File name: 1.ps1

Full analysis: https://app.any.run/tasks/edd28ebd-5b13-4b75-992a-a46c861e603b
Verdict: Malicious activity
Analysis date: May 31, 2025, 17:43:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, arch-exec, arch-doc, python
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5: AA00661AB05EDDCB50573492E722F1C8
SHA1: 1D348C943ABCA0A5EA4A750EE9A70EE0C6E2E9A8
SHA256: AEAD3F1B89CAB3F3E26227A62FCA48B810F88DECF668D212A029B5B19088FA15
SSDEEP: 48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5Qv/2W/LOtXLrN6:nNG90Udb1BgERyuK22m+15QmyOtXKY1k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7316)
  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • powershell.exe (PID: 7316)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 7316)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 7316)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7316)
    • Starts CMD.EXE for commands execution

      • python.exe (PID: 5056)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)
    • Loads Python modules

      • python.exe (PID: 5056)
    • Process drops python dynamic module

      • powershell.exe (PID: 7316)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)
      • rundll32.exe (PID: 7260)
    • Manual execution by a user

      • pythonw.exe (PID: 7656)
      • notepad.exe (PID: 4016)
      • notepad.exe (PID: 4200)
      • cmd.exe (PID: 5376)
      • notepad.exe (PID: 3868)
      • OpenWith.exe (PID: 1600)
      • notepad.exe (PID: 2796)
      • OpenWith.exe (PID: 1472)
      • notepad.exe (PID: 2124)
      • OpenWith.exe (PID: 2108)
      • notepad.exe (PID: 6372)
      • notepad.exe (PID: 7696)
      • notepad.exe (PID: 2136)
      • notepad.exe (PID: 2408)
      • notepad.exe (PID: 3804)
      • notepad.exe (PID: 7336)
      • notepad.exe (PID: 5172)
      • notepad.exe (PID: 132)
      • OpenWith.exe (PID: 4608)
      • OpenWith.exe (PID: 7972)
      • python.exe (PID: 6840)
      • WinRAR.exe (PID: 1056)
      • rundll32.exe (PID: 7260)
    • Python executable

      • python.exe (PID: 6840)
      • pythonw.exe (PID: 7656)
      • python.exe (PID: 5056)
    • Disables trace logs

      • powershell.exe (PID: 7316)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 7260)
      • notepad.exe (PID: 4200)
      • notepad.exe (PID: 4016)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7316)
    • The sample compiled with english language support

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)
    • Reads the software policy settings

      • rundll32.exe (PID: 7260)
      • python.exe (PID: 5056)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7316)
    • Checks supported languages

      • python.exe (PID: 5056)
    • Create files in a temporary directory

      • python.exe (PID: 5056)
    • Checks operating system version

      • python.exe (PID: 5056)
    • Reads the computer name

      • python.exe (PID: 5056)
    • Reads the machine GUID from the registry

      • python.exe (PID: 5056)
    • Creates files or folders in the user directory

      • python.exe (PID: 5056)
      • rundll32.exe (PID: 7260)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 5056)
No Malware configuration.
No data.
Total processes: 153
Monitored processes: 32
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start: powershell.exe, conhost.exe (no specs), svchost.exe, pythonw.exe (no specs), python.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), winrar.exe (no specs), rundll32.exe, rundll32.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), python.exe, cmd.exe (no specs), slui.exe, openwith.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), openwith.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 132
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1056
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\python311.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1472
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\RECORD
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1600
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\command_template
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2108
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\METADATA
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2124
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LICENSE.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2136
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2236
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2408
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\entry_points.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 22 696
Read events: 22 688
Write events: 8
Delete events: 0

Modification events

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\python311.zip

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1056) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Executable files: 44
Suspicious files: 989
Text files: 943
Unknown types: 0

Dropped files

PID: 7260
Process: rundll32.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 6B35F9719C80E0571223D5BCD0B9F2BD
SHA256: 366415E535BB5CB0C85FD271C6F937229D92DC8A456C5781C72F0BB46D56A66B

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\478K0BTQAIY2F4BVNN4T.temp
Type: binary
MD5: 1E86299A26DE7DE40199CB3BEE28CC58
SHA256: 660117DE4A26ADCECC4228B8CA93F01EC398661FC4C9CAA65B1E825E51CB963F

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 1E86299A26DE7DE40199CB3BEE28CC58
SHA256: 660117DE4A26ADCECC4228B8CA93F01EC398661FC4C9CAA65B1E825E51CB963F

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5epetewt.wk0.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF120e60.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 7316
Process: powershell.exe
Filename: C:\Temp\PortablePython\pyexpat.pyd
Type: executable
MD5: D7ECC2746314FEC5CA46B64C964EA93E
SHA256: 58B95F03A2D7EC49F5260E3E874D2B9FB76E95ECC80537E27ABEF0C74D03CB00

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vvavov0y.o1x.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7316
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\python-embed.zip
Type: compressed
MD5: 9199879FBAD4884ED93DDF77E8764920
SHA256: 6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290

PID: 7260
Process: rundll32.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 33D2D137026DB71567E1F19E0DB7C7A9
SHA256: 1902265C22DFCEE941C2A9DE71785D06DACC68606828411F8ABA6227DDD993D4

PID: 7260
Process: rundll32.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_26B14BC5FFF8CCADF0E4994815CF2509
Type: binary
MD5: 4032035908341951C534A9EA4453C0B1
SHA256: 759DEF7F88344DF15BE80E9D28108F36A8AA21B60B17E16C0D043D5A1BD0C615

HTTP(S) requests: 35
TCP/UDP connections: 42
DNS requests: 20
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2800 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2800 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 151.101.128.223:443 | https://www.python.org/ftp/python/3.11.8/python-3.11.8-embed-amd64.zip | unknown | compressed | 10.6 Mb | whitelisted
7260 | rundll32.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
7316 | powershell.exe | GET | 200 | 34.160.111.145:80 | http://ifconfig.me/ip | unknown | - | - | shared
7260 | rundll32.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 151.101.0.223:443 | https://pypi.org/simple/pip/ | unknown | binary | 136 Kb | whitelisted
- | - | GET | 200 | 151.101.192.175:443 | https://bootstrap.pypa.io/get-pip.py | unknown | text | 2.17 Mb | whitelisted
- | - | GET | 200 | 151.101.128.223:443 | https://files.pythonhosted.org/packages/29/a2/d40fb2460e883eca5199c62cfc2463fd261f760556ae6290f88488c362c0/pip-25.1.1-py3-none-any.whl.metadata | unknown | text | 3.56 Kb | whitelisted
- | - | GET | 200 | 151.101.0.223:443 | https://pypi.org/simple/setuptools/ | unknown | binary | 747 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2800 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2800 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
2800 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
7316 | powershell.exe | 34.160.111.145:80 | ifconfig.me | GOOGLE | US | shared
7316 | powershell.exe | 151.101.0.223:443 | www.python.org | FASTLY | US | whitelisted
7260 | rundll32.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7316 | powershell.exe | 151.101.128.175:443 | bootstrap.pypa.io | FASTLY | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 23.219.150.101 | whitelisted
ifconfig.me | 34.160.111.145 | shared
www.python.org | 151.101.0.223, 151.101.64.223, 151.101.128.223, 151.101.192.223 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
bootstrap.pypa.io | 151.101.128.175, 151.101.0.175, 151.101.64.175, 151.101.192.175 | whitelisted
pypi.org | 151.101.128.223, 151.101.64.223, 151.101.0.223, 151.101.192.223 | whitelisted
files.pythonhosted.org | 151.101.0.223, 151.101.64.223, 151.101.128.223, 151.101.192.223 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
7316 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7316 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7316 | powershell.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2196 | svchost.exe | Misc activity | ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
5056 | python.exe | Misc activity | ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
No debug info