| File name: | file_648701.exe |
| Full analysis: | https://app.any.run/tasks/11703a4c-d95b-4bb3-b870-14c36d64112d |
| Verdict: | Malicious activity |
| Threats: | A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. |
| Analysis date: | February 02, 2026, 10:23:23 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 24A9CD093F9C4B73B7190B3CDD2F786E |
| SHA1: | 7A2BD18D12B6F39A2CF03B72E121CFEC41F75EBF |
| SHA256: | 7D7E1B0508ED08AC404D5850344ABD308FD5A62D06AE5F004FD5B06AA48B6626 |
| SSDEEP: | 98304:dA7qGRplv9T1+YeZcvnqkqsflxtemNXcz6vh7U8OF4Timiaif9cpaIcuuAXmubez:4lrZcrPAk |
MALICIOUS
ANDROMEDA mutex has been found
- file_648701.exe (PID: 5080)
Loads dropped or rewritten executable
- consent.exe (PID: 7312)
- file_648701.exe (PID: 5080)
- WMIC.exe (PID: 6056)
- lsass.exe (PID: 804)
- svchost.exe (PID: 7092)
- WMIC.exe (PID: 5608)
- svchost.exe (PID: 8068)
- CompatTelRunner.exe (PID: 3036)
- RUXIMICS.exe (PID: 2424)
- taskhostw.exe (PID: 7820)
- MoUsoCoreWorker.exe (PID: 6768)
Uses Task Scheduler to run other applications
- file_648701.exe (PID: 5080)
Changes the autorun value in the registry
- file_648701.exe (PID: 5080)
SUSPICIOUS
Process drops legitimate windows executable
- file_648701.exe (PID: 5080)
Executable content was dropped or overwritten
- file_648701.exe (PID: 5080)
Executes as Windows Service
- pdk1.exe (PID: 2564)
Uses WMIC.EXE to obtain Windows Installer data
- pdk1.exe (PID: 2564)
- pdk1.exe (PID: 6720)
Searches for installed software
- svchost.exe (PID: 7092)
- CompatTelRunner.exe (PID: 3036)
Reads the date of Windows installation
- file_648701.exe (PID: 5080)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 5608)
- WMIC.exe (PID: 6056)
INFO
The sample compiled with english language support
- file_648701.exe (PID: 5080)
Checks supported languages
- file_648701.exe (PID: 5080)
- pdk1.exe (PID: 2564)
- RUXIMICS.exe (PID: 2424)
- pdk1.exe (PID: 6720)
Reads the computer name
- file_648701.exe (PID: 5080)
- pdk1.exe (PID: 6720)
- pdk1.exe (PID: 2564)
Reads the machine GUID from the registry
- file_648701.exe (PID: 5080)
Drops script file
- file_648701.exe (PID: 5080)
Creates files in the program directory
- file_648701.exe (PID: 5080)
- MoUsoCoreWorker.exe (PID: 6768)
- RUXIMICS.exe (PID: 2424)
Process checks computer location settings
- file_648701.exe (PID: 5080)
Launching a file from Task Scheduler
- file_648701.exe (PID: 5080)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 6056)
- file_648701.exe (PID: 5080)
- WMIC.exe (PID: 5608)
Creates a software uninstall entry
- file_648701.exe (PID: 5080)
Creates files or folders in the user directory
- file_648701.exe (PID: 5080)
Launching a file from a Registry key
- file_648701.exe (PID: 5080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:01:20 12:30:25+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 4144640 |
| InitializedDataSize: | 1891328 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3b5fe0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Unknown (0) |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Norton |
| FileDescription: | Defender Security Update |
| FileVersion: | 1.0.0.0 |
| InternalName: | default |
| LegalCopyright: | My Name |
| ProductName: | Defender Security Update |
| ProductVersion: | 1.0.0.0 |
Total processes
160
Monitored processes
19
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 804 | C:\WINDOWS\system32\lsass.exe | C:\Windows\System32\lsass.exe | — | wininit.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Local Security Authority Process Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2424 | %ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetwork | C:\Program Files\RUXIM\RUXIMICS.exe | — | PLUGScheduler.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Reusable UX Interaction Manager Exit code: 0 Version: 10.0.19041.3623 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2564 | "C:\Users\admin\AppData\Roaming\pdk1.exe" -appkey=ftzvHbTfJ2D8gDky | C:\Users\admin\AppData\Roaming\pdk1.exe | services.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Modules
| |||||||||||||||
| 3036 | C:\WINDOWS\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW | C:\Windows\System32\CompatTelRunner.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Compatibility Telemetry Exit code: 0 Version: 10.0.19645.1102 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5080 | "C:\Users\admin\AppData\Local\Temp\file_648701.exe" | C:\Users\admin\AppData\Local\Temp\file_648701.exe | explorer.exe | ||||||||||||
User: admin Company: Norton Integrity Level: HIGH Description: Defender Security Update Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 5608 | wmic csproduct get UUID | C:\Windows\System32\wbem\WMIC.exe | — | pdk1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6056 | wmic csproduct get UUID | C:\Windows\System32\wbem\WMIC.exe | — | pdk1.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6348 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | WMIC.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6544 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6720 | "C:\Users\admin\AppData\Roaming\pdk1.exe" | C:\Users\admin\AppData\Roaming\pdk1.exe | — | file_648701.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 4294967295 Modules
| |||||||||||||||
Total events
86 512
Read events
85 841
Write events
473
Delete events
198
Modification events
| (PID) Process: | (804) lsass.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits |
| Operation: | write | Name: | SecureTimeHigh |
Value: 20CD26CFEB70DC01 | |||
| (PID) Process: | (804) lsass.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits |
| Operation: | write | Name: | SecureTimeEstimated |
Value: 2065626DE370DC01 | |||
| (PID) Process: | (804) lsass.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits |
| Operation: | write | Name: | SecureTimeLow |
Value: 20FD9D0BDB70DC01 | |||
| (PID) Process: | (804) lsass.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime |
| Operation: | write | Name: | SecureTimeTickCount |
Value: C1521E0000000000 | |||
| (PID) Process: | (804) lsass.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime |
| Operation: | write | Name: | SecureTimeConfidence |
Value: 8 | |||
| (PID) Process: | (7092) svchost.exe | Key: | \REGISTRY\A\{102f2831-f297-283a-0cc4-0d891f3aeb8a}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (7092) svchost.exe | Key: | \REGISTRY\A\{102f2831-f297-283a-0cc4-0d891f3aeb8a}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7092) svchost.exe | Key: | \REGISTRY\A\{102f2831-f297-283a-0cc4-0d891f3aeb8a}\Root\InventoryApplicationFile\file_648701.exe|f86572b711c87564 |
| Operation: | write | Name: | ProgramId |
Value: 00063bba9311ac8fedbdec7d0afa2cd5b50500000904 | |||
| (PID) Process: | (7092) svchost.exe | Key: | \REGISTRY\A\{102f2831-f297-283a-0cc4-0d891f3aeb8a}\Root\InventoryApplicationFile\file_648701.exe|f86572b711c87564 |
| Operation: | write | Name: | FileId |
Value: 00007a2bd18d12b6f39a2cf03b72e121cfec41f75ebf | |||
| (PID) Process: | (7092) svchost.exe | Key: | \REGISTRY\A\{102f2831-f297-283a-0cc4-0d891f3aeb8a}\Root\InventoryApplicationFile\file_648701.exe|f86572b711c87564 |
| Operation: | write | Name: | LowerCaseLongPath |
Value: c:\users\admin\appdata\local\temp\file_648701.exe | |||
Executable files
4
Suspicious files
70
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5080 | file_648701.exe | C:\Program Files\Google\Chrome\Application\Extensions\updates.xml | xml | |
MD5:D5332086672215E9581C65D93FB9F918 | SHA256:ED31C790FA3A9CC2FF606159B3E89D29864733DEBABC3762DDA3223DC6FD9DA7 | |||
| 5080 | file_648701.exe | C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest | text | |
MD5:4333ACE6F8B5BAC29394D3E4409929F9 | SHA256:B8461B89BA761FD92B16ECEA08860DA463C4802F232AEEECA1E6EAA32324F29F | |||
| 5080 | file_648701.exe | C:\Windows\System32\shlwapi_p.dll | executable | |
MD5:530F43CB92295C5272B39EC2FE19A3F1 | SHA256:90AB63A474F88C82419529674E97281707EA937BE97A04D6CDB4BF610C475E6D | |||
| 5080 | file_648701.exe | C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll | executable | |
MD5:6EF0FA23576A8864B2D4B2032BD47D9A | SHA256:FD0EB03E533C4EA960BED320079045FEB5792BC7AA2C86E605F753674913A0F1 | |||
| 8068 | svchost.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:05DDF56FC804F432398703E32AF90A79 | SHA256:7193D01CF9580401784B76B581FABC0D63B97D49977EDD15370DF6967EF2F443 | |||
| 5080 | file_648701.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest | xml | |
MD5:DBC9CD2992113A2485C68D18FF1E82A0 | SHA256:53309EA657D63B9D3BC2442DE44B67D4431B64AD8B0163B188BC5FD143353303 | |||
| 5080 | file_648701.exe | C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml | xml | |
MD5:4F226A9A717D92D7C287480961A8A9FC | SHA256:85072C13CB61BFC455CC9B657288F65F646108992D59815CBB5C352D8F79819D | |||
| 5080 | file_648701.exe | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll | executable | |
MD5:6EF0FA23576A8864B2D4B2032BD47D9A | SHA256:FD0EB03E533C4EA960BED320079045FEB5792BC7AA2C86E605F753674913A0F1 | |||
| 5080 | file_648701.exe | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest | text | |
MD5:4333ACE6F8B5BAC29394D3E4409929F9 | SHA256:B8461B89BA761FD92B16ECEA08860DA463C4802F232AEEECA1E6EAA32324F29F | |||
| 7092 | svchost.exe | C:\Windows\appcompat\Programs\Install\INSTALL_0000_3f0b5853-3c2b-4775-ab2f-452eff4f045d.txt | binary | |
MD5:E249DF590BA34B1CAA0C09CC48E40F5E | SHA256:12EEC3700248721A9C6048D2730EDDE15F8137EA5A7F2F9F7585EB5A101F4C56 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
23
DNS requests
22
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8068 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
6788 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
6788 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
6788 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
6788 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
8068 | svchost.exe | GET | 200 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.66 Kb | whitelisted |
8068 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
356 | svchost.exe | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted |
356 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
5512 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8068 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5080 | file_648701.exe | 104.21.94.105:443 | statssrv.com | CLOUDFLARENET | US | whitelisted |
5080 | file_648701.exe | 104.21.61.140:443 | systemsafetycheck.com | CLOUDFLARENET | US | whitelisted |
8068 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
8068 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3412 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
self.events.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
statssrv.com |
| unknown |
systemsafetycheck.com |
| unknown |
ftzvHbTfJ2D8gDky.api-seed.packetsdk.xyz |
| unknown |
ftzvHbTfJ2D8gDky.api-seed.packetsdk.net |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
8068 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
Process | Message |
|---|---|
pdk1.exe | RegisterServiceCtrlHandler succeed |
pdk1.exe | Service starting... |
pdk1.exe | Service running... |