Botnet:Blacklist

Today I got this alert 5 times in an hour. The process varies.

  • Threat name: Botnet:Blacklist.
  • URL: tcp://40.127.240.158:443 (VirusTotal links: IP, HTTPS)
  • Process: C:\Windows\System32\svchost.exe, C:\Windows\UUS\Packages\Preview\amd64\MoUsoCoreWorker.exe, C:\Windows\System32\taskhostw.exe
  • Detected by: Web Shield
  • Status: Connection aborted

How to get rid of this?

https://i.imgur.com/DUSVGqZ.png

Visiting https://40.127.240.158 gives a certificate error. The certificate is not issued to this domain name, but to settings.data.microsoft.com. Pinging this pings several IP addresses. Sometimes it is the IP address in question. Examples (each line is the first line of the output of ping settings.data.microsoft.com):


Pinging settings-prod-neu-1.northeurope.cloudapp.azure.com [40.127.240.158] with 32 bytes of data:
Pinging settings-prod-neu-2.northeurope.cloudapp.azure.com [51.104.136.2] with 32 bytes of data:
Pinging settings-prod-neu-3.northeurope.cloudapp.azure.com [4.231.128.59] with 32 bytes of data:
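
The correlation described in the post, as an added example that is not part of the original post: it parses the first line of each `ping` output and checks whether the address from the alert is one of the addresses the name resolved to. The function names are hypothetical, and the sample inputs are the alert URL and ping lines quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# First line of Windows ping output: "Pinging <host> [<ip>] with 32 bytes of data:"
PING_HEADER = re.compile(r"^Pinging\s+(?P<host>\S+)\s+\[(?P<ip>[^\]]+)\]")

# Sample inputs copied from the post above.
ALERT_URL = "tcp://40.127.240.158:443"
PING_LINES = [
    "Pinging settings-prod-neu-1.northeurope.cloudapp.azure.com [40.127.240.158] with 32 bytes of data:",
    "Pinging settings-prod-neu-2.northeurope.cloudapp.azure.com [51.104.136.2] with 32 bytes of data:",
    "Pinging settings-prod-neu-3.northeurope.cloudapp.azure.com [4.231.128.59] with 32 bytes of data:",
]


def parse_ping_header(line):
    """Return (canonical_host, ip) from a ping header line, or None for other lines."""
    m = PING_HEADER.match(line.strip())
    if not m:
        return None
    return m.group("host").lower(), ipaddress.ip_address(m.group("ip"))


def triage(alert_url, ping_lines):
    """Compare the address in the alert URL with the addresses seen in repeated pings."""
    parts = urlsplit(alert_url)
    flagged = ipaddress.ip_address(parts.hostname)
    answers = [p for p in map(parse_ping_header, ping_lines) if p]
    matches = sorted(host for host, ip in answers if ip == flagged)
    return {
        "flagged_ip": str(flagged),
        "port": parts.port,
        "pool": sorted({str(ip) for _, ip in answers}),
        "matching_hosts": matches,
        # True only means the name resolved to this address at least once;
        # it is one piece of evidence, alongside the certificate name.
        "in_pool": bool(matches),
    }


if __name__ == "__main__":
    for key, value in triage(ALERT_URL, PING_LINES).items():
        print(f"{key}: {value}")
```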