINDOWS
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/Cryakl/Ultimate-RAT-Collection/tree/main/SheetRat/Sheet%20rat%20v2.6