| File name: | Retrac.Launcher_1.0.13_x64_en-US.msi |
| Full analysis: | https://app.any.run/tasks/f6fda3a8-ee04-4218-a2a0-bb94da6d577c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | September 28, 2024, 21:40:04 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Retrac Launcher, Author: retrac, Keywords: Installer, Comments: This installer database contains the logic and data required to install Retrac Launcher., Template: x64;0, Revision Number: {96B6EFCC-925B-4F3C-B073-1B1E96E5D875}, Create Time/Date: Fri Aug 30 21:43:00 2024, Last Saved Time/Date: Fri Aug 30 21:43:00 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2 |
| MD5: | 5F1EAA7C85D7589BFF98B064E521A8CF |
| SHA1: | FB4183909BFA7D8CCD056D15D3062A2343811B11 |
| SHA256: | 77F824CBC498DD3CA31197B8251C41B3F810F8FED50C5A9893552D42EE42FA65 |
| SSDEEP: | 98304:/mpbDmD4IPKBzzrvuziWwLuFHArMAfDZdf7zrPwOC+rGBIJql2phRPvqFAvn4i6s:/sDjn7fVv1Lue |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 5288)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 5040)
Downloads file from URI
- powershell.exe (PID: 5288)
Request a resource from the Internet using PowerShell's cmdlet
- msiexec.exe (PID: 1360)
The process bypasses the loading of PowerShell profile settings
- msiexec.exe (PID: 1360)
Starts POWERSHELL.EXE for commands execution
- msiexec.exe (PID: 1360)
Powershell scripting: start process
- msiexec.exe (PID: 1360)
Process drops legitimate windows executable
- MicrosoftEdgeWebview2Setup.exe (PID: 6124)
- svchost.exe (PID: 1920)
- setup.exe (PID: 5932)
- MicrosoftEdgeUpdate.exe (PID: 1328)
- MicrosoftEdge_X64_129.0.2792.65.exe (PID: 5128)
- powershell.exe (PID: 5288)
Executable content was dropped or overwritten
- MicrosoftEdgeWebview2Setup.exe (PID: 6124)
- MicrosoftEdgeUpdate.exe (PID: 1328)
- setup.exe (PID: 5932)
- powershell.exe (PID: 5288)
- MicrosoftEdge_X64_129.0.2792.65.exe (PID: 5128)
Starts a Microsoft application from unusual location
- MicrosoftEdgeUpdate.exe (PID: 1328)
- MicrosoftEdgeWebview2Setup.exe (PID: 6124)
Starts itself from another location
- MicrosoftEdgeUpdate.exe (PID: 1328)
Application launched itself
- setup.exe (PID: 5932)
- MicrosoftEdgeUpdate.exe (PID: 2368)
- msedgewebview2.exe (PID: 3140)
Potential Corporate Privacy Violation
- svchost.exe (PID: 1920)
INFO
Checks supported languages
- msiexec.exe (PID: 1360)
- msiexec.exe (PID: 4980)
An automatically generated document
- msiexec.exe (PID: 6696)
Reads the computer name
- msiexec.exe (PID: 4980)
- msiexec.exe (PID: 1360)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6696)
- msiexec.exe (PID: 1360)
Manual execution by a user
- WINWORD.EXE (PID: 3908)
- Taskmgr.exe (PID: 4944)
- Taskmgr.exe (PID: 6504)
- Retrac Launcher.exe (PID: 5976)
- Retrac Launcher.exe (PID: 6000)
- Retrac Launcher.exe (PID: 2844)
- Retrac Launcher.exe (PID: 6196)
- Retrac Launcher.exe (PID: 4236)
Manages system restore points
- SrTasks.exe (PID: 3860)
Attempting to use instant messaging service
- msedge.exe (PID: 6604)
The executable file from the user directory is run by the Powershell process
- MicrosoftEdgeWebview2Setup.exe (PID: 6124)
Application launched itself
- msedge.exe (PID: 2180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Retrac Launcher |
| Author: | retrac |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Retrac Launcher. |
| Template: | x64;0 |
| RevisionNumber: | {96B6EFCC-925B-4F3C-B073-1B1E96E5D875} |
| CreateDate: | 2024:08:30 21:43:00 |
| ModifyDate: | 2024:08:30 21:43:00 |
| Pages: | 450 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.11.2.4516) |
| Security: | Read-only recommended |
Total processes
190
Monitored processes
50
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 652 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe" /user | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update COM Registration Helper Exit code: 0 Version: 1.3.195.19 Modules
| |||||||||||||||
| 1116 | "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.13 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,14568359503480116587,8662869439500404738,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:2 | C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.65\msedgewebview2.exe | — | msedgewebview2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge WebView2 Version: 129.0.2792.65 Modules
| |||||||||||||||
| 1144 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7NjVBNzJGNzgtN0M4Mi00NzhFLThEMEMtMTlGMEREMjU4NzkxfSIgdXNlcmlkPSJ7RjVGOUZDNjYtQjQ0OS00MDAwLUJFQjgtMkQ4RURENDM4Mzg2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBNjlDNjhEQi03QUY0LTRDQTMtOTM1QS1FQzRENDcxRDkzQkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDE4NjA5NjIxMTMiIGluc3RhbGxfdGltZV9tcz0iNTc3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.19 Modules
| |||||||||||||||
| 1328 | C:\Users\admin\AppData\Local\Temp\EUD7B0.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" | C:\Users\admin\AppData\Local\Temp\EUD7B0.tmp\MicrosoftEdgeUpdate.exe | MicrosoftEdgeWebview2Setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.19 Modules
| |||||||||||||||
| 1360 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1920 | C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1928 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3544 --field-trial-handle=2388,i,5305437637137115828,9978039176166310282,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2180 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/oauth2/authorize?client_id=1212184991732080700&redirect_uri=https%3A%2F%2Fretrac.site%2Fretrac%2Fdiscord&response_type=code&scope=identify | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Retrac Launcher.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2208 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2368 | "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding | C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 0 Version: 1.3.195.19 Modules
| |||||||||||||||
Total events
35 331
Read events
31 947
Write events
3 262
Delete events
122
Modification events
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000FEF8F002EF11DB0150050000080B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000FEF8F002EF11DB0150050000080B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 480000000000000003A53F03EF11DB0150050000080B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 480000000000000003A53F03EF11DB0150050000080B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000F9084203EF11DB0150050000080B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 480000000000000022BC4603EF11DB0150050000080B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 480000000000000005B13605EF11DB0150050000080B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1360) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 480000000000000089143905EF11DB0150050000CC0F0000E80300000100000000000000000000005D15AD29B7BE2F4D9EF4348CDC1A033E00000000000000000000000000000000 | |||
| (PID) Process: | (5040) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000006EF44405EF11DB01B0130000D0150000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
213
Suspicious files
171
Text files
94
Unknown types
23
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1360 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3908 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary | |
MD5:E97F8FF623C9DCA38B905F119C583E55 | SHA256:B8FECE7706E939895E00D7DF5A754FCDB714EEF4CC07A86C5AE54980FA1527F8 | |||
| 6696 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI6A31.tmp | executable | |
MD5:4FDD16752561CF585FED1506914D73E0 | SHA256:AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7 | |||
| 3908 | WINWORD.EXE | C:\Users\admin\Desktop\~$ricahost.rtf | binary | |
MD5:BCEE27EB2A4196EBA5E2F54A96E436D3 | SHA256:711CDEEEB104A8DE4E0F4213F002C81DE3223E2335624836A8287452B044FBD6 | |||
| 3908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:ED2AB2DC92FB9A50442367FD7B492717 | SHA256:34B78AEE628E6DA1A4AFE12676AD97A6910F76EE7CD71F6B2B067EEA45B640AA | |||
| 3908 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | abr | |
MD5:63EE2BE2FACC794288D74DC4CE00DC54 | SHA256:DDFD27D4A5E5F64E79B0811B4A56746E5925300A24A02D355A3835073E218076 | |||
| 3908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BB8C41A7-D10B-4193-8147-D2FCDC4066F1 | xml | |
MD5:159487B0E6C9AE803781956A74F6F117 | SHA256:7E80307AF1C9618D85C3BB42720F353C02FC9D76F360615219EF7649AB2BAF96 | |||
| 1360 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{29ad155d-beb7-4d2f-9ef4-348cdc1a033e}_OnDiskSnapshotProp | binary | |
MD5:144406DE8345669EFAEA9B3A6A679749 | SHA256:A0C59E75DE0B395CC1AF91DDF985798E75F36270210094EC009DDF7B6691457A | |||
| 3908 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | der | |
MD5:E131FB9B94EF49A77ED5E43828ADC46C | SHA256:5D18B5985A0501BED10FE5CC49BB475B57946634823765A8F2FE7D7A9539111A | |||
| 1360 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:144406DE8345669EFAEA9B3A6A679749 | SHA256:A0C59E75DE0B395CC1AF91DDF985798E75F36270210094EC009DDF7B6691457A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
91
DNS requests
51
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTVmxc3aY%2FvSxbIF7f%2BFQjNQl4g8gQUNfHnETJo5rLI2nHmcPPoPLgOBxsCEzMAACPksaaPgtK%2F468AAAAAI%2BQ%3D | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 142.250.185.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAFSnug2jwtdcrpDPi2Opi0%3D | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
3908 | WINWORD.EXE | GET | 200 | 142.250.185.67:80 | http://c.pki.goog/r/r4.crl | unknown | — | — | whitelisted |
1328 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4056 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1448 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3592 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3592 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
3908 | WINWORD.EXE | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
roaming.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com) |
1920 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
5060 | msedgewebview2.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
5060 | msedgewebview2.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
5060 | msedgewebview2.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
5060 | msedgewebview2.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
6604 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
6604 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
6604 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
Retrac Launcher.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
Retrac Launcher.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
Retrac Launcher.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
Retrac Launcher.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
Retrac Launcher.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\site.retrac directory exists )
|