URL: | https://go.microsoft.com/fwlink/?linkid=2126594&pc=w045&icid=mscom_marcom_dlc |
Full analysis: | https://app.any.run/tasks/a5944016-d699-4d4b-9a5e-d499107df0e3 |
Verdict: | Malicious activity |
Analysis date: | January 27, 2021, 16:38:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 818E52DD4BBF7241A448C43A95AC9D96 |
SHA1: | C75C854136D23AF97803B28FB211925C29B8E581 |
SHA256: | 0B0A3ED21566C7962A572A3705FD45967A943287AFBAD036F6CCB1712BEA7A20 |
SSDEEP: | 3:N8r8etR7LO+BYsw/7QTM2dp4n:2geDPO+YfQTtdp4n |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2540 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://go.microsoft.com/fwlink/?linkid=2126594&pc=w045&icid=mscom_marcom_dlc" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2420 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2540 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2012 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\BingWallpaper.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\BingWallpaper.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BingWallpaper Exit code: 0 Version: 1.0.8.2 Modules
| |||||||||||||||
4000 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe | — | BingWallpaper.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2396 | "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\BWInstaller.exe" | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\BWInstaller.exe | StartupInstaller.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: BWInstaller Exit code: 0 Version: 1.0.8.2 Modules
| |||||||||||||||
2220 | "C:\Windows\System32\msiexec.exe" /q /i BWCInstaller.msi /norestart | C:\Windows\System32\msiexec.exe | — | BWInstaller.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3520 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3136 | "C:\Users\admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe" | C:\Users\admin\AppData\Local\Microsoft\BingWallpaperApp\BingWallpaperApp.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Bing Wallpaper Version: 1.0.8.2 Modules
| |||||||||||||||
3224 | C:\Windows\system32\MsiExec.exe -Embedding A01518031554CE810E89BB5603C0521C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3504 | rundll32.exe "C:\Windows\Installer\MSI8559.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1415921 1 CustomActions!CustomActions.CustomActions.InstallPing | C:\Windows\system32\rundll32.exe | MsiExec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 33515748 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30864587 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2420 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab3E89.tmp | — | |
MD5:— | SHA256:— | |||
2420 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar3E8A.tmp | — | |
MD5:— | SHA256:— | |||
2420 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\BingWallpaper[1].exe | — | |
MD5:— | SHA256:— | |||
2540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD5F8337DE9CB21FF.TMP | — | |
MD5:— | SHA256:— | |||
2540 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\BingWallpaper.exe.glxi45t.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2012 | BingWallpaper.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\BWCInstaller.msi | — | |
MD5:— | SHA256:— | |||
2420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:2ABF646F63AD1ECA5A2345C91EC46DE1 | SHA256:5E84E6985E911A73B6A83FD6FE51F9325930898CC0C0A674808DE8BFB2D7691E | |||
2420 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A07532D6AAE6A04052D31515DB38D1D_CA882703125241C37BA7EFB65CEA8710 | der | |
MD5:EA7EF22CA276AC02C3E117B3FA79AAE6 | SHA256:7A1E9C7C68BBD800820A33D4AA6132020F32CE46BB638A20502A4863C36297BB | |||
2396 | BWInstaller.exe | C:\Users\admin\AppData\Local\Temp\ZMG721C.tmp | — | |
MD5:— | SHA256:— | |||
2396 | BWInstaller.exe | C:\Users\admin\AppData\Local\Temp\ZMG724C.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3504 | rundll32.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=8929C91FFFA147AE9FCB2CB59F391AB9&LV=6.1.7600.16385&OS=6.1.7601.1&TE=40&TV=isW045%7cpkBingWallpaper%7ctmen-us%7cvr1.0.8.2%7cat1%7crt1%7cpt2 | US | — | — | suspicious |
2396 | BWInstaller.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=8929C91FFFA147AE9FCB2CB59F391AB9&LV=1.0.8.2&OS=6.1.7601.1&TE=40&TV=isW045%7cpkBWInstaller%7ctmen-us%7chdIE2%2cMF1%2cGC1%7csdIE2%2cMF1%2cGC1%7chpBing%7cdbIE%7crt2%7cpt1 | US | — | — | suspicious |
2420 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 1.47 Kb | whitelisted |
2420 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3028 | firefox.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=B3D6ECDB15E7850D69246872CDD0B741&LV=0.0.0.9&OS=WindowsNT6.1;rv:68.0&TE=37&TV=isW045%7CpkMicrosoftBingSearchEngine%7Ctmen-US%7CbvFirefox68.0%[email protected]%7Ces1 | US | — | — | suspicious |
3240 | DefaultSetup.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=8929C91FFFA147AE9FCB2CB59F391AB9&LV=1.7.74.0&OS=6.1.7601.1&TE=24&TV=isW045%7cpkBrowserDefMgr%7crt1%7ctmen-us%7chdGC75.0.3770.100%2c1%7csdGC75.0.3770.100%2c1%7cseGC75.0.3770.100%2c1%7chpGC75.0.3770.100%2c1%7ccd2021-01-27%7cct16:39:55:540 | US | — | — | suspicious |
3240 | DefaultSetup.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=8929C91FFFA147AE9FCB2CB59F391AB9&LV=1.7.74.0&OS=6.1.7601.1&TE=25&TV=isW045%7cpkBrowserDefMgr%7crt1%7ctmen-us%7chdIE11.0.9600.17843%2c0%7csdIE11.0.9600.17843%2c0%7cse%7chp%7ccd2021-01-27%7cct16:39:55:540 | US | — | — | suspicious |
3240 | DefaultSetup.exe | GET | 200 | 20.41.62.11:80 | http://g.ceipmsn.com/8SE/44?MI=8929C91FFFA147AE9FCB2CB59F391AB9&LV=1.7.74.0&OS=6.1.7601.1&TE=23&TV=isW045%7cpkBrowserDefMgr%7crt1%7ctmen-us%7chdMF68.0.0.0%2c1%7csdMF68.0.0.0%2c1%7cseMF68.0.0.0%2c1%7chpMF68.0.0.0%2c1%7ccd2021-01-27%7cct16:39:55:540 | US | — | — | suspicious |
2540 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2420 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCE2sABS6X6DFrE9H0DdEAAAAFLpc%3D | US | der | 1.71 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3136 | BingWallpaperApp.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2420 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3028 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
2420 | iexplore.exe | 104.79.88.34:443 | download.microsoft.com | Time Warner Cable Internet LLC | US | malicious |
2420 | iexplore.exe | 23.205.239.104:443 | go.microsoft.com | GTT Communications Inc. | NL | unknown |
2420 | iexplore.exe | 52.173.134.115:443 | bingwallpaper.microsoft.com | Microsoft Corporation | US | unknown |
3136 | BingWallpaperApp.exe | 52.173.134.115:443 | bingwallpaper.microsoft.com | Microsoft Corporation | US | unknown |
3504 | rundll32.exe | 20.41.62.11:80 | g.ceipmsn.com | — | US | suspicious |
2396 | BWInstaller.exe | 20.41.62.11:80 | g.ceipmsn.com | — | US | suspicious |
3136 | BingWallpaperApp.exe | 92.123.16.55:443 | go.microsoft.com | Telia Company AB | FR | malicious |
Domain | IP | Reputation |
---|---|---|
go.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
bingwallpaper.microsoft.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.msocsp.com |
| whitelisted |
download.microsoft.com |
| whitelisted |
g.ceipmsn.com |
| suspicious |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |