Quote: Originally posted by instrumentally
What we are seeing in the LOGs could be a combination of both failed user attempts and anti-virus scanners that are trying to analyze whether the EXE and associated files are trustworthy or not. As I mentioned towards the beginning of this thread, the EXE cannot be accessed through a web page linked to our home page. The EXE link was either in an email that we sent out, or in an HTML file on the server that has no links to any other page. So it cannot be that a standard search engine spider is behind the downloads. Would a search engine spider try to run a Web Deploy stub? That doesn't make sense. I can, however, see virus checkers performing sandbox tests. I can also see Google analyzing any links found in emails to EXEs that arrive in Gmail inboxes.
Well, I think this IP address 14.141.60.156 (which belongs to Tata Communications Limited, India) is prepared to handle it. This is from your server LOG. They download the Web Deploy stub and later execute it from another IP.

2019-03-19 04:13:52 192.168.1.15 GET /demo/deployment/inword.exe - 80 - 14.141.60.156 python-requests/2.18.4 - 200 0 0 31
2019-03-19 04:14:00 192.168.1.15 GET /demo/deployment/inword.exe - 80 - 14.141.60.156 python-requests/2.18.4 - 200 0 0 15
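
To check a whole log for this pattern rather than reading it by eye, the following added example (not code from the thread) groups successful `.exe` downloads made by HTTP-library clients by client IP and User-Agent. It assumes the default IIS W3C field order, since no `#Fields:` header appears in the post; the User-Agent prefix list and the third sample line are constructed.

```python
import re
from collections import defaultdict

# Assumed field order: the IIS W3C default. The post shows no "#Fields:" header.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent referer status substatus win32_status time_taken").split()

# Constructed, non-exhaustive list of HTTP-library User-Agent prefixes.
SCRIPTED_UA = re.compile(
    r"^(python-requests|python-urllib|curl|wget|go-http-client)/", re.I)

# First two lines are from the post; the third is a constructed browser request.
SAMPLE_LOG = """\
2019-03-19 04:13:52 192.168.1.15 GET /demo/deployment/inword.exe - 80 - 14.141.60.156 python-requests/2.18.4 - 200 0 0 31
2019-03-19 04:14:00 192.168.1.15 GET /demo/deployment/inword.exe - 80 - 14.141.60.156 python-requests/2.18.4 - 200 0 0 15
2019-03-19 05:02:11 192.168.1.15 GET /demo/deployment/inword.exe - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
"""

def parse_line(line):
    """Return a dict of fields, or None for directives and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def scripted_exe_downloads(log_text):
    """Group successful .exe GETs by (client IP, User-Agent) for scripted clients."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "GET" and rec["status"] == "200"
                and rec["uri_stem"].lower().endswith(".exe")
                and SCRIPTED_UA.match(rec["user_agent"])):
            hits[(rec["c_ip"], rec["user_agent"])].append(
                f'{rec["date"]} {rec["time"]}')
    return dict(hits)

if __name__ == "__main__":
    for (ip, ua), times in scripted_exe_downloads(SAMPLE_LOG).items():
        print(f"{ip}  {ua}  {len(times)} download(s): {', '.join(times)}")
```

A User-Agent is set by the client, so a match only shows what the client claimed to be; a scanner that sends a browser string will not appear in this output.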