| File name: | pytan.exe |
| Full analysis: | https://app.any.run/tasks/75ffe49d-dfc8-4d3b-9e12-968cf84ab62b |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | July 07, 2025, 06:25:39 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | E518874A5B352B480B6109D7456EF64E |
| SHA1: | 203D2D3A0707E4C02A707E882A7CDDC4C70ABEA1 |
| SHA256: | C7F49ADB16DBB9BF1524D5BB2E35A6725BFD9590AEA899D9C1F0647E899C3980 |
| SSDEEP: | 98304:uC3CpABkPu8M4HhwIsRjKOVWjtKxgADpNm9XLDbenkuA83wpYp2twybfnAPailmb:7GroULYCZ3pIwfI49M |
MALICIOUS
Scans artifacts that could help determine the target
- IntegratedOffice.exe (PID: 18196)
- IntegratedOffice.exe (PID: 21536)
- OfficeC2RClient.exe (PID: 21024)
- OfficeC2RClient.exe (PID: 25496)
- OfficeClickToRun.exe (PID: 38268)
- IntegratedOffice.exe (PID: 38276)
Antivirus name has been found in the command line (generic signature)
- MsMpEng.exe (PID: 46376)
- sfc.exe (PID: 65080)
- systemreset.exe (PID: 64528)
- reset.exe (PID: 64744)
- WSReset.exe (PID: 62772)
RANSOMWARE has been detected
- wmpshare.exe (PID: 49512)
- wmpshare.exe (PID: 52404)
Registers / Runs the DLL via REGSVR32.EXE
- pytan.exe (PID: 5060)
Actions looks like stealing of personal data
- SenseTVM.exe (PID: 46496)
Execute application with conhost.exe as parent process
- cmd.exe (PID: 59968)
SUSPICIOUS
Executable content was dropped or overwritten
- pytan.exe (PID: 6732)
- uninstall.exe (PID: 25304)
- Un_A.exe (PID: 33368)
- helper.exe (PID: 38428)
Process drops legitimate windows executable
- pytan.exe (PID: 6732)
Application launched itself
- pytan.exe (PID: 6732)
- AcroCEF.exe (PID: 7356)
- Acrobat.exe (PID: 17492)
- setup.exe (PID: 30048)
- msedgewebview2.exe (PID: 51864)
- msedge.exe (PID: 52140)
- msedgewebview2.exe (PID: 52152)
- msedge.exe (PID: 51856)
- msedge.exe (PID: 55236)
- msedge.exe (PID: 21832)
- setup.exe (PID: 52004)
- setup.exe (PID: 6296)
- identity_helper.exe (PID: 52540)
- GoogleUpdate.exe (PID: 51224)
- updater.exe (PID: 51212)
Process drops python dynamic module
- pytan.exe (PID: 6732)
Loads Python modules
- pytan.exe (PID: 5060)
The process drops C-runtime libraries
- pytan.exe (PID: 6732)
Starts CMD.EXE for commands execution
- pytan.exe (PID: 5060)
- conhost.exe (PID: 60772)
There is functionality for taking screenshot (YARA)
- pytan.exe (PID: 6732)
- pytan.exe (PID: 5060)
Reads security settings of Internet Explorer
- IntegratedOffice.exe (PID: 18196)
- OfficeC2RClient.exe (PID: 19708)
- culauncher.exe (PID: 25128)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 25496)
- OfficeC2RClient.exe (PID: 21024)
- OfficeC2RClient.exe (PID: 21828)
- IntegratedOffice.exe (PID: 38276)
- OfficeClickToRun.exe (PID: 38268)
- msoadfsb.exe (PID: 36384)
- OLicenseHeartbeat.exe (PID: 37420)
- Microsoft.Mashup.Container.exe (PID: 36896)
- SDXHelper.exe (PID: 36716)
- protocolhandler.exe (PID: 36704)
- wmpshare.exe (PID: 49512)
- wmplayer.exe (PID: 49156)
- wmpshare.exe (PID: 52404)
Possible usage of Discord/Telegram API has been detected (YARA)
- pytan.exe (PID: 5060)
Searches for installed software
- OfficeC2RClient.exe (PID: 21024)
- SenseTVM.exe (PID: 46496)
Starts itself from another location
- uninstall.exe (PID: 25304)
- javaws.exe (PID: 38864)
- javaws.exe (PID: 50856)
Executes application which crashes
- chrome_pwa_launcher.exe (PID: 27884)
- default-browser-agent.exe (PID: 38328)
- GUP.exe (PID: 38624)
Detected use of alternative data streams (AltDS)
- ONENOTE.EXE (PID: 36588)
Checks for Java to be installed
- ssvagent.exe (PID: 34712)
- javaws.exe (PID: 50856)
- javaws.exe (PID: 38864)
- javaw.exe (PID: 50940)
- javaw.exe (PID: 50828)
- jusched.exe (PID: 51104)
Loads DLL from Mozilla Firefox
- private_browsing.exe (PID: 38396)
- default-browser-agent.exe (PID: 38328)
- plugin-container.exe (PID: 38404)
- crashreporter.exe (PID: 38316)
Reads Mozilla Firefox installation path
- ssvagent.exe (PID: 34712)
Creates/Modifies COM task schedule object
- ssvagent.exe (PID: 34712)
The process creates files with name similar to system file names
- helper.exe (PID: 38428)
Malware-specific behavior (creating "System.dll" in Temp)
- helper.exe (PID: 38428)
Reads the date of Windows installation
- CCleaner64.exe (PID: 18208)
- CCleaner64.exe (PID: 24776)
- wmplayer.exe (PID: 49156)
Uses ATTRIB.EXE to modify file attributes
- pytan.exe (PID: 5060)
Uses ICACLS.EXE to modify access control lists
- pytan.exe (PID: 5060)
Searches and executes a command on selected files
- forfiles.exe (PID: 61580)
Using 'findstr.exe' to search for text patterns in files and output
- pytan.exe (PID: 5060)
Uses DRIVERQUERY.EXE to obtain a list of installed device drivers
- pytan.exe (PID: 5060)
Process uses IPCONFIG to get network configuration information
- pytan.exe (PID: 5060)
Uses NLTEST.EXE to test domain trust
- pytan.exe (PID: 5060)
Uses NSLOOKUP.EXE to check DNS info
- pytan.exe (PID: 5060)
Uses QWINSTA.EXE to read information about user sessions on remote desktops
- pytan.exe (PID: 5060)
Suspicious use of NETSH.EXE
- pytan.exe (PID: 5060)
The system shut down or reboot
- pytan.exe (PID: 5060)
Starts SC.EXE for service management
- pytan.exe (PID: 5060)
Start notepad (likely ransomware note)
- pytan.exe (PID: 5060)
Uses powercfg.exe to modify the power settings
- pytan.exe (PID: 5060)
Get information on the list of running processes
- pytan.exe (PID: 5060)
Starts another process probably with elevated privileges via RUNAS.EXE
- runas.exe (PID: 65064)
Uses ROUTE.EXE to obtain the routing table information
- pytan.exe (PID: 5060)
Uses SYSTEMINFO.EXE to read the environment
- pytan.exe (PID: 5060)
Uses TIMEOUT.EXE to delay execution
- pytan.exe (PID: 5060)
Windows service management via SC.EXE
- sc.exe (PID: 64728)
Uses QUSER.EXE to read information about current user sessions
- pytan.exe (PID: 5060)
Query current time using 'w32tm.exe'
- pytan.exe (PID: 5060)
Uses TASKKILL.EXE to kill process
- pytan.exe (PID: 5060)
Identifying current user with WHOAMI command
- pytan.exe (PID: 5060)
Uses WEVTUTIL.EXE to event management in Windows
- pytan.exe (PID: 5060)
Process copies executable file
- pytan.exe (PID: 5060)
Uses WMIC.EXE
- pytan.exe (PID: 5060)
Starts POWERSHELL.EXE for commands execution
- pytan.exe (PID: 5060)
INFO
Checks supported languages
- pytan.exe (PID: 6732)
- pytan.exe (PID: 5060)
- MavInject32.exe (PID: 19712)
- AcroCEF.exe (PID: 19024)
- appvcleaner.exe (PID: 16544)
- AcroCEF.exe (PID: 19100)
- AppVShNotify.exe (PID: 8068)
- OfficeC2RClient.exe (PID: 19708)
- IntegratedOffice.exe (PID: 18196)
- AcroCEF.exe (PID: 19064)
- CCleanerReactivator.exe (PID: 19048)
- OfficeClickToRun.exe (PID: 18204)
- AcroCEF.exe (PID: 7356)
- Acrobat.exe (PID: 21460)
- IntegratedOffice.exe (PID: 21536)
- CCleaner.exe (PID: 18232)
- mip.exe (PID: 22188)
- CCleaner64.exe (PID: 18208)
- OfficeC2RClient.exe (PID: 21024)
- ShapeCollector.exe (PID: 24080)
- OfficeClickToRun.exe (PID: 22232)
- msinfo32.exe (PID: 24288)
- LICLUA.EXE (PID: 24340)
- VSTOInstaller.exe (PID: 23952)
- culauncher.exe (PID: 25128)
- CRLogTransport.exe (PID: 7300)
- CCleaner64.exe (PID: 24776)
- OfficeC2RClient.exe (PID: 25496)
- OfficeC2RClient.exe (PID: 21828)
- filezilla.exe (PID: 25296)
- InputPersonalization.exe (PID: 23348)
- chrome_pwa_launcher.exe (PID: 27884)
- chrome_proxy.exe (PID: 27716)
- elevated_tracing_service.exe (PID: 28200)
- notification_helper.exe (PID: 26536)
- uninstall.exe (PID: 25304)
- os_update_handler.exe (PID: 28860)
- ExtExport.exe (PID: 21168)
- ielowutil.exe (PID: 4552)
- javaw.exe (PID: 31200)
- javacpl.exe (PID: 31272)
- setup.exe (PID: 30048)
- javaws.exe (PID: 9280)
- elevation_service.exe (PID: 28192)
- ieinstal.exe (PID: 25104)
- jp2launcher.exe (PID: 32728)
- ShapeCollector.exe (PID: 32940)
- javaw.exe (PID: 34492)
- ssvagent.exe (PID: 34712)
- Un_A.exe (PID: 33368)
- PerfBoost.exe (PID: 36640)
- CNFNOT32.EXE (PID: 36308)
- IEContentService.exe (PID: 36348)
- ONENOTEM.EXE (PID: 36600)
- msoasb.exe (PID: 36396)
- setup.exe (PID: 37648)
- DW20.EXE (PID: 37268)
- PDFREFLOW.EXE (PID: 36668)
- Microsoft.Mashup.Container.NetFX40.exe (PID: 36916)
- Microsoft.Mashup.Container.NetFX45.exe (PID: 36924)
- aimgr.exe (PID: 38008)
- Wordconv.exe (PID: 36780)
- MSOXMLED.EXE (PID: 37428)
- AppSharingHookController.exe (PID: 38056)
- MSOHTMED.EXE (PID: 36420)
- SCANPST.EXE (PID: 36660)
- operfmon.exe (PID: 37472)
- AppVLP.exe (PID: 36080)
- GRAPH.EXE (PID: 36328)
- msoadfsb.exe (PID: 36384)
- MSOSREC.EXE (PID: 36428)
- ORGCHART.EXE (PID: 36652)
- officeappguardwin32.exe (PID: 36504)
- aimgr.exe (PID: 37316)
- MSQRY32.EXE (PID: 36452)
- VPREVIEW.EXE (PID: 36748)
- OfficeScrSanBroker.exe (PID: 36552)
- SELFCERT.EXE (PID: 36732)
- OfficeClickToRun.exe (PID: 38268)
- GUP.exe (PID: 38624)
- OSE.EXE (PID: 37796)
- OLCFG.EXE (PID: 36576)
- private_browsing.exe (PID: 38396)
- IntegratedOffice.exe (PID: 38276)
- NAMECONTROLSERVER.EXE (PID: 36496)
- MSOHTMED.EXE (PID: 38064)
- SETLANG.EXE (PID: 36756)
- updater.exe (PID: 38412)
- SKYPESERVER.EXE (PID: 37256)
- plugin-container.exe (PID: 38404)
- default-browser-agent.exe (PID: 38328)
- MSPUB.EXE (PID: 36440)
- SDXHelper.exe (PID: 36716)
- helper.exe (PID: 38428)
- AcroCEF.exe (PID: 30924)
- crashreporter.exe (PID: 38316)
- protocolhandler.exe (PID: 36704)
- Microsoft.Mashup.Container.exe (PID: 36896)
- OLicenseHeartbeat.exe (PID: 37420)
- disktoast.exe (PID: 41928)
- OfficeC2RClient.exe (PID: 41568)
- OfficeClickToRun.exe (PID: 37872)
- RUXIMIH.exe (PID: 39060)
- vlc.exe (PID: 45796)
- MsMpEng.exe (PID: 46376)
- SenseAadAuthenticator.exe (PID: 34808)
- SenseSampleUploader.exe (PID: 46424)
- SenseTVM.exe (PID: 46496)
- SenseIR.exe (PID: 46836)
- SenseNdr.exe (PID: 44812)
- SenseImdsCollector.exe (PID: 46472)
- wab.exe (PID: 48564)
- PCHealthCheck.exe (PID: 38764)
- wmpnscfg.exe (PID: 49180)
- wabmig.exe (PID: 49024)
- wmlaunch.exe (PID: 39040)
- wmpshare.exe (PID: 49512)
- wmprph.exe (PID: 49172)
- wmplayer.exe (PID: 49156)
- SenseCE.exe (PID: 48188)
- ImagingDevices.exe (PID: 47720)
- setup_wm.exe (PID: 44860)
- notification_click_helper.exe (PID: 51916)
- notification_helper.exe (PID: 52188)
- ie_to_edge_stub.exe (PID: 51088)
- elevation_service.exe (PID: 52116)
- msedge.exe (PID: 52140)
- setup.exe (PID: 6296)
- msedgewebview2.exe (PID: 51864)
- pwahelper.exe (PID: 51952)
- javaws.exe (PID: 50856)
- wabmig.exe (PID: 52352)
- pipanel.exe (PID: 51120)
- msinfo32.exe (PID: 51176)
- ExtExport.exe (PID: 51256)
- GoogleUpdate.exe (PID: 51224)
- updater.exe (PID: 51212)
- cookie_exporter.exe (PID: 52092)
- ielowutil.exe (PID: 51408)
- jucheck.exe (PID: 51112)
- msedgewebview2.exe (PID: 52152)
- wmpshare.exe (PID: 52404)
- javaw.exe (PID: 50940)
- msedge.exe (PID: 51856)
- jusched.exe (PID: 51104)
- wab.exe (PID: 52332)
- pwahelper.exe (PID: 51664)
- cookie_exporter.exe (PID: 51720)
- elevated_tracing_service.exe (PID: 52104)
- msedge_proxy.exe (PID: 52164)
- wmlaunch.exe (PID: 52388)
- ImagingDevices.exe (PID: 52448)
- setup.exe (PID: 52004)
- elevation_service.exe (PID: 51792)
- msedge_pwa_launcher.exe (PID: 52176)
- setup_wm.exe (PID: 52368)
- javaw.exe (PID: 50828)
- msedge_proxy.exe (PID: 51876)
- ieinstal.exe (PID: 51316)
- wordpad.exe (PID: 52440)
- pwahelper.exe (PID: 52200)
- elevated_tracing_service.exe (PID: 51772)
- wmprph.exe (PID: 52420)
- msedgewebview2.exe (PID: 54296)
- msedge_pwa_launcher.exe (PID: 51884)
- msedge.exe (PID: 54304)
- wmplayer.exe (PID: 52412)
- msedge.exe (PID: 55236)
- msedgewebview2.exe (PID: 55040)
- identity_helper.exe (PID: 52128)
- javaws.exe (PID: 38864)
- msedge_proxy.exe (PID: 51644)
- msedge.exe (PID: 55772)
- msedge.exe (PID: 21832)
- msedge.exe (PID: 55708)
- msedge.exe (PID: 55720)
- notification_helper.exe (PID: 52700)
- identity_helper.exe (PID: 52540)
- agentactivationruntimestarter.exe (PID: 55928)
- MicrosoftEdge_X64_133.0.3065.92.exe (PID: 52260)
- SDXHelper.exe (PID: 61292)
- setup.exe (PID: 59588)
- AcroCEF.exe (PID: 59540)
- javaws.exe (PID: 59576)
- javaws.exe (PID: 60656)
- setup.exe (PID: 60236)
- CPLUtl64.exe (PID: 59068)
- deploymentcsphelper.exe (PID: 61160)
Reads the computer name
- pytan.exe (PID: 6732)
- AppVShNotify.exe (PID: 8068)
- pytan.exe (PID: 5060)
- OfficeC2RClient.exe (PID: 19708)
- InputPersonalization.exe (PID: 23348)
- CCleaner.exe (PID: 18232)
- AppVShNotify.exe (PID: 21372)
- AcroCEF.exe (PID: 19100)
- IntegratedOffice.exe (PID: 18196)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- CCleaner64.exe (PID: 18208)
- CCleaner64.exe (PID: 24776)
- OfficeC2RClient.exe (PID: 21828)
- LICLUA.EXE (PID: 24340)
- elevated_tracing_service.exe (PID: 28200)
- msinfo32.exe (PID: 24288)
- OfficeC2RClient.exe (PID: 21024)
- culauncher.exe (PID: 25128)
- ShapeCollector.exe (PID: 24080)
- OfficeC2RClient.exe (PID: 25496)
- elevation_service.exe (PID: 28192)
- VSTOInstaller.exe (PID: 23952)
- Acrobat.exe (PID: 21460)
- mip.exe (PID: 22188)
- setup.exe (PID: 30048)
- OSE.EXE (PID: 37796)
- PerfBoost.exe (PID: 36640)
- ONENOTEM.EXE (PID: 36600)
- Wordconv.exe (PID: 36780)
- MSOXMLED.EXE (PID: 37428)
- AppVLP.exe (PID: 36080)
- IEContentService.exe (PID: 36348)
- CNFNOT32.EXE (PID: 36308)
- msoadfsb.exe (PID: 36384)
- MSQRY32.EXE (PID: 36452)
- NAMECONTROLSERVER.EXE (PID: 36496)
- ShapeCollector.exe (PID: 32940)
- SCANPST.EXE (PID: 36660)
- ORGCHART.EXE (PID: 36652)
- MSOHTMED.EXE (PID: 36420)
- MSPUB.EXE (PID: 36440)
- PDFREFLOW.EXE (PID: 36668)
- MSOSREC.EXE (PID: 36428)
- IntegratedOffice.exe (PID: 38276)
- officeappguardwin32.exe (PID: 36504)
- SDXHelper.exe (PID: 36716)
- OLicenseHeartbeat.exe (PID: 37420)
- javaw.exe (PID: 34492)
- AppSharingHookController.exe (PID: 38056)
- OLCFG.EXE (PID: 36576)
- protocolhandler.exe (PID: 36704)
- OfficeClickToRun.exe (PID: 38268)
- SELFCERT.EXE (PID: 36732)
- GRAPH.EXE (PID: 36328)
- VPREVIEW.EXE (PID: 36748)
- AcroCEF.exe (PID: 30924)
- Un_A.exe (PID: 33368)
- Microsoft.Mashup.Container.exe (PID: 36896)
- msoasb.exe (PID: 36396)
- OfficeClickToRun.exe (PID: 37872)
- OfficeC2RClient.exe (PID: 41568)
- PCHealthCheck.exe (PID: 38764)
- SenseImdsCollector.exe (PID: 46472)
- SKYPESERVER.EXE (PID: 37256)
- wmpnscfg.exe (PID: 49180)
- vlc.exe (PID: 45796)
- SenseIR.exe (PID: 46836)
- helper.exe (PID: 38428)
- wmlaunch.exe (PID: 39040)
- setup_wm.exe (PID: 44860)
- SenseTVM.exe (PID: 46496)
- elevation_service.exe (PID: 52116)
- armsvc.exe (PID: 51004)
- elevated_tracing_service.exe (PID: 52104)
- elevated_tracing_service.exe (PID: 51772)
- setup_wm.exe (PID: 52368)
- wmlaunch.exe (PID: 52388)
- setup.exe (PID: 6296)
- agentactivationruntimestarter.exe (PID: 55928)
- elevation_service.exe (PID: 51792)
- identity_helper.exe (PID: 52128)
- setup.exe (PID: 52004)
- identity_helper.exe (PID: 52540)
- wmpshare.exe (PID: 49512)
- wmprph.exe (PID: 49172)
- GoogleUpdate.exe (PID: 51224)
- wmplayer.exe (PID: 49156)
- updater.exe (PID: 51212)
- wmprph.exe (PID: 52420)
- MicrosoftEdge_X64_133.0.3065.92.exe (PID: 52260)
- SDXHelper.exe (PID: 61292)
Create files in a temporary directory
- pytan.exe (PID: 6732)
- IntegratedOffice.exe (PID: 18196)
- OfficeC2RClient.exe (PID: 19708)
- OfficeClickToRun.exe (PID: 18204)
- OfficeC2RClient.exe (PID: 21024)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- javaw.exe (PID: 31200)
- uninstall.exe (PID: 25304)
- javaw.exe (PID: 34492)
- OfficeC2RClient.exe (PID: 25496)
- OfficeC2RClient.exe (PID: 21828)
- Un_A.exe (PID: 33368)
- IntegratedOffice.exe (PID: 38276)
- OfficeClickToRun.exe (PID: 38268)
- OLicenseHeartbeat.exe (PID: 37420)
- OfficeClickToRun.exe (PID: 37872)
- MSPUB.EXE (PID: 36440)
- helper.exe (PID: 38428)
- GRAPH.EXE (PID: 36328)
- MSOSREC.EXE (PID: 36428)
- protocolhandler.exe (PID: 36704)
- SCANPST.EXE (PID: 36660)
- SETLANG.EXE (PID: 36756)
- OLCFG.EXE (PID: 36576)
- SDXHelper.exe (PID: 36716)
- javaw.exe (PID: 50940)
- javaw.exe (PID: 50828)
- msdt.exe (PID: 12856)
- unregmp2.exe (PID: 15508)
- jucheck.exe (PID: 51112)
The sample compiled with english language support
- pytan.exe (PID: 6732)
- uninstall.exe (PID: 25304)
Reads the machine GUID from the registry
- pytan.exe (PID: 5060)
- appvcleaner.exe (PID: 16544)
- culauncher.exe (PID: 25128)
- IntegratedOffice.exe (PID: 18196)
- VSTOInstaller.exe (PID: 23952)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 21828)
- Microsoft.Mashup.Container.NetFX45.exe (PID: 36924)
- Microsoft.Mashup.Container.NetFX40.exe (PID: 36916)
- msoadfsb.exe (PID: 36384)
- IntegratedOffice.exe (PID: 38276)
- OfficeClickToRun.exe (PID: 38268)
- helper.exe (PID: 38428)
- Microsoft.Mashup.Container.exe (PID: 36896)
- OLicenseHeartbeat.exe (PID: 37420)
- SDXHelper.exe (PID: 36716)
- protocolhandler.exe (PID: 36704)
Checks proxy server information
- pytan.exe (PID: 5060)
- AcroCEF.exe (PID: 7356)
- OfficeC2RClient.exe (PID: 19708)
- IntegratedOffice.exe (PID: 18196)
- OfficeClickToRun.exe (PID: 18204)
- OfficeClickToRun.exe (PID: 22232)
- IntegratedOffice.exe (PID: 21536)
- OfficeC2RClient.exe (PID: 25496)
- OfficeC2RClient.exe (PID: 21828)
- OfficeC2RClient.exe (PID: 21024)
- IntegratedOffice.exe (PID: 38276)
- OfficeClickToRun.exe (PID: 38268)
- Microsoft.Mashup.Container.exe (PID: 36896)
- OfficeClickToRun.exe (PID: 37872)
- msoadfsb.exe (PID: 36384)
- OLicenseHeartbeat.exe (PID: 37420)
- SDXHelper.exe (PID: 36716)
- protocolhandler.exe (PID: 36704)
- AppHostRegistrationVerifier.exe (PID: 57388)
- DeviceCensus.exe (PID: 61188)
Application launched itself
- Acrobat.exe (PID: 7256)
- chrome.exe (PID: 27224)
- chrmstp.exe (PID: 29208)
- chrome.exe (PID: 30528)
- firefox.exe (PID: 38340)
- firefox.exe (PID: 40916)
- chrome.exe (PID: 43032)
- chrome.exe (PID: 40980)
- msedge.exe (PID: 51516)
- msedge.exe (PID: 55424)
Creates files or folders in the user directory
- AcroCEF.exe (PID: 7356)
- IntegratedOffice.exe (PID: 18196)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 21828)
- AcroCEF.exe (PID: 19100)
- filezilla.exe (PID: 25296)
- OfficeC2RClient.exe (PID: 21024)
- OfficeClickToRun.exe (PID: 38268)
- msoadfsb.exe (PID: 36384)
- protocolhandler.exe (PID: 36704)
- InputPersonalization.exe (PID: 23348)
- msedge.exe (PID: 54304)
Process checks computer location settings
- IntegratedOffice.exe (PID: 18196)
- AcroCEF.exe (PID: 7356)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 21024)
- OfficeC2RClient.exe (PID: 21828)
- OfficeClickToRun.exe (PID: 38268)
- CCleaner64.exe (PID: 18208)
- CCleaner64.exe (PID: 24776)
- wmplayer.exe (PID: 49156)
Reads Microsoft Office registry keys
- OfficeC2RClient.exe (PID: 19708)
- OfficeClickToRun.exe (PID: 18204)
- IntegratedOffice.exe (PID: 18196)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 21828)
- OfficeC2RClient.exe (PID: 21024)
- OfficeC2RClient.exe (PID: 25496)
- OfficeClickToRun.exe (PID: 38268)
- OLCFG.EXE (PID: 36576)
- IntegratedOffice.exe (PID: 38276)
- Wordconv.exe (PID: 36780)
- MSQRY32.EXE (PID: 36452)
- SELFCERT.EXE (PID: 36732)
- ORGCHART.EXE (PID: 36652)
- IEContentService.exe (PID: 36348)
- officeappguardwin32.exe (PID: 36504)
- MSOHTMED.EXE (PID: 36420)
- PerfBoost.exe (PID: 36640)
- msoadfsb.exe (PID: 36384)
- OLicenseHeartbeat.exe (PID: 37420)
- PDFREFLOW.EXE (PID: 36668)
- SDXHelper.exe (PID: 36716)
- ONENOTEM.EXE (PID: 36600)
- CNFNOT32.EXE (PID: 36308)
- VPREVIEW.EXE (PID: 36748)
- GRAPH.EXE (PID: 36328)
- NAMECONTROLSERVER.EXE (PID: 36496)
- SETLANG.EXE (PID: 36756)
- SCANPST.EXE (PID: 36660)
- MSOSREC.EXE (PID: 36428)
- MSOXMLED.EXE (PID: 37428)
- AppVLP.exe (PID: 36080)
- protocolhandler.exe (PID: 36704)
- OfficeClickToRun.exe (PID: 37872)
- AppSharingHookController.exe (PID: 38056)
- MSPUB.EXE (PID: 36440)
- MSOHTMED.EXE (PID: 38064)
- OfficeC2RClient.exe (PID: 41568)
Reads Environment values
- CCleaner.exe (PID: 18232)
- culauncher.exe (PID: 25128)
- CCleaner64.exe (PID: 18208)
- CCleaner64.exe (PID: 24776)
- IntegratedOffice.exe (PID: 18196)
- IntegratedOffice.exe (PID: 21536)
- OfficeC2RClient.exe (PID: 21024)
- OfficeC2RClient.exe (PID: 25496)
- GRAPH.EXE (PID: 36328)
- MSOSREC.EXE (PID: 36428)
- MSQRY32.EXE (PID: 36452)
- SenseTVM.exe (PID: 46496)
- OfficeClickToRun.exe (PID: 38268)
- IntegratedOffice.exe (PID: 38276)
- SCANPST.EXE (PID: 36660)
- NAMECONTROLSERVER.EXE (PID: 36496)
- OLicenseHeartbeat.exe (PID: 37420)
- OLCFG.EXE (PID: 36576)
- protocolhandler.exe (PID: 36704)
PyInstaller has been detected (YARA)
- pytan.exe (PID: 6732)
- pytan.exe (PID: 5060)
FileZilla executable
- pytan.exe (PID: 5060)
- uninstall.exe (PID: 25304)
Attempting to use instant messaging service
- pytan.exe (PID: 5060)
Reads the software policy settings
- culauncher.exe (PID: 25128)
- IntegratedOffice.exe (PID: 18196)
- IntegratedOffice.exe (PID: 21536)
- OfficeClickToRun.exe (PID: 22232)
- OfficeC2RClient.exe (PID: 21828)
- Microsoft.Mashup.Container.exe (PID: 36896)
- OfficeClickToRun.exe (PID: 38268)
- IntegratedOffice.exe (PID: 38276)
- PCHealthCheck.exe (PID: 38764)
- msoadfsb.exe (PID: 36384)
- OLicenseHeartbeat.exe (PID: 37420)
- SDXHelper.exe (PID: 36716)
- protocolhandler.exe (PID: 36704)
- DeviceCensus.exe (PID: 61188)
Creates files in the program directory
- javaw.exe (PID: 31200)
- MusNotificationUx.exe (PID: 63512)
Reads product name
- SenseTVM.exe (PID: 46496)
- OLicenseHeartbeat.exe (PID: 37420)
- protocolhandler.exe (PID: 36704)
Uses BITSADMIN.EXE
- pytan.exe (PID: 5060)
Execution of CURL command
- pytan.exe (PID: 5060)
Displays MAC addresses of computer network adapters
- getmac.exe (PID: 61820)
Modifies the entries in the local IP routing table
- ROUTE.EXE (PID: 65520)
Manages system restore points
- SrTasks.exe (PID: 15004)
Encodes the UEFI Secure Boot certificates
- SecureBootEncodeUEFI.exe (PID: 2348)
Reads CPU info
- OfficeClickToRun.exe (PID: 38268)
- SDXHelper.exe (PID: 36716)
Reads security settings of Internet Explorer
- AppHostRegistrationVerifier.exe (PID: 57388)
Disables trace logs
- cmmon32.exe (PID: 60580)
- cmstp.exe (PID: 60604)
- cmdl32.exe (PID: 60560)
Reads the time zone
- MusNotificationUx.exe (PID: 63512)
JAVA mutex has been found
- jucheck.exe (PID: 51112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(5060) pytan.exe
Discord-Webhook-Tokens (1)1391665687981854720/o3KTd2SvMkws6gLuC4lVlZo7nvw3fj2yC-36Rn2N7kAXGis2rF8WzysLbCUOv7B4MMvw
Discord-Info-Links
1391665687981854720/o3KTd2SvMkws6gLuC4lVlZo7nvw3fj2yC-36Rn2N7kAXGis2rF8WzysLbCUOv7B4MMvw
Get Webhook Infohttps://discord.com/api/webhooks/1391665687981854720/o3KTd2SvMkws6gLuC4lVlZo7nvw3fj2yC-36Rn2N7kAXGis2rF8WzysLbCUOv7B4MMvw
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:07 06:23:52+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 174592 |
| InitializedDataSize: | 157184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd0d0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
3 370
Monitored processes
2 863
Malicious processes
9
Suspicious processes
12
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 436 | cmd.exe | C:\Windows\System32\cmd.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 536 | C:\Windows\System32\dfrgui.exe | C:\Windows\System32\dfrgui.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Drive Optimizer Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 640 | cmd.exe | C:\Windows\System32\cmd.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 768 | cmd.exe | C:\Windows\System32\cmd.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 856 | C:\Windows\System32\Dism.exe | C:\Windows\System32\Dism.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 864 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 868 | C:\Windows\System32\tscon.exe | C:\Windows\System32\tscon.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Session Connection Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 868 | C:\Windows\System32\xwizard.exe | C:\Windows\System32\xwizard.exe | — | pytan.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extensible Wizards Host Process Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1136 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1156 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
93 559
Read events
92 583
Write events
930
Delete events
46
Modification events
| (PID) Process: | (17492) Acrobat.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934 |
| Operation: | write | Name: | DisplayName |
Value: Adobe Acrobat Reader Protected Mode | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
| (PID) Process: | (18196) IntegratedOffice.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ru-ru |
Value: 2 | |||
Executable files
74
Suspicious files
34
Text files
42
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\_asyncio.pyd | executable | |
MD5:33D0B6DE555DDBBBD5CA229BFA91C329 | SHA256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5 | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\VCRUNTIME140.dll | executable | |
MD5:F34EB034AA4A9735218686590CBA2E8B | SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1 | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\_bz2.pyd | executable | |
MD5:86D1B2A9070CD7D52124126A357FF067 | SHA256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\_cffi_backend.cp310-win_amd64.pyd | executable | |
MD5:2BAAA98B744915339AE6C016B17C3763 | SHA256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:C2F8C03ECCE9941492BFBE4B82F7D2D5 | SHA256:D56CE7B1CD76108AD6C137326EC694A14C99D48C3D7B0ACE8C3FF4D9BCEE3CE8 | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\_ssl.pyd | executable | |
MD5:7910FB2AF40E81BEE211182CFFEC0A06 | SHA256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\_socket.pyd | executable | |
MD5:819166054FEC07EFCD1062F13C2147EE | SHA256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:226A5983AE2CBBF0C1BDA85D65948ABC | SHA256:591358EB4D1531E9563EE0813E4301C552CE364C912CE684D16576EABF195DC3 | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:9F746F4F7D845F063FEA3C37DCEBC27C | SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386 | |||
| 6732 | pytan.exe | C:\Users\admin\AppData\Local\Temp\_MEI67322\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:8F8EB9CB9E78E3A611BC8ACAEC4399CB | SHA256:1BD81DFD19204B44662510D9054852FB77C9F25C1088D647881C9B976CC16818 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
66
DNS requests
34
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | GET | 204 | 13.107.6.156:443 | https://nexusrules.officeapps.live.com/nexus/rules?Application=integratedoffice.exe&Version=16.0.16026.20086&OSEnvironment=10&MsoAppId=37&AudienceName=DCWin8_CC_Production&AudienceGroup=Production&AppVersion=16.0.16026.20086& | unknown | — | — | — |
— | — | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted |
1268 | svchost.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5060 | pytan.exe | 162.159.135.232:443 | discord.com | CLOUDFLARENET | — | whitelisted |
2520 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
login.live.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
5060 | pytan.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
5060 | pytan.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
— | — | Misc activity | ET INFO Observed UA-CPU Header |
Process | Message |
|---|---|
elevated_tracing_service.exe | [0707/062612.643:ERROR:service.cc(225)] Failed to connect to the service control manager: The service process could not connect to the service controller. (0x427)
|
elevation_service.exe | [0707/062613.800:ERROR:service.cc(225)] Failed to connect to the service control manager: The service process could not connect to the service controller. (0x427)
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: error while getting certificate informations
|
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
|
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
|
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
|