Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
188s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
10/02/2022, 02:57 UTC
Static task
static1
Behavioral task
behavioral1
Sample
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
Resource
win10v2004-en-20220112
General
-
Target
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe
-
Size
2.9MB
-
MD5
d54474edd997f5ae1772d45974bd7005
-
SHA1
1c6dd6518d61df04fe42b4280cbe1c0e62bb352b
-
SHA256
475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57
-
SHA512
e9f187eebdbef0c0b38d01c163c827ed6e6e5fcbe355ac50cded01521425a558f3d090c8b6d1039c760c623ca20432fe830d647428188428761e4b3a75d067f9
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Modifies data under HKEY_USERS 45 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.075265" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132891120901901271" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe -
Modifies registry class 21 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\ = "URL:de.web.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\ = "URL:net.gmx.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\ = "URL:com.mail.mcl.redirect" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\URL Protocol 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\com.mail.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open\command 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\net.gmx.mcl.redirect\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe --weblogin \"%1\"" 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\de.web.mcl.redirect\shell\open 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2136 msedge.exe 2136 msedge.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3284 wrote to memory of 408 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 68 PID 3284 wrote to memory of 408 3284 475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe 68 PID 408 wrote to memory of 452 408 msedge.exe 69 PID 408 wrote to memory of 452 408 msedge.exe 69 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 540 408 msedge.exe 71 PID 408 wrote to memory of 2136 408 msedge.exe 72 PID 408 wrote to memory of 2136 408 msedge.exe 72 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73 PID 408 wrote to memory of 636 408 msedge.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"1⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe"C:\Users\Admin\AppData\Local\Temp\475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe" /SU1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --new-window "http://go.1und1.de/os/win/edge_runonce"2⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bd2046f8,0x7ff9bd204708,0x7ff9bd2047183⤵PID:452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵PID:540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2740 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,7881462317759381813,8669994732358346024,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:83⤵PID:636
-
-
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:3348
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3164
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3292
Network
-
Remote address:8.8.8.8:53Requestsettings-win.data.microsoft.comIN AResponsesettings-win.data.microsoft.comIN CNAMEatm-settingsfe-prod-geo.trafficmanager.netatm-settingsfe-prod-geo.trafficmanager.netIN CNAMEsettings-prod-eus2-1.eastus2.cloudapp.azure.comsettings-prod-eus2-1.eastus2.cloudapp.azure.comIN A52.167.249.196
-
Remote address:8.8.8.8:53Requestsettings-win.data.microsoft.comIN AResponsesettings-win.data.microsoft.comIN CNAMEatm-settingsfe-prod-geo.trafficmanager.netatm-settingsfe-prod-geo.trafficmanager.netIN CNAMEsettings-prod-eus2-2.eastus2.cloudapp.azure.comsettings-prod-eus2-2.eastus2.cloudapp.azure.comIN A52.167.17.97
-
Remote address:8.8.8.8:53Requestsettings-win.data.microsoft.comIN AResponsesettings-win.data.microsoft.comIN CNAMEatm-settingsfe-prod-geo.trafficmanager.netatm-settingsfe-prod-geo.trafficmanager.netIN CNAMEsettings-prod-eus2-1.eastus2.cloudapp.azure.comsettings-prod-eus2-1.eastus2.cloudapp.azure.comIN A52.167.249.196
-
Remote address:8.8.8.8:53Requestgo.1und1.deIN AResponsego.1und1.deIN CNAMEredir.g-ha-web.deredir.g-ha-web.deIN A82.165.229.87
-
Remote address:8.8.8.8:53Requestdl.1und1.deIN AResponsedl.1und1.deIN CNAMEdl.1und1.de.edgekey.netdl.1und1.de.edgekey.netIN CNAMEe5416.g.akamaiedge.nete5416.g.akamaiedge.netIN A104.80.224.162
-
GEThttp://dl.1und1.de/backend/ie/hotnews-de-de-2.7.9.xml475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:80RequestGET /backend/ie/hotnews-de-de-2.7.9.xml HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Host: dl.1und1.de
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: BigIP
Content-Length: 0
Cache-Control: max-age=30170401
Date: Thu, 10 Feb 2022 03:01:05 GMT
Connection: keep-alive
-
GEThttp://go.1und1.de/tb/ie_desktop_shortcuts475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:82.165.229.87:80RequestGET /tb/ie_desktop_shortcuts HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Host: go.1und1.de
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Location: http://download.1und1.de/backend/ie/ie_desktop_shortcuts
Content-Length: 240
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
GEThttp://go.1und1.de/tb/ie_shop_providers475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:82.165.229.87:80RequestGET /tb/ie_shop_providers HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Host: go.1und1.de
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Location: https://suche.1und1.de/starthp?src=go_fallback
Content-Length: 230
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
Remote address:8.8.8.8:53Requestdownload.1und1.deIN AResponsedownload.1und1.deIN CNAMEredir.g-ha-1und1.deredir.g-ha-1und1.deIN A82.165.229.152
-
Remote address:8.8.8.8:53Requestsuche.1und1.deIN AResponsesuche.1und1.deIN CNAMEsuche-rlp.ha-cdn.desuche-rlp.ha-cdn.deIN A82.165.229.23
-
GEThttps://dl.1und1.de/backend/ie/hotnews-de-de-2.7.9.xml475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:443RequestGET /backend/ie/hotnews-de-de-2.7.9.xml HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Host: dl.1und1.de
ResponseHTTP/1.1 404 Not Found
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
Cache-Control: max-age=31535923
Date: Thu, 10 Feb 2022 03:01:11 GMT
Connection: keep-alive
-
GEThttps://dl.1und1.de/backend/icons/1und1.ico475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:443RequestGET /backend/icons/1und1.ico HTTP/1.1
Accept: image/vnd.microsoft.icon, image/x-icon
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Host: dl.1und1.de
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
ETag: "2cee-51426dc5c8e14"
Last-Modified: Mon, 20 Apr 2015 12:13:41 GMT
X-Robots-Tag: noindex
Content-Type: image/vnd.microsoft.icon
Cache-Control: public, max-age=3498
Date: Thu, 10 Feb 2022 03:01:11 GMT
Content-Length: 11502
Connection: keep-alive
-
GEThttps://suche.1und1.de/starthp?src=go_fallback475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:82.165.229.23:443RequestGET /starthp?src=go_fallback HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Host: suche.1und1.de
ResponseHTTP/1.1 200 OK
Server: Apache
Set-Cookie: user_locale=US; Path=/
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Accept-Ranges: bytes
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Cache-Control: no-store
Origin: suche.1und1.de
Pragma: no-cache
X-Xss-Protection: 0
Via: 1.1 suche.1und1.de
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Set-Cookie: XSRF-TOKEN=32dd2836fa8938cde6e3ee30cf14cd1a;Path=/;Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
-
GEThttp://download.1und1.de/backend/ie/ie_desktop_shortcuts475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:82.165.229.152:80RequestGET /backend/ie/ie_desktop_shortcuts HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Host: download.1und1.de
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://dl.1und1.de//backend/ie/ie_desktop_shortcuts
Content-Length: 260
Connection: close
Content-Type: text/html; charset=iso-8859-1
-
GEThttps://dl.1und1.de//backend/ie/ie_desktop_shortcuts475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:443RequestGET //backend/ie/ie_desktop_shortcuts HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Host: dl.1und1.de
ResponseHTTP/1.1 200 OK
ETag: "ef-5531745323625"
Last-Modified: Thu, 29 Jun 2017 11:04:53 GMT
X-Robots-Tag: noindex
Cache-Control: public, max-age=3554
Date: Thu, 10 Feb 2022 03:01:11 GMT
Content-Length: 239
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestocsp.telesec.deIN AResponseocsp.telesec.deIN A80.158.50.254ocsp.telesec.deIN A80.158.61.91ocsp.telesec.deIN A80.158.59.63ocsp.telesec.deIN A217.170.186.122ocsp.telesec.deIN A217.170.186.111
-
GEThttp://ocsp.telesec.de/ocspr/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTFx4BvOw7Ixax9%2BP2ZItzIsVvQvwQUv1kgNgB5oKAia4zV8mHSuCzLgkoCCH45x60d2fBD475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:80.158.50.254:80RequestGET /ocspr/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTFx4BvOw7Ixax9%2BP2ZItzIsVvQvwQUv1kgNgB5oKAia4zV8mHSuCzLgkoCCH45x60d2fBD HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.telesec.de
ResponseHTTP/1.1 200 OK
Server: Apache
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: application/ocsp-response
Content-Length: 1481
Connection: close
-
Remote address:8.8.8.8:53Requestocsp.serverpass.telesec.deIN AResponseocsp.serverpass.telesec.deIN A80.158.50.254ocsp.serverpass.telesec.deIN A80.158.59.63ocsp.serverpass.telesec.deIN A80.158.61.91ocsp.serverpass.telesec.deIN A217.170.186.122ocsp.serverpass.telesec.deIN A217.170.186.111
-
GEThttp://ocsp.serverpass.telesec.de/ocspr/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT66Lqmxf42hHuY8hKFZzVwT4YoDAQUlMh0RvU6tEZIJvgryjQeViYEEgACEA390hO8ff9jnvoFNBYch9M%3D475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:80.158.50.254:80RequestGET /ocspr/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT66Lqmxf42hHuY8hKFZzVwT4YoDAQUlMh0RvU6tEZIJvgryjQeViYEEgACEA390hO8ff9jnvoFNBYch9M%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.serverpass.telesec.de
ResponseHTTP/1.1 200 OK
Server: Apache
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: application/ocsp-response
Content-Length: 1583
Connection: close
-
GEThttp://dl.1und1.de/backend/ie/hotnews-de-de.xml475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:80RequestGET /backend/ie/hotnews-de-de.xml HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Host: dl.1und1.de
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: BigIP
Content-Length: 0
Cache-Control: max-age=21801001
Date: Thu, 10 Feb 2022 03:01:11 GMT
Connection: keep-alive
-
GEThttps://dl.1und1.de/backend/ie/hotnews-de-de.xml475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exeRemote address:104.80.224.162:443RequestGET /backend/ie/hotnews-de-de.xml HTTP/1.1
Accept: application/xml
User-Agent: 1und1 MailCheck/2.7.9 (Windows NT 10.0; Win64; x64)
Connection: Keep-Alive
Host: dl.1und1.de
ResponseHTTP/1.1 200 OK
ETag: "231-5454992df1f5b"
Server: Apache
X-Robots-Tag: noindex
Content-Type: application/xml
Cache-Control: public, max-age=2144
Date: Thu, 10 Feb 2022 03:01:11 GMT
Content-Length: 561
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestsettings-win.data.microsoft.comIN AResponsesettings-win.data.microsoft.comIN CNAMEatm-settingsfe-prod-geo.trafficmanager.netatm-settingsfe-prod-geo.trafficmanager.netIN CNAMEsettings-prod-eus2-1.eastus2.cloudapp.azure.comsettings-prod-eus2-1.eastus2.cloudapp.azure.comIN A52.167.249.196
-
Remote address:8.8.8.8:53Requestgeo.prod.do.dsp.mp.microsoft.comIN AResponsegeo.prod.do.dsp.mp.microsoft.comIN CNAMEgeo.prod.do.dsp.trafficmanager.netgeo.prod.do.dsp.trafficmanager.netIN CNAMEarray805.prod.do.dsp.mp.microsoft.comarray805.prod.do.dsp.mp.microsoft.comIN A52.143.80.209
-
Remote address:8.8.8.8:53Requestkv801.prod.do.dsp.mp.microsoft.comIN AResponsekv801.prod.do.dsp.mp.microsoft.comIN CNAMEkv801.prod.do.dsp.mp.microsoft.com.edgekey.netkv801.prod.do.dsp.mp.microsoft.com.edgekey.netIN CNAMEe12437.g.akamaiedge.nete12437.g.akamaiedge.netIN A184.29.205.60
-
GEThttps://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1NetworkServiceRemote address:184.29.205.60:443RequestGET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Microsoft-Delivery-Optimization/10.0
MS-CV: fvwt2NVPlUqUD1hH.2.1.1
Content-Length: 0
Host: kv801.prod.do.dsp.mp.microsoft.com
ResponseHTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 808
Cache-Control: max-age=52
Date: Thu, 10 Feb 2022 03:01:35 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestnav.smartscreen.microsoft.comIN AResponsenav.smartscreen.microsoft.comIN CNAMEwd-prod-ss.trafficmanager.netwd-prod-ss.trafficmanager.netIN CNAMEwd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.comwd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.comIN A20.81.51.95
-
Remote address:20.81.51.95:443RequestPOST /api/browser/edge/actions HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiYmtad20vZlFrMDg9Iiwia2V5IjoiaWNzZFVUNHZCY2xZSklRclF5d1ZIUT09In0=
User-Agent: SmartScreen/281479409565696
Content-Length: 1272
Host: nav.smartscreen.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 2051
Content-Type: application/json; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-SmartScreen-Flight-Vector: EnableNsHumorMatch,enableProxyLeniency,IsArsFmsIntegrationEnabled,IsCurfId0LoggingEnabled,isCurfTstEnabled,isNpPIOverrideBlockEnabled,ListApiE5V2Enabled,npSettings2004,ServiceAdhocDetonate,serviceClientModelDetonate,servicePhishDetonate,servicePhishDetonateLegacy,SrcEOPEnabled,topTrafficV2Enabled,UpdateOnMissingEtagEnabled,updateSigningCert,updateSigningCertForRS3RS4
Date: Thu, 10 Feb 2022 03:01:46 GMT
Connection: close
-
Remote address:8.8.8.8:53Requestsmartscreen-prod.microsoft.comIN AResponsesmartscreen-prod.microsoft.comIN CNAMEwd-prod-ss.trafficmanager.netwd-prod-ss.trafficmanager.netIN CNAMEwd-prod-ss-us-east-2-fe.eastus.cloudapp.azure.comwd-prod-ss-us-east-2-fe.eastus.cloudapp.azure.comIN A20.81.52.156
-
Remote address:20.81.52.156:443RequestPOST /api/browser/edge/data/settings HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenHash eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQiLCJoYXNoIjoiYmtad20vZlFrMDg9Iiwia2V5IjoiaWNzZFVUNHZCY2xZSklRclF5d1ZIUT09In0=
If-None-Match: "2.0-0"
User-Agent: SmartScreen/281479409565696
Content-Length: 1272
Host: smartscreen-prod.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
ETag: "2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1"
Server: Microsoft-HTTPAPI/2.0
X-SmartScreen-Flight-Vector: EnableNsHumorMatch,enableProxyLeniency,IsArsFmsIntegrationEnabled,IsCurfId0LoggingEnabled,isCurfTstEnabled,isNpPIOverrideBlockEnabled,ListApiE5V2Enabled,npSettings2004,ServiceAdhocDetonate,serviceClientModelDetonate,servicePhishDetonate,servicePhishDetonateLegacy,SrcEOPEnabled,topTrafficV2Enabled,UpdateOnMissingEtagEnabled,updateSigningCert,updateSigningCertForRS3RS4
Date: Thu, 10 Feb 2022 03:01:47 GMT
Connection: close
-
GEThttps://smartscreen-prod.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19041.1288.vb_release&flight=%7B%22ETag%22%3A%22%5C%22IICLQzIHSHofpfdgZrDul8PdJyn3U%2FUW3kYLrLVpro8%3D%5C%22%22%2C%22Ids%22%3A%5B%22P-R-99770-6-31%2CP-R-86682-4-37%2CP-R-73000-8-25%2CP-R-72999-9-23%2CP-R-70204-2-18%2CP-R-69385-1-5%2CP-R-68026-7-37%2CP-R-68490-1-3%2CP-R-68172-1-4%2CP-R-68175-1-6%2CP-R-68176-3-8%2CP-R-68179-1-3%2CP-R-68187-2-33%2CP-R-68189-1-7%2CP-R-68191-2-8%2CP-R-68192-2-8%2CP-R-68306-1-20%2CP-R-68307-1-3%2CP-D-68194-1-2%22%5D%2C%22Settings%22%3A%7B%22Names%22%3Anull%2C%22Ring%22%3A0%2C%22Models%22%3Anull%2C%22ServiceClientModelDetonate%22%3Atrue%2C%22WdsiFeedback%22%3Afalse%2C%22NPFeedbackUriOverride%22%3Anull%2C%22NetworkFilterDetonate%22%3Afalse%2C%22ServicePhishDetonate%22%3Atrue%2C%22ServicePhishDetonateLegacy%22%3Atrue%2C%22ServiceAdhocDetonate%22%3Atrue%2C%22NpSettings2004%22%3Atrue%2C%22UpdateSigningCert%22%3Atrue%2C%22UpdateSigningCertForRS3RS4%22%3Atrue%2C%22NpSettings2004Value%22%3A0%2C%22IsCOCOBlockEnabled%22%3Afalse%2C%22NpIpBlockOverrideValue%22%3A0%2C%22TopTrafficV2Enabled%22%3Atrue%2C%22ListApiE5V2Enabled%22%3Atrue%2C%22IsNpPIOverrideBlockEnabled%22%3Atrue%2C%22TopTrafficV2MobileFlightEnabled%22%3Afalse%2C%22BloomFilterDeltaFlag%22%3A1%2C%22SrcEOPEnabled%22%3Atrue%2C%22IsCurfId0LoggingEnabled%22%3Atrue%2C%22IsCurfId0BlockingEnabled%22%3Afalse%2C%22UpdateOnMissingEtagEnabled%22%3Atrue%2C%22EnableProxyLeniency%22%3Atrue%2C%22IsArsFmsIntegrationEnabled%22%3Atrue%2C%22EnableNsHumorMatch%22%3Atrue%2C%22ApplyNsHumorVerdict%22%3Afalse%2C%22EnableNpSkipNonWeb%22%3Afalse%2C%22MTDThrottleFactor%22%3A0.0%2C%22UnsilenceModelGuid%22%3Anull%7D%7Dmsedge.exeRemote address:20.81.52.156:443RequestGET /windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19041.1288.vb_release&flight=%7B%22ETag%22%3A%22%5C%22IICLQzIHSHofpfdgZrDul8PdJyn3U%2FUW3kYLrLVpro8%3D%5C%22%22%2C%22Ids%22%3A%5B%22P-R-99770-6-31%2CP-R-86682-4-37%2CP-R-73000-8-25%2CP-R-72999-9-23%2CP-R-70204-2-18%2CP-R-69385-1-5%2CP-R-68026-7-37%2CP-R-68490-1-3%2CP-R-68172-1-4%2CP-R-68175-1-6%2CP-R-68176-3-8%2CP-R-68179-1-3%2CP-R-68187-2-33%2CP-R-68189-1-7%2CP-R-68191-2-8%2CP-R-68192-2-8%2CP-R-68306-1-20%2CP-R-68307-1-3%2CP-D-68194-1-2%22%5D%2C%22Settings%22%3A%7B%22Names%22%3Anull%2C%22Ring%22%3A0%2C%22Models%22%3Anull%2C%22ServiceClientModelDetonate%22%3Atrue%2C%22WdsiFeedback%22%3Afalse%2C%22NPFeedbackUriOverride%22%3Anull%2C%22NetworkFilterDetonate%22%3Afalse%2C%22ServicePhishDetonate%22%3Atrue%2C%22ServicePhishDetonateLegacy%22%3Atrue%2C%22ServiceAdhocDetonate%22%3Atrue%2C%22NpSettings2004%22%3Atrue%2C%22UpdateSigningCert%22%3Atrue%2C%22UpdateSigningCertForRS3RS4%22%3Atrue%2C%22NpSettings2004Value%22%3A0%2C%22IsCOCOBlockEnabled%22%3Afalse%2C%22NpIpBlockOverrideValue%22%3A0%2C%22TopTrafficV2Enabled%22%3Atrue%2C%22ListApiE5V2Enabled%22%3Atrue%2C%22IsNpPIOverrideBlockEnabled%22%3Atrue%2C%22TopTrafficV2MobileFlightEnabled%22%3Afalse%2C%22BloomFilterDeltaFlag%22%3A1%2C%22SrcEOPEnabled%22%3Atrue%2C%22IsCurfId0LoggingEnabled%22%3Atrue%2C%22IsCurfId0BlockingEnabled%22%3Afalse%2C%22UpdateOnMissingEtagEnabled%22%3Atrue%2C%22EnableProxyLeniency%22%3Atrue%2C%22IsArsFmsIntegrationEnabled%22%3Atrue%2C%22EnableNsHumorMatch%22%3Atrue%2C%22ApplyNsHumorVerdict%22%3Afalse%2C%22EnableNpSkipNonWeb%22%3Afalse%2C%22MTDThrottleFactor%22%3A0.0%2C%22UnsilenceModelGuid%22%3Anull%7D%7D HTTP/1.1
Connection: Keep-Alive
Accept: application/x-patch-bsdiff, application/octet-stream
Authorization: SmartScreenPlain eyJhdXRoSWQiOiIzODFkZGQxZS1lNjAwLTQyZGUtOTRlZC04YzM0YmY3M2YxNmQifQ==
If-None-Match: "170540185939602997400506234197983529371"
User-Agent: SmartScreen/281479409565696
Host: smartscreen-prod.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 461072
Content-Type: application/octet-stream
ETag: "637786431098503299"
Server: Microsoft-HTTPAPI/2.0
X-SmartScreen-Flight-Vector: EnableNsHumorMatch,EnableProxyLeniency,IsArsFmsIntegrationEnabled,IsCurfId0LoggingEnabled,IsNpPIOverrideBlockEnabled,ListApiE5V2Enabled,NpSettings2004,ServiceAdhocDetonate,ServiceClientModelDetonate,ServicePhishDetonate,ServicePhishDetonateLegacy,SrcEOPEnabled,TopTrafficV2Enabled,UpdateOnMissingEtagEnabled,UpdateSigningCert,UpdateSigningCertForRS3RS4
Date: Thu, 10 Feb 2022 03:01:47 GMT
Connection: close
-
Remote address:8.8.8.8:53Requestdns.googleIN AResponsedns.googleIN A8.8.4.4dns.googleIN A8.8.8.8
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
1.6kB 4.4kB 12 10
-
2.0kB 14.9kB 16 18
-
1.3kB 8.1kB 14 14
-
260 B 5
-
2.6kB 8.0kB 15 15
-
2.6kB 8.0kB 15 15
-
104.80.224.162:80http://dl.1und1.de/backend/ie/hotnews-de-de-2.7.9.xmlhttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe461 B 400 B 6 4
HTTP Request
GET http://dl.1und1.de/backend/ie/hotnews-de-de-2.7.9.xmlHTTP Response
301 -
82.165.229.87:80http://go.1und1.de/tb/ie_desktop_shortcutshttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe450 B 723 B 6 5
HTTP Request
GET http://go.1und1.de/tb/ie_desktop_shortcutsHTTP Response
302 -
82.165.229.87:80http://go.1und1.de/tb/ie_shop_providershttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe447 B 703 B 6 5
HTTP Request
GET http://go.1und1.de/tb/ie_shop_providersHTTP Response
302 -
104.80.224.162:443https://dl.1und1.de/backend/icons/1und1.icotls, http475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe1.7kB 17.6kB 21 20
HTTP Request
GET https://dl.1und1.de/backend/ie/hotnews-de-de-2.7.9.xmlHTTP Response
404HTTP Request
GET https://dl.1und1.de/backend/icons/1und1.icoHTTP Response
200 -
82.165.229.23:443https://suche.1und1.de/starthp?src=go_fallbacktls, http475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe3.9kB 89.2kB 74 73
HTTP Request
GET https://suche.1und1.de/starthp?src=go_fallbackHTTP Response
200 -
82.165.229.152:80http://download.1und1.de/backend/ie/ie_desktop_shortcutshttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe464 B 708 B 6 5
HTTP Request
GET http://download.1und1.de/backend/ie/ie_desktop_shortcutsHTTP Response
301 -
104.80.224.162:443https://dl.1und1.de//backend/ie/ie_desktop_shortcutstls, http475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe1.1kB 5.6kB 14 12
HTTP Request
GET https://dl.1und1.de//backend/ie/ie_desktop_shortcutsHTTP Response
200 -
80.158.50.254:80http://ocsp.telesec.de/ocspr/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTFx4BvOw7Ixax9%2BP2ZItzIsVvQvwQUv1kgNgB5oKAia4zV8mHSuCzLgkoCCH45x60d2fBDhttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe500 B 1.9kB 6 6
HTTP Request
GET http://ocsp.telesec.de/ocspr/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTFx4BvOw7Ixax9%2BP2ZItzIsVvQvwQUv1kgNgB5oKAia4zV8mHSuCzLgkoCCH45x60d2fBDHTTP Response
200 -
80.158.50.254:80http://ocsp.serverpass.telesec.de/ocspr/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT66Lqmxf42hHuY8hKFZzVwT4YoDAQUlMh0RvU6tEZIJvgryjQeViYEEgACEA390hO8ff9jnvoFNBYch9M%3Dhttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe523 B 2.0kB 6 6
HTTP Request
GET http://ocsp.serverpass.telesec.de/ocspr/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT66Lqmxf42hHuY8hKFZzVwT4YoDAQUlMh0RvU6tEZIJvgryjQeViYEEgACEA390hO8ff9jnvoFNBYch9M%3DHTTP Response
200 -
104.80.224.162:80http://dl.1und1.de/backend/ie/hotnews-de-de.xmlhttp475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe455 B 394 B 6 4
HTTP Request
GET http://dl.1und1.de/backend/ie/hotnews-de-de.xmlHTTP Response
301 -
104.80.224.162:443https://dl.1und1.de/backend/ie/hotnews-de-de.xmltls, http475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe1.0kB 5.8kB 11 10
HTTP Request
GET https://dl.1und1.de/backend/ie/hotnews-de-de.xmlHTTP Response
200 -
2.0kB 4.4kB 12 10
-
1.2kB 3.5kB 12 9
-
184.29.205.60:443https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1tls, httpNetworkService1.0kB 7.7kB 8 11
HTTP Request
GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=1HTTP Response
200 -
-
2.6kB 10.3kB 12 11
HTTP Request
POST https://nav.smartscreen.microsoft.com/api/browser/edge/actionsHTTP Response
200 -
20.81.52.156:443https://smartscreen-prod.microsoft.com/api/browser/edge/data/settingstls, httpmsedge.exe4.7kB 141.1kB 55 99
HTTP Request
POST https://smartscreen-prod.microsoft.com/api/browser/edge/data/settingsHTTP Response
200 -
20.81.52.156:443https://smartscreen-prod.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19041.1288.vb_release&flight=%7B%22ETag%22%3A%22%5C%22IICLQzIHSHofpfdgZrDul8PdJyn3U%2FUW3kYLrLVpro8%3D%5C%22%22%2C%22Ids%22%3A%5B%22P-R-99770-6-31%2CP-R-86682-4-37%2CP-R-73000-8-25%2CP-R-72999-9-23%2CP-R-70204-2-18%2CP-R-69385-1-5%2CP-R-68026-7-37%2CP-R-68490-1-3%2CP-R-68172-1-4%2CP-R-68175-1-6%2CP-R-68176-3-8%2CP-R-68179-1-3%2CP-R-68187-2-33%2CP-R-68189-1-7%2CP-R-68191-2-8%2CP-R-68192-2-8%2CP-R-68306-1-20%2CP-R-68307-1-3%2CP-D-68194-1-2%22%5D%2C%22Settings%22%3A%7B%22Names%22%3Anull%2C%22Ring%22%3A0%2C%22Models%22%3Anull%2C%22ServiceClientModelDetonate%22%3Atrue%2C%22WdsiFeedback%22%3Afalse%2C%22NPFeedbackUriOverride%22%3Anull%2C%22NetworkFilterDetonate%22%3Afalse%2C%22ServicePhishDetonate%22%3Atrue%2C%22ServicePhishDetonateLegacy%22%3Atrue%2C%22ServiceAdhocDetonate%22%3Atrue%2C%22NpSettings2004%22%3Atrue%2C%22UpdateSigningCert%22%3Atrue%2C%22UpdateSigningCertForRS3RS4%22%3Atrue%2C%22NpSettings2004Value%22%3A0%2C%22IsCOCOBlockEnabled%22%3Afalse%2C%22NpIpBlockOverrideValue%22%3A0%2C%22TopTrafficV2Enabled%22%3Atrue%2C%22ListApiE5V2Enabled%22%3Atrue%2C%22IsNpPIOverrideBlockEnabled%22%3Atrue%2C%22TopTrafficV2MobileFlightEnabled%22%3Afalse%2C%22BloomFilterDeltaFlag%22%3A1%2C%22SrcEOPEnabled%22%3Atrue%2C%22IsCurfId0LoggingEnabled%22%3Atrue%2C%22IsCurfId0BlockingEnabled%22%3Afalse%2C%22UpdateOnMissingEtagEnabled%22%3Atrue%2C%22EnableProxyLeniency%22%3Atrue%2C%22IsArsFmsIntegrationEnabled%22%3Atrue%2C%22EnableNsHumorMatch%22%3Atrue%2C%22ApplyNsHumorVerdict%22%3Afalse%2C%22EnableNpSkipNonWeb%22%3Afalse%2C%22MTDThrottleFactor%22%3A0.0%2C%22UnsilenceModelGuid%22%3Anull%7D%7Dtls, httpmsedge.exe10.2kB 482.7kB 169 326
HTTP Request
GET https://smartscreen-prod.microsoft.com/windows/browser/edge/data/toptraffic?pushCert=false&os=10.0.19041.1288.vb_release&flight=%7B%22ETag%22%3A%22%5C%22IICLQzIHSHofpfdgZrDul8PdJyn3U%2FUW3kYLrLVpro8%3D%5C%22%22%2C%22Ids%22%3A%5B%22P-R-99770-6-31%2CP-R-86682-4-37%2CP-R-73000-8-25%2CP-R-72999-9-23%2CP-R-70204-2-18%2CP-R-69385-1-5%2CP-R-68026-7-37%2CP-R-68490-1-3%2CP-R-68172-1-4%2CP-R-68175-1-6%2CP-R-68176-3-8%2CP-R-68179-1-3%2CP-R-68187-2-33%2CP-R-68189-1-7%2CP-R-68191-2-8%2CP-R-68192-2-8%2CP-R-68306-1-20%2CP-R-68307-1-3%2CP-D-68194-1-2%22%5D%2C%22Settings%22%3A%7B%22Names%22%3Anull%2C%22Ring%22%3A0%2C%22Models%22%3Anull%2C%22ServiceClientModelDetonate%22%3Atrue%2C%22WdsiFeedback%22%3Afalse%2C%22NPFeedbackUriOverride%22%3Anull%2C%22NetworkFilterDetonate%22%3Afalse%2C%22ServicePhishDetonate%22%3Atrue%2C%22ServicePhishDetonateLegacy%22%3Atrue%2C%22ServiceAdhocDetonate%22%3Atrue%2C%22NpSettings2004%22%3Atrue%2C%22UpdateSigningCert%22%3Atrue%2C%22UpdateSigningCertForRS3RS4%22%3Atrue%2C%22NpSettings2004Value%22%3A0%2C%22IsCOCOBlockEnabled%22%3Afalse%2C%22NpIpBlockOverrideValue%22%3A0%2C%22TopTrafficV2Enabled%22%3Atrue%2C%22ListApiE5V2Enabled%22%3Atrue%2C%22IsNpPIOverrideBlockEnabled%22%3Atrue%2C%22TopTrafficV2MobileFlightEnabled%22%3Afalse%2C%22BloomFilterDeltaFlag%22%3A1%2C%22SrcEOPEnabled%22%3Atrue%2C%22IsCurfId0LoggingEnabled%22%3Atrue%2C%22IsCurfId0BlockingEnabled%22%3Afalse%2C%22UpdateOnMissingEtagEnabled%22%3Atrue%2C%22EnableProxyLeniency%22%3Atrue%2C%22IsArsFmsIntegrationEnabled%22%3Atrue%2C%22EnableNsHumorMatch%22%3Atrue%2C%22ApplyNsHumorVerdict%22%3Afalse%2C%22EnableNpSkipNonWeb%22%3Afalse%2C%22MTDThrottleFactor%22%3A0.0%2C%22UnsilenceModelGuid%22%3Anull%7D%7DHTTP Response
200 -
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
747 B 5.1kB 5 6
-
77 B 207 B 1 1
DNS Request
settings-win.data.microsoft.com
DNS Response
52.167.249.196
-
77 B 207 B 1 1
DNS Request
settings-win.data.microsoft.com
DNS Response
52.167.17.97
-
77 B 207 B 1 1
DNS Request
settings-win.data.microsoft.com
DNS Response
52.167.249.196
-
57 B 102 B 1 1
DNS Request
go.1und1.de
DNS Response
82.165.229.87
-
57 B 143 B 1 1
DNS Request
dl.1und1.de
DNS Response
104.80.224.162
-
8.8.8.8:53download.1und1.dedns475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe63 B 110 B 1 1
DNS Request
download.1und1.de
DNS Response
82.165.229.152
-
60 B 107 B 1 1
DNS Request
suche.1und1.de
DNS Response
82.165.229.23
-
61 B 141 B 1 1
DNS Request
ocsp.telesec.de
DNS Response
80.158.50.25480.158.61.9180.158.59.63217.170.186.122217.170.186.111
-
8.8.8.8:53ocsp.serverpass.telesec.dedns475eba482ed51fe75968f9457f559c9af6cf50ea35bc305e39e8bdee7e75bf57.exe72 B 152 B 1 1
DNS Request
ocsp.serverpass.telesec.de
DNS Response
80.158.50.25480.158.59.6380.158.61.91217.170.186.122217.170.186.111
-
77 B 207 B 1 1
DNS Request
settings-win.data.microsoft.com
DNS Response
52.167.249.196
-
78 B 165 B 1 1
DNS Request
geo.prod.do.dsp.mp.microsoft.com
DNS Response
52.143.80.209
-
80 B 190 B 1 1
DNS Request
kv801.prod.do.dsp.mp.microsoft.com
DNS Response
184.29.205.60
-
75 B 194 B 1 1
DNS Request
nav.smartscreen.microsoft.com
DNS Response
20.81.51.95
-
76 B 195 B 1 1
DNS Request
smartscreen-prod.microsoft.com
DNS Response
20.81.52.156
-
56 B 88 B 1 1
DNS Request
dns.google
DNS Response
8.8.4.48.8.8.8