| download: | /windows/0install/DeepLSetup.exe |
| Full analysis: | https://app.any.run/tasks/9013a86a-246e-4ddd-824f-8dec57197b4b |
| Verdict: | Malicious activity |
| Analysis date: | August 23, 2024, 17:35:38 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 02A9A9A951A9122BB303E3D20A4132A4 |
| SHA1: | 9B5A7E0889F1AFFBB2478630A7CF158E1F426A53 |
| SHA256: | C915FB81B980D874B62DF5D842F0C460C3D0B8A4B6F70CA827875D75FBAE6DA9 |
| SSDEEP: | 98304:CyU8099+Hwwp+S1RPIuRfkUujTq7LBKj/:M9+HwvkP0jZ |
MALICIOUS
Create files in the Startup directory
- 0install-win.exe (PID: 6956)
SUSPICIOUS
Drops the executable file immediately after the start
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- CefSharp.BrowserSubprocess.exe (PID: 7352)
Executable content was dropped or overwritten
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- CefSharp.BrowserSubprocess.exe (PID: 7352)
Process drops legitimate windows executable
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6728)
The process creates files with name similar to system file names
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6728)
Starts itself from another location
- 0install-win.exe (PID: 6428)
Searches for installed software
- 0install-win.exe (PID: 6956)
Creates a software uninstall entry
- 0install-win.exe (PID: 6956)
Detected use of alternative data streams (AltDS)
- 0install-win.exe (PID: 6728)
The process drops C-runtime libraries
- 0install-win.exe (PID: 6728)
Reads Internet Explorer settings
- 0install-win.exe (PID: 6728)
Reads security settings of Internet Explorer
- DeepL.exe (PID: 7028)
Checks Windows Trust Settings
- DeepL.exe (PID: 7028)
There is functionality for taking screenshot (YARA)
- DeepL.exe (PID: 7028)
INFO
Reads the computer name
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6728)
- 0install-win.exe (PID: 6956)
- 0install.exe (PID: 6912)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
- CefSharp.BrowserSubprocess.exe (PID: 4316)
- CefSharp.BrowserSubprocess.exe (PID: 3292)
- identity_helper.exe (PID: 5164)
- CefSharp.BrowserSubprocess.exe (PID: 7140)
- CefSharp.BrowserSubprocess.exe (PID: 5372)
- CefSharp.BrowserSubprocess.exe (PID: 5088)
- CefSharp.BrowserSubprocess.exe (PID: 7352)
Checks supported languages
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6728)
- 0install.exe (PID: 6912)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 4056)
- CefSharp.BrowserSubprocess.exe (PID: 4316)
- 0install.exe (PID: 6360)
- CefSharp.BrowserSubprocess.exe (PID: 3292)
- CefSharp.BrowserSubprocess.exe (PID: 5088)
- identity_helper.exe (PID: 5164)
- CefSharp.BrowserSubprocess.exe (PID: 7352)
- CefSharp.BrowserSubprocess.exe (PID: 7140)
- CefSharp.BrowserSubprocess.exe (PID: 5372)
Reads Environment values
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- 0install.exe (PID: 6912)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
- identity_helper.exe (PID: 5164)
Checks proxy server information
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
- 0install.exe (PID: 6912)
Disables trace logs
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- 0install.exe (PID: 6912)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
Reads the machine GUID from the registry
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6728)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 6912)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
- CefSharp.BrowserSubprocess.exe (PID: 4316)
- CefSharp.BrowserSubprocess.exe (PID: 5088)
- CefSharp.BrowserSubprocess.exe (PID: 3292)
- CefSharp.BrowserSubprocess.exe (PID: 7140)
- CefSharp.BrowserSubprocess.exe (PID: 5372)
- CefSharp.BrowserSubprocess.exe (PID: 7352)
Create files in a temporary directory
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 6912)
Creates files or folders in the user directory
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- DeepL.exe (PID: 7028)
- 0install.exe (PID: 6360)
- 0install.exe (PID: 4056)
- 0install.exe (PID: 6912)
- CefSharp.BrowserSubprocess.exe (PID: 3292)
Process checks whether UAC notifications are on
- DeepLSetup.exe (PID: 6672)
Reads the software policy settings
- DeepLSetup.exe (PID: 6672)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- DeepL.exe (PID: 7028)
Creates files in the program directory
- 0install-win.exe (PID: 6428)
- 0install-win.exe (PID: 6956)
- 0install-win.exe (PID: 6728)
- DeepL.exe (PID: 7028)
Process checks computer location settings
- DeepL.exe (PID: 7028)
- CefSharp.BrowserSubprocess.exe (PID: 7140)
- CefSharp.BrowserSubprocess.exe (PID: 5372)
Reads Microsoft Office registry keys
- DeepL.exe (PID: 7028)
- msedge.exe (PID: 3880)
Application launched itself
- msedge.exe (PID: 3880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2092:06:12 00:25:29+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 4307968 |
| InitializedDataSize: | 113152 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x41dbce |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.25.10.0 |
| ProductVersionNumber: | 2.25.10.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | Downloads and runs Zero Install optionally showing a GUI. |
| CompanyName: | zero-install |
| FileDescription: | zero-install |
| FileVersion: | 2.25.10.0 |
| InternalName: | zero-install.exe |
| LegalCopyright: | |
| OriginalFileName: | zero-install.exe |
| ProductName: | Zero Install |
| ProductVersion: | 2.25.10+dc9e71b7feda494f49256313ad5af690384d9d4d |
| AssemblyVersion: | 2.25.10.0 |
Total processes
205
Monitored processes
64
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 32 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6976 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2680 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4160 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2992 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6248 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3292 | "C:\Users\admin\AppData\Local\0install.net\implementations\sha256new_URIJA5AX26HNM7QVJKAF4VRTKDDVZDUL2XD4MMI4IJ3R32IZBLRA\.\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\admin\AppData\Roaming\DeepL_SE\logs\cefSharpLog_debug.log" --mojo-platform-channel-handle=5184 --field-trial-handle=4796,i,17475969947438085490,17218400034791309204,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=7028 | C:\Users\admin\AppData\Local\0install.net\implementations\sha256new_URIJA5AX26HNM7QVJKAF4VRTKDDVZDUL2XD4MMI4IJ3R32IZBLRA\CefSharp.BrowserSubprocess.exe | DeepL.exe | ||||||||||||
User: admin Company: The CefSharp Authors Integrity Level: MEDIUM Description: CefSharp.BrowserSubprocess Version: 109.1.110.0 Modules
| |||||||||||||||
| 3864 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6640 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3880 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.deepl.com/en/app-installed?windows_app_version=24.8.1.13198%2ba8473b37ea891268a8ccc6f7f04a4161fe53a7f7 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | DeepL.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4016 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=892 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4056 | "C:\Users\admin\AppData\Roaming\Programs\Zero Install\0install.exe" integrate --batch https://appdownload.deepl.com/windows/0install/deepl.xml --add default-access-point | C:\Users\admin\AppData\Roaming\Programs\Zero Install\0install.exe | — | DeepL.exe | |||||||||||
User: admin Company: Bastian Eicher Integrity Level: MEDIUM Description: 0install Exit code: 0 Version: 2.25.11.0 Modules
| |||||||||||||||
| 4292 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4388 --field-trial-handle=2548,i,8768375086250425187,1918767152267917654,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4316 | "C:\Users\admin\AppData\Local\0install.net\implementations\sha256new_URIJA5AX26HNM7QVJKAF4VRTKDDVZDUL2XD4MMI4IJ3R32IZBLRA\.\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\admin\AppData\Roaming\DeepL_SE\logs\cefSharpLog_debug.log" --mojo-platform-channel-handle=4732 --field-trial-handle=4796,i,17475969947438085490,17218400034791309204,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=7028 | C:\Users\admin\AppData\Local\0install.net\implementations\sha256new_URIJA5AX26HNM7QVJKAF4VRTKDDVZDUL2XD4MMI4IJ3R32IZBLRA\CefSharp.BrowserSubprocess.exe | — | DeepL.exe | |||||||||||
User: admin Company: The CefSharp Authors Integrity Level: MEDIUM Description: CefSharp.BrowserSubprocess Version: 109.1.110.0 Modules
| |||||||||||||||
Total events
25 880
Read events
25 688
Write events
177
Delete events
15
Modification events
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6672) DeepLSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DeepLSetup_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
1 691
Suspicious files
750
Text files
256
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\injector\implementation-dirs | — | |
MD5:— | SHA256:— | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\injector\global | text | |
MD5:C21FB6102DF78A20A75B5F0B9F8544D2 | SHA256:A5A650E2E7FE8EC0B6E5F57FE03F96491016580A268D91303A3906B060057B4D | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Local\0install.net\implementations\0install-extract-enqj1vrx.1fh\System.Threading.Tasks.Extensions.dll | executable | |
MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7 | SHA256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Local\0install.net\implementations\0install-extract-enqj1vrx.1fh\0store-service.exe | executable | |
MD5:66EEFF49858B1B4508F307ABFC075D5A | SHA256:5E6A5FC58EAD10310E8EEF0B57307E1B098F6C2A2D46FEC8466C0581C57D54E2 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Local\0install.net\implementations\0install-extract-enqj1vrx.1fh\de\ZeroInstall.resources.dll | executable | |
MD5:181A0861EF3F550898CFFC73F987D45C | SHA256:D922F761BCEDFD0889325075C84F1A7DD2C59DCF363CF4C65B180B59652DEE17 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\temp.243p0kun.ikg.catalog-sources | text | |
MD5:085F4C9F480A808BE427574573138250 | SHA256:8A770C09F2E020A1056C204DD66E16B180878EF17DF94A1694E57AF535A19240 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\injector\temp.wtimqr4o.cso.global | text | |
MD5:C21FB6102DF78A20A75B5F0B9F8544D2 | SHA256:A5A650E2E7FE8EC0B6E5F57FE03F96491016580A268D91303A3906B060057B4D | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\injector\temp.n3woqwhx.00z.trustdb.xml | xml | |
MD5:96B45CB4BC25586320AA84E9C3EFE5A1 | SHA256:E3FA8145F6108A9D43BABBB421105909A2647538290AB900FDA0DCA34D617193 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Roaming\0install.net\catalog-sources | text | |
MD5:085F4C9F480A808BE427574573138250 | SHA256:8A770C09F2E020A1056C204DD66E16B180878EF17DF94A1694E57AF535A19240 | |||
| 6672 | DeepLSetup.exe | C:\Users\admin\AppData\Local\0install.net\implementations\pvmf14gs.hqx | binary | |
MD5:0CC175B9C0F1B6A831C399E269772661 | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
237
DNS requests
237
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2224 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
2224 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6912 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
2224 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7028 | DeepL.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | — | — | whitelisted |
7028 | DeepL.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDFois1hItl2R2J%2FivQ%3D%3D | unknown | — | — | whitelisted |
7028 | DeepL.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
7028 | DeepL.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D | unknown | — | — | whitelisted |
7028 | DeepL.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAVEr%2FOUnQg5pr%2FbP1%2FlYRY%3D | unknown | — | — | whitelisted |
7776 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4040 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4876 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2224 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2224 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
6912 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
6912 | backgroundTaskHost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6596 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD |
6596 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc) |
6596 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD |
6596 | msedge.exe | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc) |
6596 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com) |
6596 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com) |
Process | Message |
|---|---|
DeepL.exe | Profiler was prevented from loading notification profiler due to app settings.
Process ID (decimal): 7028. Message ID: [0x2509].
|
DeepL.exe | [17:38:54 WRN] Exception during loading options: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\admin\AppData\Roaming\DeepL_SE\settings.json'.
at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
at System.IO.Strategies.FileStreamHelpers.ChooseStrategyCore(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
at System.IO.Strategies.FileStreamHelpers.ChooseStrategy(FileStream fileStream, String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, Int64 preallocationSize)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at DeepL.Persistence.FileStreamProvider.GetStream(StreamModes modes)
at DeepL.Persistence.RepositoryBase`1.LoadCore()
at DeepL.Persistence.RepositoryBase`1.Load()
|
DeepL.exe | [17:38:54 INF] Read app configuration (LocalSettings): proxy.active = False
|
DeepL.exe | [17:38:54 INF] Loaded user settings: {"schema_version":2,"version":"24.8.1.13198","configuration":{"dialog":{"is_manual_first_start":false,"has_document_translation_onboarding_been_shown":false,"has_quicky_onboarding_been_shown":false,"wants_to_show_onboarding":false,"wants_to_show_quicky_onboarding":false,"wants_to_show_translation_history_opt_in":false,"has_onboarding_screen_been_shown_at_start":false,"has_desktop_survey_baloon_been_shown":false,"was_indonesian_notification_shown":false,"was_turkish_notification_shown":false,"history_or_saved_shown":0,"has_translation_history_privacy_hint_been_shown":false,"last_stay_logged_in":true,"visited_features_modal_page_identifiers":[],"has_image_translation_nudge_been_shown":false,"walled_state":1,"last_preferences_page_index":0,"has_assistant_nudge_been_shown":false,"text_translator_tab_promotion_banner_close_timestamp":"0001-01-01T00:00:00+00:00","write_tab_promotion_banner_close_timestamp":"0001-01-01T00:00:00+00:00","image_translator_tab_promotion_banner_close_timestamp":"0001-01-01T00:00:00+00:00","document_translation_tab_promotion_banner_close_timestamp":"0001-01-01T00:00:00+00:00","has_quick_translate_nudge_been_shown":false},"window":{"last_window_state":0,"window_left":null,"window_top":null,"window_height":null,"window_width":null,"set_default_window_size":false},"app":{"updated_from_version":null,"updated_to_version":null,"install_voice_at_startup":null}},"UserPreferences":{"exit_from_menu_without_prompt":false,"custom_shortcut":{},"is_custom_shortcut_enabled":false,"is_shortcut_disabled":false,"quicky_shortcut":{},"is_quicky_enabled":false,"screen_capture_shortcut":{},"is_screen_capture_enabled":false,"screen_capture_languages":["de","en"],"quicky_height":200.0,"quicky_width":300.0,"quicky_last_target_language":"","doc_trans_save_folder_strategy":0,"doc_trans_last_target_language":"","doc_trans_last_source_language":"","recently_used_doc_trans_target_languages":[],"recently_used_doc_trans_source_languages":[],"doc_trans_last_formality":3,"proxy_preferences":{"use_proxy":false},"user_ui_theme":1,"is_instant_replace_enabled":false,"instant_replace_shortcut":{},"instant_replace_last_target_language":"","recently_used_instant_replace_target_languages":[],"last_quick_translate_target_language":"","recently_used_quick_translate_target_languages":[],"use_quick_translate_on_shortcut":true,"use_app_on_shortcut":false,"image_translation_last_source_language":"","image_translation_last_target_language":"","image_translation_last_formality":3,"use_assistant":true,"general_preferences":{"behaviour_on_closing":0}},"account_preferences":{},"web_view_configuration":{},"write_configuration":{}}
|
DeepL.exe | [17:38:54 INF] Read app configuration (LocalSettings): proxy.active = False
|
DeepL.exe | [17:38:54 INF] Read app configuration (LocalSettings): proxy.active = False
|
DeepL.exe | [17:38:54 INF] No webproxy for http request handler in use
|
DeepL.exe | [17:38:54 INF] Read app configuration (LocalSettings): proxy.active = False
|
DeepL.exe | [17:38:54 INF] Read app configuration (LocalSettings): proxy.active = False
|
DeepL.exe | [17:38:54 INF] No webproxy for http request handler in use
|