General Info

File name

D_Encode.exe

Full analysis
https://app.any.run/tasks/1ee4bf25-c105-4aea-a955-5311817d7c81
Verdict
Malicious activity
Analysis date
7/18/2019, 04:05:17
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer, stealer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386, for MS Windows
MD5
df2c26d399d530a0c90ed03073fe7caf
SHA1
4c8a15cc96376b65163499b0d00d0f788ca617f5
SHA256
c8b3bf6106c408dacdb369845901cc2ceb316ec99bc8544568f442f1649b6961
SSDEEP
196608:0RqScnFUkLqQll8WgNs2It/4vx14egOcqxu1aS:rnFUKqzWgZGW7vczMS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Stealing of credential data
  • D_Encode.exe (PID: 3292)
Loads dropped or rewritten executable
  • D_Encode.exe (PID: 3292)
Application launched itself
  • D_Encode.exe (PID: 3432)
Starts CMD.EXE for commands execution
  • D_Encode.exe (PID: 3292)
Executable content was dropped or overwritten
  • D_Encode.exe (PID: 3292)
  • D_Encode.exe (PID: 3432)
Creates files in the user directory
  • D_Encode.exe (PID: 3292)
Reads the cookies of Google Chrome
  • D_Encode.exe (PID: 3292)
Loads Python modules
  • D_Encode.exe (PID: 3292)
Dropped object may contain Bitcoin addresses
  • D_Encode.exe (PID: 3432)

Static information

TRiD
.exe InstallShield setup (50.1%)
.exe Win64 Executable (generic) (32.2%)
.dll Win32 Dynamic Link Library (generic) (7.6%)
.exe Win32 Executable (generic) (5.2%)
.exe Generic Win/DOS Executable (2.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:09:04 16:42:13+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
128000
InitializedDataSize:
120320
UninitializedDataSize:
null
EntryPoint:
0x779a
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows command line
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
04-Sep-2018 14:42:13
TLS Callbacks:
1 callback(s) detected.
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000108
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
04-Sep-2018 14:42:13
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001F224 0x0001F400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.65269
.rdata 0x00021000 0x0000B0EC 0x0000B200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.10091
.data 0x0002D000 0x0000E680 0x00000A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.94098
.gfids 0x0003C000 0x000000B8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 1.89006
.rsrc 0x0003D000 0x0000FE28 0x00010000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.50467
.reloc 0x0004D000 0x000017B8 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.65088
no 0x00050000 0x00043000 0x00043000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.99796
Resources
0, 1, 2, 3, 4, 5, 6, 7, 101

Imports
    kernel32.dll
    user32.dll
    advapi32.dll
    oleaut32.dll
    ole32.dll
    ntdll.dll
    SHFolder.dll
    shlwapi.dll

Exports

    No exports.

Processes

Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

start -> d_encode.exe -> d_encode.exe -> cmd.exe (no specs)

Process information

PID
3432
CMD
"C:\Users\admin\AppData\Local\Temp\D_Encode.exe"
Path
C:\Users\admin\AppData\Local\Temp\D_Encode.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\d_encode.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll

PID
3292
CMD
"C:\Users\admin\AppData\Local\Temp\D_Encode.exe"
Path
C:\Users\admin\AppData\Local\Temp\D_Encode.exe
Indicators
Parent process
D_Encode.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\d_encode.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei34322\python36.dll
c:\windows\system32\version.dll
c:\users\admin\appdata\local\temp\_mei34322\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-process-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-conio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\_mei34322\_ctypes.pyd
c:\users\admin\appdata\local\temp\_mei34322\_socket.pyd
c:\users\admin\appdata\local\temp\_mei34322\select.pyd
c:\users\admin\appdata\local\temp\_mei34322\_bz2.pyd
c:\users\admin\appdata\local\temp\_mei34322\_lzma.pyd
c:\users\admin\appdata\local\temp\_mei34322\_ssl.pyd
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\users\admin\appdata\local\temp\_mei34322\_hashlib.pyd
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\users\admin\appdata\local\temp\_mei34322\unicodedata.pyd
c:\users\admin\appdata\local\temp\_mei34322\cryptography\hazmat\bindings\_constant_time.cp36-win32.pyd
c:\users\admin\appdata\local\temp\_mei34322\_cffi_backend.cp36-win32.pyd
c:\users\admin\appdata\local\temp\_mei34322\cryptography\hazmat\bindings\_openssl.cp36-win32.pyd
c:\windows\system32\bcrypt.dll
c:\users\admin\appdata\local\temp\_mei34322\multidict\_multidict.cp36-win32.pyd
c:\users\admin\appdata\local\temp\_mei34322\_overlapped.pyd
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\_mei34322\_multiprocessing.pyd
c:\users\admin\appdata\local\temp\_mei34322\_asyncio.pyd
c:\users\admin\appdata\local\temp\_mei34322\win32crypt.pyd
c:\users\admin\appdata\local\temp\_mei34322\pywintypes36.dll
c:\users\admin\appdata\local\temp\_mei34322\_elementtree.pyd
c:\users\admin\appdata\local\temp\_mei34322\pyexpat.pyd
c:\users\admin\appdata\local\temp\_mei34322\_sqlite3.pyd
c:\users\admin\appdata\local\temp\_mei34322\sqlite3.dll
c:\users\admin\appdata\local\temp\_mei34322\win32clipboard.pyd
c:\users\admin\appdata\local\temp\evbc072.tmp
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\apphelp.dll

PID
3756
CMD
C:\Windows\system32\cmd.exe /c cls
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
D_Encode.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
284
Read events
284
Write events
0
Delete events
0

Modification events

No registry activity.

Files activity

Executable files
27
Suspicious files
2
Text files
12
Unknown types
2

Dropped files

PID Process Filename Type MD5 SHA256
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_cffi_backend.cp36-win32.pyd executable MD5: 37870c71b315b371553fc91ee1d84643 SHA256: 4cbc9def520e2faf4699b546fd383254f301357c9abc1340c53c84df619a6b3f
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\win32wnet.pyd executable MD5: 331c339db50c248e4b49139fa27d4f97 SHA256: 11593a9dc05a5466bce5818a59ef289b8bad0bfc628912fd3629996d1c208a8e
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_hashlib.pyd executable MD5: ea2d8f0c9320c1363640bf3a7a9ea21f SHA256: 161f6ec2a08e4955e2c2850539bd61cd18f96a93b2f340ea7b244121fbed9cf6
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\win32clipboard.pyd executable MD5: d5723be61ec74c137d05c3dddadae837 SHA256: 616ec3c58f63ac77a4a8e7868f5b0ae7762a91e4f3e2573a6eb5e09d47d5d134
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_decimal.pyd executable MD5: 2ba5187c121b584a3d6bdac2c6d3fa71 SHA256: b1a7011bf56081cfca8efb9423ad6feb2833d1f24a7e87244d94d40f1ace3b71
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\sqlite3.dll executable MD5: 647ffe50ba324b12c1b955a487e88cb4 SHA256: 372d66efb14d841fc62501203ea19b2fbb64b214c20f15c6c3d9752d2a4bb08c
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\VCRUNTIME140.dll executable MD5: a2523ea6950e248cbdf18c9ea1a844f6 SHA256: 6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\pywintypes36.dll executable MD5: 5a66c1a15e04a1415139243f5a5743cb SHA256: bcc57c05d138985952d425bc41b02133b8ec8e8e90edb6cded8db03de7e1817d
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_ctypes.pyd executable MD5: d0b0aacac633ee2eda0075eb85d43c06 SHA256: a9c70c16cbd27d15b4d76f68f8d7663c27f7b4d89ab1641abe6c4a2ed2227032
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\select.pyd executable MD5: 02aaefa1473499a116ed8ce166881637 SHA256: 733808629fa4903b844ef854cbab30323442cc62d015858f72a2d28253d5a8ab
3292 D_Encode.exe C:\Users\admin\AppData\Local\Temp\evbC072.tmp executable MD5: c2c580faea1ab96d68615d25c9abfa35 SHA256: c66896969d56bf3d282326b734f60082f60c33db204d95b5d878637da128be02
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\win32crypt.pyd executable MD5: c07f8d694a7f25c25f80e04e23f14758 SHA256: 469cccadcd8d7e4a57fe06b53b5b49ad864446991bdd94e6fefdf7fc6e89750a
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\multidict\_multidict.cp36-win32.pyd executable MD5: 06341b093952e067237789429c168d42 SHA256: be8d9e208d7d85b2b8b69cbbc6d928aed28a4f386085c52ac0e6adf9f6b86461
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\unicodedata.pyd executable MD5: 3dab23edfef785febe08bb96688f4634 SHA256: 8e220bc1c4966525ad5616a1a8e28ecd6ad2aa1623a38582d08f4d5fdfc8c8ea
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_elementtree.pyd executable MD5: f2d229ea5c830066b4642b947b27fe61 SHA256: c5cefc7702556ee5542d2116774275c61f20ee2a173b851ee1c7319b4b8d2357
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_ssl.pyd executable MD5: b951c75d9bb2d04fb60867209a76996f SHA256: aaca0e4cc304efa02dce48d9b6561616a48fb8c2e0141fc84f12a035e7f18a2d
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\pyexpat.pyd executable MD5: 23ed0a03a2b8ae756c459caae2859d02 SHA256: 5e94b9c35c4ef0188bdd57fc08afd0f982849f8e100ae8ff9b90844e6f9f0edc
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_lzma.pyd executable MD5: 2b6cf186eba511e0903c9314b865d3b9 SHA256: b1a6d7cb4f88a5eb2c30908836f7eed1f1c8294baaee94e9ab4b8bb47fe0f6dc
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_asyncio.pyd executable MD5: 9e0bf979d96da416ecfd84766b3329b3 SHA256: 55ef976673c85c09ae911bdb1e2d5eaf3012299d5ae3d4f62c6d0daf6aeb9956
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_overlapped.pyd executable MD5: 440cf071b97f040c0352d714ccc0f110 SHA256: eac03ee05572a3a9247dbdaed60b1c3253ed070c7a742d6c6d10d9ed42f80d1c
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography\hazmat\bindings\_openssl.cp36-win32.pyd executable MD5: 09a6a2d3999bb5bd08197ea86e6388b4 SHA256: 9b77b0b0895249bb7dbebc360d64c3c4b616f3553dce187bd26322239eeeb6fd
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_multiprocessing.pyd executable MD5: 7bc556656109dbc68e247482a4a9db2c SHA256: 62f024653eef024149750483cd50fa9365a3818723163b7bacc4e78282c70800
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_sqlite3.pyd executable MD5: 3a6c9c518da65bd0d04e0bd51c9cf5dc SHA256: 74625e8d5db4c25e0886ac8ce60ba665472e8147a19ad37fc34a22a665be8855
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_socket.pyd executable MD5: fb4db1e9eb7c4e3d7f74f1e31d7f2f02 SHA256: 62ea60c77915fb24bdde4afa3b4639ccf4898929a79bec2d1d1b3f7f42e8e095
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\python36.dll executable MD5: 1ac97dbe4a81fc2beb509f8da5a3e8b6 SHA256: 258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography\hazmat\bindings\_constant_time.cp36-win32.pyd executable MD5: 0128ee6c24d1fff6c343185ee51c5568 SHA256: bd5d0970675a7bcd45f32cb22524aec66dd25086d5f0633671d15873316076b9
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\_bz2.pyd executable MD5: f97c69209c208c1dd472c5e0ed760456 SHA256: 9a0b806e6a764d6109da7762f57a92381db329d1b3ec5adbfbd3cf61ef81e3c0
3292 D_Encode.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data2 sqlite MD5: acfe428573bc93a1c2d167fa95961bb0 SHA256: beb40a8a26a3a77b8542de111f274c42b9095c5152322de1ea4e112308441338
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\WHEEL text MD5: fc9db5707f7cfe3cf810dc724ffdeb56 SHA256: 273c0b24928a2af7cce5a6bcba08c7cc265b4cd3d527aa747877ebc6c82b704f
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\base_library.zip compressed MD5: db74eb05948c12efbeaa5b026beb2e16 SHA256: d507b260afda2a8c077b7dbeaf4451e21c5f9cb92ee8c0475a17a022f23e8dd6
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\AUTHORS.rst text MD5: 9c3acb375812b3915d58b89c653fe892 SHA256: 32829394feb23a69cb0bf2976ab1d540fd2c22d064d7576d67b2f3574561341d
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\LICENSE.APACHE text MD5: 4e168cce331e5c827d4c2b68a6200e1b SHA256: aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\certifi\cacert.pem text MD5: dd2dd543395692705f7dda0f5e7750fa SHA256: 397b833e5acf89a2709b964401a9aca68d24b62349b72bbe38684e586aa07a27
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\INSTALLER text MD5: 365c9bfeb7d89244f2ce01c1de44cb85 SHA256: ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\LICENSE text MD5: 097f805837700cfac572ac274cd38124 SHA256: 35452b557fab0efb1e80d7edb9c4e5118b9384082adaa051dde342102cb9de8d
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\d_encode.exe.manifest xml MD5: 3d76ab58b2c179511a3e78cad73485ab SHA256: a6e98850284adeacb08441154c9385e6c4ef0c7704aa263a5c82d1f26c1c1aa9
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\LICENSE.BSD text MD5: 5ae30ba4123bc4f2fa49aa0b0dce887b SHA256: 602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\RECORD text MD5: 60dc14c397de300df1b41b9ae8cd7f6e SHA256: 747828d3370b79e36d3608c9144e518988b50a6445dc81f65acb310e2c0a8783
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\METADATA text MD5: 87a26ba9ec7e6306c4f3b81ad8a192d2 SHA256: 40e5a0421c246a4475268dce58c722848a62d21646b874e3095444e83b8697dd
3432 D_Encode.exe C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography-2.6.1-py3.6.egg-info\top_level.txt text MD5: ddd9b5640a3051bcb8ca132eb1b2fb1b SHA256: 402918404e07241a6a22bf9a06a6ce67bd0d95f6de8ca9c313a3836cd814c308
3292 D_Encode.exe C:\Users\admin\AppData\Local\temp\run.log text MD5: 72b64b840a699fb8aa8323cdb9ab7f71 SHA256: 15a0ab7525236c028614dea3d8165b29155ff83e77642e082251f8dcef420d25
3292 D_Encode.exe C:\Users\admin\AppData\Local\temp\logs.zip compressed MD5: d281667512a3f5c149fe794536fae1dc SHA256: dd15a1338d401482c2214f439c9bd8bbc13afbc287c57ad9e80e0c326666a97f
3292 D_Encode.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies2 sqlite MD5: dd9640af5f03807cf2e3921cba16af0d SHA256: ecf72c454fef08c5948a565464839a554567e499f995483d6c8b54b32ea2c5f0

Network activity

HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
4
Threats
3

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3292 D_Encode.exe 104.20.209.21:443 Cloudflare Inc US shared
3292 D_Encode.exe 54.235.124.112:443 Amazon.com, Inc. US suspicious
3292 D_Encode.exe 162.159.135.233:443 Cloudflare Inc –– unknown
3292 D_Encode.exe 149.154.167.220:443 Telegram Messenger LLP GB malicious

DNS requests

Domain IP Reputation
pastebin.com 104.20.209.21, 104.20.208.21 shared
api.ipify.org 54.235.124.112, 50.19.247.198, 54.243.198.12, 23.21.121.219, 54.204.36.156, 107.22.215.20, 54.243.147.226, 50.16.229.140 shared
discordapp.com 162.159.135.233, 162.159.129.233, 162.159.134.233, 162.159.133.233, 162.159.130.233 whitelisted
api.telegram.org 149.154.167.220 malicious

Threats

PID Process Class Message
3292 D_Encode.exe Misc activity SUSPICIOUS [PTsecurity] ipify.org External IP Check
3292 D_Encode.exe Misc activity SUSPICIOUS [PTsecurity] ipify.org External IP Check

1 ETPRO signature is available in the full report.

Debug output strings

No debug info.