File name: ExtendInstaller_1.0.0.6[1].exe
Full analysis: https://app.any.run/tasks/f895a64f-2895-41f1-997c-2cf414b83040
Verdict: Malicious activity
Analysis date: June 29, 2025, 21:58:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 001CA3358ED0E81F867F50914770C8D3
SHA1: 514B73831C2E0E088A53572AE2D795C497928C0C
SHA256: 92BE77FC52AB75A14EF213B4B1C41B1FCD4CA1409E5CF960169E217664549FEE
SSDEEP: 98304:t/REOKg9dRoMg5S6u2BkdqnIuBfeQ9il3ozRxhMoLtg5S9Pb5NqMwZMC74qUWv7+:1Z+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by the analyst's actions in the sandbox and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • DRInstaller_scene_scene.exe (PID: 4676)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • XDExtend.exe (PID: 4236)
      • DLLRepair.exe (PID: 3936)
    • Reads security settings of Internet Explorer

      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DLLRepair.exe (PID: 3936)
    • Application launched itself

      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1688)
    • Executes as Windows Service

      • XDExtendServer.exe (PID: 592)
      • DOSvr.exe (PID: 3952)
    • Drops 7-zip archiver for unpacking

      • DRInstaller_scene_scene.exe (PID: 4676)
    • Creates a software uninstall entry

      • DRInstaller_scene_scene.exe (PID: 4676)
    • Searches for installed software

      • DLLRepair.exe (PID: 3936)
      • DRInstaller_scene_scene.exe (PID: 4676)
  • INFO

    • Reads the computer name

      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • XDExtendServer.exe (PID: 3980)
      • XDExtendServer.exe (PID: 592)
      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DOSvr.exe (PID: 6940)
      • DOSvr.exe (PID: 3952)
      • DLLRepair.exe (PID: 3936)
    • Process checks computer location settings

      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
    • Checks supported languages

      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • XDExtendServer.exe (PID: 3980)
      • XDExtendServer.exe (PID: 592)
      • XDExtend.exe (PID: 4236)
      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
      • XDLauncher.exe (PID: 6764)
      • XDExtend.exe (PID: 5348)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DOSvr.exe (PID: 6940)
      • DLLRepair.exe (PID: 3936)
      • DOSvr.exe (PID: 3952)
      • DLLRepair.exe (PID: 4948)
    • Creates files or folders in the user directory

      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DLLRepair.exe (PID: 3936)
    • The sample is compiled with Chinese language support

      • ExtendInstaller_1.0.0.6[1].exe (PID: 4412)
      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DLLRepair.exe (PID: 3936)
    • Checks proxy server information

      • ExtendInstaller_1.0.0.6[1].exe (PID: 3800)
      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DLLRepair.exe (PID: 3936)
      • slui.exe (PID: 4880)
    • Manual execution by a user

      • XDExtend.exe (PID: 5348)
      • XDExtend.exe (PID: 3788)
      • XDLauncher.exe (PID: 6764)
    • Creates files in a temporary directory

      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
    • Reads the machine GUID from the registry

      • XDExtend.exe (PID: 4236)
      • DRInstaller_scene_scene.exe (PID: 4676)
      • DLLRepair.exe (PID: 3936)
    • The sample is compiled with English language support

      • DRInstaller_scene_scene.exe (PID: 4676)
    • Creates files in the program directory

      • DRInstaller_scene_scene.exe (PID: 4676)
    • Reads the software policy settings

      • slui.exe (PID: 4880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD's top guess (Win64) is a byte-pattern heuristic and contradicts the PE header, which is authoritative: the file is a PE32 image for Intel 386 (see the file info above and the EXIF block below), and every instance of it in the process list runs under WoW64 (wow64.dll, wow64cpu.dll loaded).

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 08:35:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 484352
InitializedDataSize: 1646592
UninitializedDataSize: -
EntryPoint: 0x45ef5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.5
ProductVersionNumber: 1.0.0.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: 成都艾上办公科技有限公司
FileDescription: 扩展程序安装包 (Extension installer package)
FileVersion: 1.0.0.6
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2024
OriginalFileName: Setup.exe
ProductName: 扩展程序 (Extension)
ProductVersion: 1.0.0.6

Note the version mismatch inside the resource: the binary VS_FIXEDFILEINFO fields (FileVersionNumber, ProductVersionNumber) say 1.0.0.5 while the string table and the file name say 1.0.0.6, so any version-based matching should check both. The link timestamp (2024-11-26) is seven months older than the analysis date.
All screenshots are available in the full report
Total processes: 158
Monitored processes: 20
Malicious processes: 3
Suspicious processes: 3

Behavior graph

Processes in the graph, in the order shown (processes marked "no specs" triggered no signatures): extendinstaller_1.0.0.6[1].exe (no specs), extendinstaller_1.0.0.6[1].exe, regsvr32.exe (no specs), regsvr32.exe, xdextendserver.exe (no specs), xdextendserver.exe (no specs), xdextend.exe, conhost.exe (no specs), slui.exe, xdextend.exe (no specs), xdextend.exe, conhost.exe (no specs), xdlauncher.exe (no specs), drinstaller_scene_scene.exe, regsvr32.exe (no specs), dllrepair.exe, dosvr.exe (no specs), dosvr.exe (no specs), dllrepair.exe (no specs), cefview.exe (no specs)

Process information

PID 592
  Command line: C:\Users\admin\AppData\Local\XDExtend\XDExtendServer.exe
  Path: C:\Users\admin\AppData\Local\XDExtend\XDExtendServer.exe
  Parent process: services.exe
  User: SYSTEM
  Integrity level: SYSTEM
  Loaded modules:
    c:\users\admin\appdata\local\xdextend\xdextendserver.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll
  Note: XDExtendServer.exe is started by services.exe as SYSTEM from a directory inside the user's profile (the same directory the installer wrote as Path under App Paths\XDExtend.exe). Whether that crosses a privilege boundary depends on the directory ACL, which the report does not show; on a live host, check it with icacls before drawing a conclusion.
PID 1688
  Command line: /s "C:\Users\admin\AppData\Local\XDExtend\XDExtendShell64.dll"
  Path: C:\Windows\System32\regsvr32.exe
  Parent process: regsvr32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Microsoft(C) Register Server
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules:
    c:\windows\system32\regsvr32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\aclayers.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
  Note: this is the native 64-bit regsvr32 with another regsvr32 as its parent. The WoW64 regsvr32 started by the installer (PID 3820, same DLL path) cannot load a 64-bit DLL itself and hands it to the System32 copy, which returns 0. /s suppresses the result dialog. The "Creates/Modifies COM task schedule object" signature is attributed to this PID, consistent with DllRegisterServer writing the shell extension's COM registration (ATT&CK T1218.010, Regsvr32).
PID 1932
  Command line: "C:\Users\admin\AppData\Roaming\DLLRepairOfficialData\webview\cef\CefView.exe" --parent_wnd=40372 --tab_rect="0,32,776,528" --tab_ids="5E138AFB-8D74-4c22-80A2-3A2E43D4471D" --cmd="" --disable-gpu --disable-gpu-compositing --url="https://dll.pdfxd.com/pricing.html?token=MTc1MTIzNDQxN3xOUXdBTWxCbGRERmhlbnlPVWpwNFpHUnNiRHBsTjJJeFpqRmlabVU0TTJaa05qUmxZVFJsTWpNeFlUY3dOVE5pWXprellUbzF8w8Qc_Cma1xaV5AEWGvZu412Gj6qw0X0SWFd47QPR9Oo=&os=163842&device_id=e7b1f1bfe83fd64ea4e231a7053bc93a&version=1.0.2.9&qd=scene&t=1646500&product=xddll&machine_name=DESKTOP-JGLLJLD&webview=cef&os=163842&device_id=e7b1f1bfe83fd64ea4e231a7053bc93a&version=1.0.2.9&qd=scene&machine_name=DESKTOP-JGLLJLD&webview=cef" --user-agent=Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 XunduPDF/49.0.2623.110 --no-proxy-server
  Path: C:\Users\admin\AppData\Roaming\DLLRepairOfficialData\webview\cef\CefView.exe
  Parent process: DLLRepair.exe
  User: admin
  Integrity level: HIGH
  Description: CefView Application
  Version: 2.5020.2001.229
  Loaded modules:
    c:\users\admin\appdata\roaming\dllrepairofficialdata\webview\cef\cefview.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
  Note: the --url argument sends the host name (DESKTOP-JGLLJLD), a device_id (e7b1f1bfe83fd64ea4e231a7053bc93a, the same value the installer wrote as Mid under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe), the product version (1.0.2.9, matching DLLRepair.exe) and a signed token to dll.pdfxd.com; several query parameters are repeated verbatim. The embedded browser identifies itself as Chromium 49 (a 2016 release) with a user agent claiming Windows NT 6.2 although the guest is Windows 10, and it renders remote content at high integrity as a child of DLLRepair.exe.
PID 1948
  Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: XDExtend.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
PID 2040
  Command line: regsvr32 /s "C:\Program Files (x86)\DLLRepairOfficial\DLLRepairShellExt64.dll"
  Path: C:\Windows\SysWOW64\regsvr32.exe
  Parent process: DRInstaller_scene_scene.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Microsoft(C) Register Server
  Exit code: 3
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules:
    c:\windows\syswow64\regsvr32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll
  Note: exit code 3 from regsvr32 means LoadLibrary on the DLL failed (missing file, wrong bitness, or an unresolved import). The report does not show which, so do not assume DLLRepairShellExt64.dll was registered in this run.
PID 3788
  Command line: "C:\Users\admin\Desktop\XDExtend.exe"
  Path: C:\Users\admin\Desktop\XDExtend.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540
  Loaded modules:
    c:\users\admin\desktop\xdextend.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
  Note: 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED. The copy the analyst double-clicked on the Desktop at medium integrity never ran its own code (only ntdll was mapped) because the image's manifest demands administrator rights; an elevated instance follows, which is why the conhost.exe child of XDExtend.exe (PID 1948) runs at HIGH integrity.
PID 3800
  Command line: "C:\Users\admin\AppData\Local\Temp\ExtendInstaller_1.0.0.6[1].exe" /ElevPri
  Path: C:\Users\admin\AppData\Local\Temp\ExtendInstaller_1.0.0.6[1].exe
  Parent process: ExtendInstaller_1.0.0.6[1].exe
  User: admin
  Company: 成都艾上办公科技有限公司
  Integrity level: HIGH
  Description: 扩展程序安装包 (Extension installer package)
  Exit code: 0
  Version: 1.0.0.6
  Loaded modules:
    c:\users\admin\appdata\local\temp\extendinstaller_1.0.0.6[1].exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
  Note: this is the elevated second instance that the first instance (PID 4412, "Application launched itself") started with the /ElevPri switch. It does the actual installing: it drops the files listed below, starts regsvr32 (PID 3820) for the shell extension, writes the App Paths\XDExtend.exe values under HKLM and posts to report.pdfxd.com.
PID 3820
  Command line: regsvr32 /s "C:\Users\admin\AppData\Local\XDExtend\XDExtendShell64.dll"
  Path: C:\Windows\SysWOW64\regsvr32.exe
  Parent process: ExtendInstaller_1.0.0.6[1].exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Microsoft(C) Register Server
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules:
    c:\windows\syswow64\regsvr32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\aclayers.dll
  Note: the 32-bit regsvr32 started by the installer. PID 1688 (System32 regsvr32, same DLL path, parent regsvr32.exe) is the native copy it delegated to for the 64-bit DLL; the 0 here mirrors that result.
PID 3936
  Command line: "C:\Program Files (x86)\DLLRepairOfficial\DLLRepair.exe" /from startmenu
  Path: C:\Program Files (x86)\DLLRepairOfficial\DLLRepair.exe
  Parent process: DRInstaller_scene_scene.exe
  User: admin
  Company: 成都艾上办公科技有限公司
  Integrity level: HIGH
  Description: DLL修复工具主程序 (DLL repair tool main program)
  Version: 1.0.2.9
  Loaded modules:
    c:\program files (x86)\dllrepairofficial\dllrepair.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
PID 3952
  Command line: "C:\Program Files (x86)\DLLRepairOfficial\DOSvr.exe"
  Path: C:\Program Files (x86)\DLLRepairOfficial\DOSvr.exe
  Parent process: services.exe
  User: SYSTEM
  Integrity level: SYSTEM
  Loaded modules:
    c:\program files (x86)\dllrepairofficial\dosvr.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\shlwapi.dll
    c:\windows\syswow64\msvcrt.dll
  Note: the second SYSTEM service installed by the chain. Unlike XDExtendServer.exe (PID 592) it runs from Program Files (x86), which is not writable by standard users by default.
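The process table above carries three facts that are easy to misread in a flat dump: which regsvr32 instances register a DLL from a user-writable directory, which SYSTEM services have their image inside a user profile, and what the raw exit codes (3, 3221226540) mean. The script below is an added example, not ANY.RUN or vendor code: it encodes those checks as rules and runs them over PROCS, which is transcribed from the entries above (PIDs, paths, parents, users, exit codes). The "user-writable" test is a path heuristic (anything under C:\Users\) and is labelled as such in the code; confirm with icacls on a real host.

```python
"""Triage rules for a sandbox process table: regsvr32 targets, service image
locations and exit-code meaning. Added example; PROCS is transcribed from the
process entries in the report above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented regsvr32.exe return codes.
REGSVR32_EXIT = {
    0: "success",
    1: "invalid command-line arguments",
    2: "OleInitialize failed",
    3: "LoadLibrary failed (DLL missing, wrong bitness or unresolved import)",
    4: "DllRegisterServer/DllUnregisterServer entry point not found",
    5: "DllRegisterServer/DllUnregisterServer returned an error",
}
# NTSTATUS values that surface as (decimal) process exit codes in sandbox reports.
NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}

# Heuristic: the user profile is writable by the user. Verify ACLs with icacls.
PROFILE_DIR = re.compile(r"^[a-z]:\\users\\", re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: str
    user: str = "admin"
    integrity: str = "MEDIUM"
    exit_code: Optional[int] = None

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    return bool(PROFILE_DIR.match(path))


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the DLL path regsvr32 was asked to register (quoted or bare)."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def describe_exit(p: Proc) -> str:
    if p.exit_code is None:
        return "no exit code recorded (still running at end of analysis)"
    if p.name == "regsvr32.exe" and p.exit_code in REGSVR32_EXIT:
        return f"regsvr32 {p.exit_code}: {REGSVR32_EXIT[p.exit_code]}"
    if p.exit_code in NTSTATUS:
        return f"0x{p.exit_code:08X} {NTSTATUS[p.exit_code]}"
    return f"exit code {p.exit_code}"


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule id, detail) findings for the four rules."""
    out = []
    for p in procs:
        if p.name == "regsvr32.exe":
            dll = regsvr32_target(p.cmdline)
            if dll and is_user_writable(dll):
                out.append((p.pid, "R1", f"regsvr32 registers DLL from user-writable path: {dll}"))
            if p.exit_code not in (None, 0):
                out.append((p.pid, "R4", describe_exit(p)))
        if p.parent.lower() == "services.exe" and p.user.upper() == "SYSTEM" \
                and is_user_writable(p.image):
            out.append((p.pid, "R2", f"SYSTEM service image in user-writable path: {p.image}"))
        if p.exit_code == 0xC000042C:
            out.append((p.pid, "R3", f"{p.integrity}-integrity launch refused: "
                                     f"{describe_exit(p)}; expect an elevated re-launch"))
    return out


# Transcribed from the process table above.
PROCS = [
    Proc(592, r"C:\Users\admin\AppData\Local\XDExtend\XDExtendServer.exe",
         r"C:\Users\admin\AppData\Local\XDExtend\XDExtendServer.exe", "services.exe", "SYSTEM", "SYSTEM"),
    Proc(1688, r"C:\Windows\System32\regsvr32.exe",
         r'/s "C:\Users\admin\AppData\Local\XDExtend\XDExtendShell64.dll"', "regsvr32.exe", "admin", "HIGH", 0),
    Proc(2040, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'regsvr32 /s "C:\Program Files (x86)\DLLRepairOfficial\DLLRepairShellExt64.dll"',
         "DRInstaller_scene_scene.exe", "admin", "HIGH", 3),
    Proc(3788, r"C:\Users\admin\Desktop\XDExtend.exe", r'"C:\Users\admin\Desktop\XDExtend.exe"',
         "explorer.exe", "admin", "MEDIUM", 3221226540),
    Proc(3800, r"C:\Users\admin\AppData\Local\Temp\ExtendInstaller_1.0.0.6[1].exe",
         r'"C:\Users\admin\AppData\Local\Temp\ExtendInstaller_1.0.0.6[1].exe" /ElevPri',
         "ExtendInstaller_1.0.0.6[1].exe", "admin", "HIGH", 0),
    Proc(3820, r"C:\Windows\SysWOW64\regsvr32.exe",
         r'regsvr32 /s "C:\Users\admin\AppData\Local\XDExtend\XDExtendShell64.dll"',
         "ExtendInstaller_1.0.0.6[1].exe", "admin", "HIGH", 0),
    Proc(3952, r"C:\Program Files (x86)\DLLRepairOfficial\DOSvr.exe",
         r'"C:\Program Files (x86)\DLLRepairOfficial\DOSvr.exe"', "services.exe", "SYSTEM", "SYSTEM"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(PROCS):
        print(f"{pid:>5} {rule} {detail}")
```

Run stand-alone it prints five findings: R1 for both regsvr32 instances that register XDExtendShell64.dll from AppData, R4 for PID 2040 (LoadLibrary failed), R2 for XDExtendServer.exe and R3 for the medium-integrity XDExtend.exe launch. DOSvr.exe triggers nothing because its image is under Program Files (x86).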
Total events: 110 759
Read events: 109 744
Write events: 984
Delete events: 31

Modification events

All by PID 3800, ExtendInstaller_1.0.0.6[1].exe, in the order recorded:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   write Mid = e7b1f1bfe83fd64ea4e231a7053bc93a
2. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
   write CachePrefix = (empty)
3. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
   write CachePrefix = Cookie:
4. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
   write CachePrefix = Visited:
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   delete key, name (default)
6. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   write Path = C:\Users\admin\AppData\Local\XDExtend\
7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   write Launcher = C:\Users\admin\AppData\Local\XDExtend\XDExtend.exe
8. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   write Date = 1751234314
9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
   write InstallDate = 2025-06-29 21:58:34
10. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe
    write ActDate = 1751234314

Three things to take from this list. The three CachePrefix writes are standard WinINet cache-container initialisation that any process using WinINet performs and are not specific to this sample. Date and ActDate (1751234314) are the Unix time of 2025-06-29 21:58:34, identical to the InstallDate string, which fixes the report's clock as UTC and ties the HTTP timestamps below to the install. Mid is the same 32-hex value the CefView.exe command line later sends as device_id, so this HKLM key is where the machine identifier is persisted; App Paths is normally used only for the Path and (default) values, so these extra values are a convenient host IOC.
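A small normaliser for the modification events above, added here as an example (not ANY.RUN tooling): it separates the WinINet cache-container noise from the HKLM writes, decodes the epoch values and cross-checks them against the InstallDate string, and records the facts an analyst would want in a ticket (install path inside the user profile, launcher inside that path, writer running from Temp). EVENTS is transcribed from the list above; WRITER_IMAGE is PID 3800's path from the process table; the WININET_CACHE_PREFIX table holds the values WinINet writes when a process first sets up its cache containers.

```python
"""Normalise sandbox registry modification events. Added example; EVENTS and
WRITER_IMAGE are transcribed from the report above."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

WRITER_IMAGE = r"C:\Users\admin\AppData\Local\Temp\ExtendInstaller_1.0.0.6[1].exe"
APP_PATHS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\XDExtend.exe"
WININET = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"
# Values WinINet writes the first time a process initialises its cache containers.
WININET_CACHE_PREFIX = {"Content": "", "Cookies": "Cookie:", "History": "Visited:"}

# (key, operation, value name, value) in the order the report lists them.
EVENTS: List[Tuple[str, str, str, str]] = [
    (APP_PATHS_KEY, "write", "Mid", "e7b1f1bfe83fd64ea4e231a7053bc93a"),
    (WININET + r"\Content", "write", "CachePrefix", ""),
    (WININET + r"\Cookies", "write", "CachePrefix", "Cookie:"),
    (WININET + r"\History", "write", "CachePrefix", "Visited:"),
    (APP_PATHS_KEY, "delete key", "(default)", ""),
    (APP_PATHS_KEY, "write", "Path", "C:\\Users\\admin\\AppData\\Local\\XDExtend\\"),
    (APP_PATHS_KEY, "write", "Launcher", r"C:\Users\admin\AppData\Local\XDExtend\XDExtend.exe"),
    (APP_PATHS_KEY, "write", "Date", "1751234314"),
    (APP_PATHS_KEY, "write", "InstallDate", "2025-06-29 21:58:34"),
    (APP_PATHS_KEY, "write", "ActDate", "1751234314"),
]


def epoch_utc(value: str) -> str:
    """Render a decimal Unix timestamp the way the InstallDate string is written."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify(key: str, op: str, name: str, value: str) -> str:
    container = key.rsplit("\\", 1)[-1]
    if key.startswith(WININET) and name == "CachePrefix" \
            and WININET_CACHE_PREFIX.get(container) == value:
        return "noise"   # WinINet initialisation, not sample-specific
    if key.startswith("HKEY_LOCAL_MACHINE\\"):
        return "hklm"    # machine-wide change: needs admin, worth reviewing
    return "hkcu"


def app_paths_values(events) -> Dict[str, str]:
    """Collect the values written under App Paths\\XDExtend.exe."""
    return {name: value for key, op, name, value in events
            if key == APP_PATHS_KEY and op == "write"}


def checks(events, writer_image: str) -> Dict[str, bool]:
    v = app_paths_values(events)
    return {
        "date_is_installdate_utc": epoch_utc(v["Date"]) == v["InstallDate"],
        "actdate_equals_date": v["ActDate"] == v["Date"],
        "launcher_inside_path": v["Launcher"].lower().startswith(v["Path"].lower()),
        "install_path_in_profile": v["Path"].lower().startswith("c:\\users\\"),
        "writer_runs_from_temp": "\\temp\\" in writer_image.lower(),
    }


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{classify(*ev):5} {ev[1]:10} {ev[2]} = {ev[3]!r}")
    for k, ok in checks(EVENTS, WRITER_IMAGE).items():
        print(f"{k}: {ok}")
```

Every check comes back true for this report; in particular date_is_installdate_utc is what establishes that the sandbox timestamps are UTC, which matters when you line the registry writes up against the HTTP beacons.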
Executable files: 51
Suspicious files: 78
Text files: 10
Unknown types: 0

Dropped files

PID 3800, ExtendInstaller_1.0.0.6[1].exe:
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}\setup.config (xml)
    MD5: CDF9BAC1C61921CD4A1EA66CA05E74E2
    SHA256: E96E3B84786948652456A5E4FDE99EB458841867DA83B98BA13092CFB72C523A
  C:\Users\admin\AppData\Local\XDExtend\XDLauncher.exe (executable)
    MD5: 528C10A8E13312D133CBE0369AE1E131
    SHA256: EA25928A92F4B940BD29FD9BE7B837E12A9AD81CEE5084D271CE53ED68F47A4B
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}Res.cab (compressed; path as listed in the report)
    MD5: C16B2704C994D01ED0AD026C6F4B62A0
    SHA256: 3E78B0AA24CD094E1E4EDF5B58A8A0B3B4C254020AAAAC251277DAACD4FA1ADB
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}\Skin\extend.skn (compressed)
    MD5: 9800F7AAAE28DF95A46F7DFA2C432782
    SHA256: 6304E271DBEC76413FB5DE141E300212F80515C18F854E588A291760EB1FE0E2
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}\Uninst.exe (executable)
    MD5: 1B21838F155C34B5485E3929BA73522D
    SHA256: A8B2BF5F5E90E2C1A74AA046B2437F5DF275107312C8DB03D97A58FBDD7E3634
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}\XDExtendServer.exe (executable)
    MD5: C061B04CD0987D6E4B2E97496363D322
    SHA256: 10DDDC2EC78AD35B6482AAD3A768A64CB91FF0C63F49E5AE09FF9568ECA00F2D
  C:\Users\admin\AppData\Roaming\{E36A5F88-9B4B-4DE8-B29B-5A13E04B3A37}\XDExtendShell64.dll (executable)
    MD5: 27BEFF6F5D99B6163A0C3D2D71110EBA
    SHA256: F7511D715998DDF322426B58A503FDB39356E4BFA09D22A311734EB93798BF9F
  C:\Users\admin\AppData\Local\XDExtend\PopPlugin.dll (executable)
    MD5: C90E27B46CDE2B9C0B9D4E71336214E7
    SHA256: B0171FFC7591EAFB891C71DD87424591F267BE3B5B5C4278FC0C36785146F7CE
  C:\Users\admin\AppData\Local\XDExtend\setup.config (xml)
    MD5: CDF9BAC1C61921CD4A1EA66CA05E74E2
    SHA256: E96E3B84786948652456A5E4FDE99EB458841867DA83B98BA13092CFB72C523A

PID 4676, DRInstaller_scene_scene.exe:
  C:\Users\admin\AppData\Local\Temp\39DCC7CD_F3DF_4436_B3CC_A62F65BD99A7.tmp
    MD5: (not listed)
    SHA256: (not listed)

The GUID-named directory under Roaming is a staging area: the service binary (XDExtendServer.exe) and the shell extension (XDExtendShell64.dll) are hashed there, but they run from and are registered from C:\Users\admin\AppData\Local\XDExtend\ (PIDs 592, 1688, 3820); setup.config lands in both places with the same hash. This excerpt lists 10 of the 51 executables dropped, so before using the SHA256 values above as indicators for the running images, hash the copies under Local\XDExtend as well.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 53
DNS requests: 23
Threats: 1

HTTP requests

PID  Process  Method  HTTP code  IP  URL  CN  Type  Size  Reputation (empty columns omitted)

1268  svchost.exe  GET  200  95.101.149.131:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
4236  XDExtend.exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=7fe4f67e197b5a6255849ab264bbbd19&timestamp=1751234325  unknown  unknown
4236  XDExtend.exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=c6575670a5b77c60b71711b107e8e823&timestamp=1751234325  unknown  unknown
4236  XDExtend.exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=16145380b1be359196f12874837868a6&timestamp=1751234325  unknown  unknown
2940  svchost.exe  GET  200  69.192.161.44:80  http://x1.c.lencr.org/  unknown  whitelisted
4676  DRInstaller_scene_scene.exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=f57d36196914cbb6ffa81a4317f202d7&timestamp=1751234415  unknown  unknown
3936  DLLRepair.exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=b270a492781b353f87c5ed9878db3bb5&timestamp=1751234415  unknown  unknown
3800  ExtendInstaller_1.0.0.6[1].exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=d9144b34e5c24940f44eb03094785777&timestamp=1751234313  unknown  unknown
3800  ExtendInstaller_1.0.0.6[1].exe  POST  200  123.56.218.178:80  http://report.pdfxd.com/v1/log?sign=0493384346a9fccff6428d5ef6c97872&timestamp=1751234314  unknown  unknown
1268  svchost.exe  GET  200  2.16.168.124:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted

Every request made by the sample's own processes (ExtendInstaller, XDExtend, DRInstaller, DLLRepair) is a cleartext HTTP POST to report.pdfxd.com/v1/log with a 32-hex sign value and a Unix timestamp; the svchost.exe rows are the operating system's own CRL fetches. The timestamps run from 1751234313 (21:58:33 UTC, one second before the InstallDate written to the registry) to 1751234415 (22:00:15 UTC). The POST bodies are not shown in this excerpt; the PCAP in the full report has them.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
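The outbound URLs in this report carry the host identifiers in the clear: the CefView.exe command line (PID 1932) sends machine_name, device_id and a signed token to dll.pdfxd.com, and the /v1/log POSTs above carry sign and timestamp values. The script below is an added example, not part of the report or of the vendor's software. CEFVIEW_URL is copied verbatim from the CefView command line and LOG_URL from the first XDExtend.exe POST; MID_FROM_REGISTRY is the Mid value the installer wrote under App Paths. The token layout it decodes (base64url of "unix-timestamp|base64(value)|32-byte MAC") is an observation about this particular token, labelled as an assumption in the code; it is the same layout the gorilla/securecookie library produces, and the value field turns out to contain the product tag and device_id.

```python
"""Pull identifiers and timestamps out of the sample's outbound URLs.
Added example; CEFVIEW_URL, LOG_URL and MID_FROM_REGISTRY are copied from
the report above."""
import base64
from datetime import datetime, timezone
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

CEFVIEW_URL = (
    "https://dll.pdfxd.com/pricing.html?token=MTc1MTIzNDQxN3xOUXdBTWxCbGRERmhlbnlPVWpwNFpH"
    "UnNiRHBsTjJJeFpqRmlabVU0TTJaa05qUmxZVFJsTWpNeFlUY3dOVE5pWXprellUbzF8w8Qc_Cma1xaV5AEW"
    "GvZu412Gj6qw0X0SWFd47QPR9Oo=&os=163842&device_id=e7b1f1bfe83fd64ea4e231a7053bc93a"
    "&version=1.0.2.9&qd=scene&t=1646500&product=xddll&machine_name=DESKTOP-JGLLJLD"
    "&webview=cef&os=163842&device_id=e7b1f1bfe83fd64ea4e231a7053bc93a&version=1.0.2.9"
    "&qd=scene&machine_name=DESKTOP-JGLLJLD&webview=cef"
)
LOG_URL = "http://report.pdfxd.com/v1/log?sign=7fe4f67e197b5a6255849ab264bbbd19&timestamp=1751234325"
MID_FROM_REGISTRY = "e7b1f1bfe83fd64ea4e231a7053bc93a"   # HKLM ...\App Paths\XDExtend.exe, Mid
IDENTIFYING = ("device_id", "machine_name", "version", "product", "qd")


def query(url: str) -> Dict[str, List[str]]:
    """parse_qs keeps every occurrence of a repeated key, which this URL has."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def identifiers(url: str) -> Dict[str, str]:
    q = query(url)
    return {k: q[k][0] for k in IDENTIFYING if k in q}


def repeated(url: str) -> List[str]:
    return sorted(k for k, v in query(url).items() if len(v) > 1)


def utc(ts) -> str:
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def split_token(token: str) -> Tuple[int, bytes, bytes]:
    """Assumed layout: base64url of b'<unix ts>|<base64 value>|<raw mac>'.
    maxsplit=2 keeps the raw MAC intact even if one of its bytes is 0x7C ('|')."""
    raw = base64.urlsafe_b64decode(token)
    ts, value_b64, mac = raw.split(b"|", 2)
    return int(ts), base64.b64decode(value_b64), mac


def report(url: str, mid: str) -> Dict[str, object]:
    ids = identifiers(url)
    ts, value, mac = split_token(query(url)["token"][0])
    return {
        "identifiers": ids,
        "repeated_params": repeated(url),
        "device_id_matches_registry_mid": ids.get("device_id") == mid,
        "token_issued_utc": utc(ts),
        "token_value_names_device_id": ids.get("device_id", "").encode() in value,
        "mac_len": len(mac),
    }


if __name__ == "__main__":
    for k, v in report(CEFVIEW_URL, MID_FROM_REGISTRY).items():
        print(f"{k}: {v}")
    print("first XDExtend.exe beacon at", utc(query(LOG_URL)["timestamp"][0]), "UTC")
```

The token timestamp decodes to 22:00:17 UTC, 103 seconds after the InstallDate in the registry, and the token's value field contains "xddll:" followed by the device_id, so the pricing page receives the same machine identifier three ways (query string, token, and, via the registry, every later run). The 32-byte trailer is a MAC the client cannot verify without the server's key; treat the token as opaque and do not try to forge one.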

Connections

PID  Process  IP  Domain  ASN  CN  Reputation (empty columns omitted)

5944  MoUsoCoreWorker.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4  System  192.168.100.255:137  whitelisted
1268  svchost.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4664  RUXIMICS.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4  System  192.168.100.255:138  whitelisted
3800  ExtendInstaller_1.0.0.6[1].exe  123.56.218.178:80  report.pdfxd.com  Hangzhou Alibaba Advertising Co.,Ltd.  CN  unknown
1268  svchost.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1268  svchost.exe  2.16.168.124:80  crl.microsoft.com  Akamai International B.V.  RU  whitelisted
1268  svchost.exe  95.101.149.131:80  www.microsoft.com  Akamai International B.V.  NL  whitelisted
2668  svchost.exe  40.126.32.72:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

The only endpoint in this excerpt that belongs to the sample is report.pdfxd.com (123.56.218.178, an Alibaba Cloud address in China) on port 80; the remaining rows are Windows telemetry, CRL downloads and NetBIOS broadcasts (ports 137/138) from the System process. google.com and ocsp.digicert.com appear only in the DNS list below. dll.pdfxd.com, the host CefView.exe was pointed at, is absent from both the connection and DNS excerpts, so the full PCAP is needed to tell whether that page was ever fetched.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.110
whitelisted
report.pdfxd.com
  • 123.56.218.178
unknown
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.67
  • 40.126.32.76
  • 20.190.160.17
  • 20.190.160.64
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID  Process  Class  Message
(no PID or process attributed)  Unknown Traffic  ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

The single IDS hit is the Emerging Threats signature for the "MSDW" user agent of the Windows Error Reporting client. The report attaches no PID to it and nothing in the HTTP list ties it to the sample's processes, so treat it as Windows background traffic unless the PCAP shows otherwise.
Debug output strings

Process  Message
regsvr32.exe  [DEBUG] UnInit
regsvr32.exe  [DEBUG] DLL_PROCESS_DETACH
regsvr32.exe  [DEBUG] Init
regsvr32.exe  [DEBUG] DLL_PROCESS_ATTACH
XDExtend.exe  [DEBUG] start ui thread
XDExtend.exe  [DEBUG] start monitor dir: C:\Users\admin\
XDExtend.exe  [DEBUG] ReportAssoc.ext:.pdf,filename:Acrobat
XDExtend.exe  [DEBUG] ReportAssoc.ext:.7z,filename:WinRAR
XDExtend.exe  [DEBUG] ReportAssoc.ext:.rar,filename:WinRAR
XDExtend.exe  [DEBUG] ReportAssoc.ext:.zip,filename:WinRAR

These are debugger-output strings captured from the processes. The regsvr32.exe lines come from the shell extension DLL's DllMain and its Init/UnInit routines during registration. XDExtend.exe installs a watcher on the whole user profile (C:\Users\admin\) and reports which application owns the .pdf, .7z, .rar and .zip associations on the guest (Acrobat and WinRAR), which is the behaviour behind the "Searches for installed software" signature; whether those associations are what its /v1/log POSTs carry is not visible in this excerpt and has to be read from the PCAP.