URL: https://cdn.refinitiv.com/public/packages/Workspace/RefinitivWorkspace-installer_1.23.269.exe

Full analysis: https://app.any.run/tasks/d7a2fec8-7d35-4eaf-865d-82b5c514aef8
Verdict: Malicious activity
Analysis date: December 05, 2023, 08:20:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 383F84DC407984EC82644BAD349FA304
SHA1: 9DC4872664F9E48D91B9DA17E4EEB5D2E10BADA0
SHA256: F1AE7BD74CB59E71DD5833142651E1A74EF7E182AD53D650405510E34A3CDB84
SSDEEP: 3:N8cw4dKHJyOPpMO38mKMH3+XDXWeN:2cwvHJdmO3lKMH3+XDmK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
    • Process drops legitimate windows executable

      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
    • The process creates files with name similar to system file names

      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
  • INFO

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 1228)
    • Application launched itself

      • iexplore.exe (PID: 1236)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2928)
      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2928)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2928)
      • explorer.exe (PID: 2764)
    • Create files in a temporary directory

      • RefinitivWorkspace-installer_1.23.269.exe (PID: 4060)
    • The process uses the downloaded file

      • iexplore.exe (PID: 1236)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view available in the full report): start, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), refinitivworkspace-installer_1.23.269.exe (no specs), explorer.exe (no specs)

Process information

PID: 1228
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1236 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 1236
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.refinitiv.com/public/packages/Workspace/RefinitivWorkspace-installer_1.23.269.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2764
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2928
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 4060
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\RefinitivWorkspace-installer_1.23.269.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\RefinitivWorkspace-installer_1.23.269.exe
Parent process: iexplore.exe
User: admin
Company: Refinitiv
Integrity Level: MEDIUM
Description: Refinitiv Workspace Installer
Exit code: 1
Version: 1.23.269
Modules (images):
  • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\refinitivworkspace-installer_1.23.269.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
Total events: 29 446
Read events: 29 383
Write events: 61
Delete events: 2

Modification events

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (1236) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 50
Suspicious files: 84
Text files: 27
Unknown types: 1

Dropped files

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Type: binary
MD5: 03582A4B3EA7BB6E14ED1B0FCDE1DFDD
SHA256: B9A9C916DDDFDA5C2A968BE9D3D3A76CBE6C7766F94EF359F0AED5590840ADDC

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77
Type: binary
MD5: E6C461A50D37A38DC40FD91F53CF49FE
SHA256: 0404ABA6674D82032AECBCBD40FC039F59B0CD05DD099DFA37E67D4686E1A217

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 0C239E0F822FD846CBB9EE4BBD40FF77
SHA256: FC7703DF341BB76DE2F6B570A2191A717568143B6F40CD075B13537C0B3EE84D

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

PID: 1236
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: binary
MD5: 5CDBCF373FB295D6FD6C48E39DC18BEF
SHA256: 7ABA42083362F97BB700FAD72AC25081C502AC22D30F5C9D8E0FA7DDAF97707F

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\RefinitivWorkspace-installer_1.23.269[1].exe
Type: executable
MD5: A68EAB51155DC5BFEE5F40FCA6E2299C
SHA256: 8DB991BE65412B989E10EAB1488E865967FA012370A69D4141B4FD65C737590A

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77
Type: binary
MD5: 6FD83AEFB972929224B79BA0F1749716
SHA256: 39ED3B3178249FB14E5AE23529EB11E5434F6119441777C52C8BC1AE86ADF18E

PID: 1228
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Type: binary
MD5: 6C82ABB65EA13D3A81E2BD235CAB6DD6
SHA256: CCD9AD9150277003F52BE694D1FCDE7CD5937AA870FB2FE39981637ED3C1AC21

PID: 1236
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9BI5CNNI.txt
Type: text
MD5: E19F8D49A46A3E1A68DDE30C935764E1
SHA256: 7D5C36BCEE89B7F3B3E1C2C07C0A559D595857415AC2FDC72C369DFB81C5494A

PID: 1236
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\C5WVZWCU.txt
Type: text
MD5: 5CE27749C9B963C5F5F96DD497DEBC08
SHA256: C60D49C9CAFC295B7E277C344F6753585F6F10173F598F023601102C9FDA1B85
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 20
DNS requests: 11
Threats: 0

HTTP requests

PID: 1228
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 23.53.40.75:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1d7b6ba33f16a438
CN: unknown
Type: compressed
Size: 4.66 Kb
Reputation: unknown

PID: 1228
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 104.18.38.233:80
URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
CN: unknown
Type: binary
Size: 1.42 Kb
Reputation: unknown

PID: 1236
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 1236
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 1236
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 1236
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 1228
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 104.18.38.233:80
URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
CN: unknown
Type: binary
Size: 2.18 Kb
Reputation: unknown

PID: 1228
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 23.53.40.75:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7c0985578a653cb5
CN: unknown
Type: compressed
Size: 4.66 Kb
Reputation: unknown

PID: 1080
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 87.248.204.0:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?59b8873ffc666c10
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

Each line gives PID, process, IP:port, then domain, ASN, CN and reputation where the report recorded them.

2588 svchost.exe: 239.255.255.250:1900, reputation whitelisted
4 System: 192.168.100.255:137, reputation whitelisted
4 System: 192.168.100.255:138, reputation whitelisted
1080 svchost.exe: 224.0.0.252:5355, reputation unknown
1228 iexplore.exe: 143.204.215.55:443, domain cdn.refinitiv.com, ASN AMAZON-02, CN US, reputation unknown
1228 iexplore.exe: 23.53.40.75:80, domain ctldl.windowsupdate.com, ASN Akamai International B.V., CN DE, reputation unknown
1228 iexplore.exe: 104.18.38.233:80, domain ocsp.comodoca.com, ASN CLOUDFLARENET, reputation shared
1080 svchost.exe: 87.248.204.0:80, domain ctldl.windowsupdate.com, ASN LLNW, CN US, reputation unknown
1236 iexplore.exe: 152.199.19.161:443, domain iecvlist.microsoft.com, ASN EDGECAST, CN US, reputation whitelisted
1236 iexplore.exe: 192.229.221.95:80, domain ocsp.digicert.com, ASN EDGECAST, CN US, reputation whitelisted

DNS requests

Each entry gives the queried domain, the resolved IPs, and the reputation recorded by the report.

cdn.refinitiv.com
  • 143.204.215.55
  • 143.204.215.38
  • 143.204.215.73
  • 143.204.215.4
unknown
ctldl.windowsupdate.com
  • 23.53.40.75
  • 23.53.40.67
  • 23.53.40.73
  • 23.53.40.80
  • 23.53.40.74
  • 23.53.40.83
  • 23.53.40.82
  • 23.53.40.59
  • 23.53.40.81
  • 87.248.204.0
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted

Threats

No threats detected
No debug info