So this is just a list of what Sysmon sees on boot. This is Windows 10 Pro with all the security settings set as strict as allowed. It was a fresh install, updated, with no applications installed and no user interaction. Interesting that Procmon running on Windows 10 doesn't show any of this activity. The CSV is below; read it from the bottom up (the newest entries are at the top).
Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:02:16 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:02:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:57 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:45 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:42 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:38 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:33 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:01:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:01:04 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 191.232.139.170
Information,2/5/2016,12:00:53 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:50 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:38 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 134.170.179.87
Information,2/5/2016,12:00:37 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.61.66
Information,2/5/2016,12:00:36 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 134.170.179.87
Information,2/5/2016,12:00:35 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.61.66
Information,2/5/2016,12:00:31 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 127.0.0.1
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 239.255.255.250
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 64.4.54.253
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 131.253.40.84
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.200.101
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 23.196.87.75
Information,2/5/2016,12:00:30 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.231.255.140
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,12:00:28 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 107.20.234.199
Information,2/5/2016,12:00:14 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:59:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:59:25 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:24 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:23 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:59:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:59:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.165
Information,2/5/2016,11:59:17 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:59:16 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:59:13 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.129.104.158
Information,2/5/2016,11:58:57 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 111.221.29.222
Information,2/5/2016,11:58:54 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,11:58:52 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:50 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 64.4.54.36
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.137.132
Information,2/5/2016,11:58:29 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 64.129.104.150
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.225.172.125
Information,2/5/2016,11:58:28 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\BackgroundTransferHost.exe tcp 172.226.113.163
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 198.41.215.184
Information,2/5/2016,11:58:23 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.252
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 198.41.215.184
Information,2/5/2016,11:58:22 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:21 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.252
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 72.21.91.8
Information,2/5/2016,11:58:20 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.52.108.103
Information,2/5/2016,11:58:19 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 72.21.91.8
Information,2/5/2016,11:58:18 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\backgroundTaskHost.exe tcp 65.52.108.103
Information,2/5/2016,11:58:12 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe tcp 204.79.197.200
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:56 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:3
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 65.55.113.11
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 172.225.172.182
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 10.10.0.25
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp a0a:19:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:2
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.15
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,System udp 10.0.2.255
And the matching IP-to-name lookups, as a unique list:
107.20.234.199 version.hybrid.api.here.com
111.221.29.222 tsfe.trafficshaping.dsp.mp.microsoft.com
131.253.40.84 platform.maps.glbdns2.microsoft.com
131.253.61.66 login.live.com.nsatc.net
134.170.179.87 device.auth.xboxlive.com
172.225.172.125 store-images.microsoft.com
172.225.172.182 go.microsoft.com.edgekey.net
172.226.113.163 store-images.s-microsoft.com
172.226.137.132 sci1-1.am.microsoft.com
172.231.200.101 t0.ssl.ak.dynamic.tiles.virtualearth.net
172.231.255.140 t0.ssl.ak.tiles.virtualearth.net
191.232.139.170 tsfe.trafficshaping.dsp.mp.microsoft.com
198.41.215.184 ocsp.msocsp.com
204.79.197.200 tse4.mm.bing.net
23.196.87.75 ssl2.tiles.virtualearth.net.edgekey.net
64.129.104.150 static.btrd.net
64.129.104.158 ctldl.windowsupdate.nsatc.net
64.129.104.165 ctldl.windowsupdate.nsatc.net
64.4.54.253 settings-win.data.microsoft.com
64.4.54.36 licensing.mp.microsoft.com
65.52.108.103 arc.msn.com
65.52.108.252 rpt.msn.com
65.55.113.11 dmd.metaservices.microsoft.com
72.21.91.8 cdn.optimizely.com
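The export above is a boot-time network baseline, and the name list is what makes it reviewable. As an added example (not code from the original post), the script below parses the flattened CSV layout shown (the last column holds process, protocol and destination separated by spaces), aggregates destinations per process, joins them against the IP-to-name list, classifies each address (loopback, multicast, link-local, private, public) and reports unicast destinations the list does not cover, which is the set a defender would go and explain first. It also handles the odd entries such as `e000:fc:0:0:0:0:0:0`: these look like IPv4 addresses written in IPv6 notation (`e000:00fc` is 224.0.0.252, the LLMNR multicast group, and `a0a:19` is 10.10.0.25, which appears in dotted form in the same second), so the script decodes them under that labelled assumption. The sample rows and the subset of the name map are copied from the page; the function names are the example's own.

```python
"""Baseline a Sysmon network-connection export in the layout shown above.
Added example, not part of the original post.  Columns are
Type,Date,Time,Domain\\User,Computer,"Process proto dst ip"."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: nine rows copied from the export above, same layout.
SAMPLE_CSV = r"""Type,Date,Time,Domain\User,Computer,Process proto dst ip
Information,2/5/2016,12:02:16 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe tcp 111.221.29.222
Information,2/5/2016,12:00:38 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 134.170.179.87
Information,2/5/2016,12:00:31 PM,\SYSTEM,DESKTOP-GTO9KN6,System udp 239.255.255.250
Information,2/5/2016,12:00:29 PM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\CompatTelRunner.exe tcp 64.4.54.253
Information,2/5/2016,11:58:11 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\SppExtComObj.Exe tcp 10.0.5.34
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp e000:fc:0:0:0:0:0:0
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp ff02:0:0:0:0:0:1:3
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp 10.10.0.25
Information,2/5/2016,11:57:55 AM,\SYSTEM,DESKTOP-GTO9KN6,C:\Windows\System32\svchost.exe udp a0a:19:0:0:0:0:0:0
"""

# Subset of the IP-to-name list from the post; anything absent is reported.
NAMES = {
    "111.221.29.222": "tsfe.trafficshaping.dsp.mp.microsoft.com",
    "134.170.179.87": "device.auth.xboxlive.com",
    "64.4.54.253": "settings-win.data.microsoft.com",
}


def split_last_field(field):
    """'C:\\dir with spaces\\x.exe tcp 1.2.3.4' -> (process, proto, dst).
    Split from the right so a process path containing spaces stays whole."""
    process, proto, dst = field.rsplit(" ", 2)
    return process, proto.lower(), dst


def normalize_ip(raw):
    """Assumption: an IPv6 literal whose first 32 bits are non-zero and whose
    remaining 96 bits are zero (e000:fc::, a0a:19::) is an IPv4 address that
    was rendered in IPv6 notation; return it as IPv4.  Everything else is
    returned as parsed."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6:
        packed = ip.packed
        if packed[4:] == bytes(12) and packed[:4] != bytes(4):
            return ipaddress.IPv4Address(packed[:4])
    return ip


def classify(ip):
    """Coarse address class, most specific test first."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def parse_export(text):
    """Parse the CSV text into event dicts with a normalized 'ip' field."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        process, proto, dst = split_last_field(row["Process proto dst ip"])
        events.append({
            "when": f'{row["Date"]} {row["Time"]}',
            "process": process.rsplit("\\", 1)[-1],  # basename for grouping
            "path": process,
            "proto": proto,
            "ip": normalize_ip(dst),
        })
    return events


def summarize(events, names=NAMES):
    """{(process, proto, ip): {count, class, name}} for the whole export."""
    counts = Counter((e["process"], e["proto"], str(e["ip"])) for e in events)
    return {
        key: {"count": n,
              "class": classify(ipaddress.ip_address(key[2])),
              "name": names.get(key[2], "UNMAPPED")}
        for key, n in counts.items()
    }


def unmapped(events, names=NAMES):
    """Unicast destinations with no entry in the name list, sorted."""
    seen = {e["ip"] for e in events}
    wanted = [ip for ip in seen
              if classify(ip) not in ("loopback", "multicast", "link-local")
              and str(ip) not in names]
    return [str(ip) for ip in sorted(wanted, key=lambda a: (a.version, a))]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_CSV)
    for (proc, proto, ip), info in sorted(summarize(evs).items()):
        print(f'{proc:20} {proto:4} {ip:16} {info["class"]:10} '
              f'x{info["count"]}  {info["name"]}')
    print("not in name list:", ", ".join(unmapped(evs)))
```

Running it on the full export instead of the sample (replace `SAMPLE_CSV` with the file contents) gives one line per process/protocol/destination triple, which is a compact baseline to diff against on the next boot; the `UNMAPPED` rows are the ones worth resolving and adding to the name list, and the LAN addresses (10.0.5.34 from SppExtComObj.Exe, 10.10.0.25 from svchost.exe) are the ones to check against the local KMS, DNS and DHCP configuration rather than a public hostname.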