File name: python-3.12.4-amd64.exe

Full analysis: https://app.any.run/tasks/cf2d2852-9d08-4e14-bc0d-2921c96bf163
Verdict: Malicious activity
Analysis date: July 16, 2024, 23:39:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
spam
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F3DF1BE26CC7CBD8252AB5632B62D740
SHA1: 3B1F54802B4CB8C02D1EB78FC79F95F91E8E49E4
SHA256: DA5809DF5CB05200B3A528A186F39B7D6186376CE051B0A393F1DDF67C995258
SSDEEP: 196608:4gsIfchCGRMxZQYerpLO13Ku+r2dph5t50bnpTZQ6NRT7CUpiRc:4G0RMxZQxNO1a0dPb50bnlJRXCTRc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • python-3.12.4-amd64.exe (PID: 3104)
      • python-3.12.4-amd64.exe (PID: 3152)
      • msiexec.exe (PID: 3724)
    • Changes the autorun value in the registry

      • python-3.12.4-amd64.exe (PID: 3104)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • python-3.12.4-amd64.exe (PID: 3152)
      • python-3.12.4-amd64.exe (PID: 3104)
    • Loads Python modules

      • python-3.12.4-amd64.exe (PID: 3104)
    • Searches for installed software

      • python-3.12.4-amd64.exe (PID: 3104)
    • Creates a software uninstall entry

      • python-3.12.4-amd64.exe (PID: 3104)
    • The process drops C-runtime libraries

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Process drops legitimate windows executable

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3724)
    • Process drops python dynamic module

      • msiexec.exe (PID: 3724)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3724)
  • INFO

    • Checks supported languages

      • python-3.12.4-amd64.exe (PID: 3152)
      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Create files in a temporary directory

      • python-3.12.4-amd64.exe (PID: 3104)
      • python-3.12.4-amd64.exe (PID: 3152)
    • Reads the computer name

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Creates files or folders in the user directory

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Reads the machine GUID from the registry

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3724)
    • Reads the software policy settings

      • msiexec.exe (PID: 3724)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:22 15:58:18+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 239104
UninitializedDataSize: -
EntryPoint: 0x2e082
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.12.4150.0
ProductVersionNumber: 3.12.4150.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Python Software Foundation
FileDescription: Python 3.12.4 (64-bit)
FileVersion: 3.12.4150.0
InternalName: setup
LegalCopyright: Copyright (c) Python Software Foundation. All rights reserved.
OriginalFileName: python-3.12.4-amd64.exe
ProductName: Python 3.12.4 (64-bit)
ProductVersion: 3.12.4150.0
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (image available in the full report): start, python-3.12.4-amd64.exe, python-3.12.4-amd64.exe, msiexec.exe

Process information

PID: 3104
CMD: "C:\Users\admin\AppData\Local\Temp\{B9158195-77AE-43C9-ABE1-A02C40469E9D}\.cr\python-3.12.4-amd64.exe" -burn.clean.room="C:\Users\admin\Desktop\python-3.12.4-amd64.exe" -burn.filehandle.attached=736 -burn.filehandle.self=588
Path: C:\Users\admin\AppData\Local\Temp\{B9158195-77AE-43C9-ABE1-A02C40469E9D}\.cr\python-3.12.4-amd64.exe
Parent process: python-3.12.4-amd64.exe
User: admin
Company: Python Software Foundation
Integrity Level: MEDIUM
Description: Python 3.12.4 (64-bit)
Version: 3.12.4150.0
Modules (images loaded):
c:\users\admin\appdata\local\temp\{b9158195-77ae-43c9-abe1-a02c40469e9d}\.cr\python-3.12.4-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3152
CMD: "C:\Users\admin\Desktop\python-3.12.4-amd64.exe"
Path: C:\Users\admin\Desktop\python-3.12.4-amd64.exe
Parent process: explorer.exe
User: admin
Company: Python Software Foundation
Integrity Level: MEDIUM
Description: Python 3.12.4 (64-bit)
Version: 3.12.4150.0
Modules (images loaded):
c:\users\admin\desktop\python-3.12.4-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3724
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images loaded):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 27 360
Read events: 24 199
Write events: 3 116
Delete events: 45

Modification events

All events below were written by (PID) Process: (3104) python-3.12.4-amd64.exe, Operation: write, under Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fb355cb0-c07e-4095-85a7-81c5a2838da6}

Name | Value
BundleCachePath | C:\Users\admin\AppData\Local\Package Cache\{fb355cb0-c07e-4095-85a7-81c5a2838da6}\python-3.12.4-amd64.exe
BundleUpgradeCode | {114AEC44-152B-5746-952F-F20CE3CAB54A}
BundleAddonCode | (empty)
BundleDetectCode | (empty)
BundlePatchCode | (empty)
BundleVersion | 3.12.4150.0
VersionMajor | 3
VersionMinor | 12
BundleProviderKey | CPython-3.12
BundleTag | (no value shown)
Executable files: 73
Suspicious files: 173
Text files: 2 174
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\lib_JustForMe | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\test_JustForMe | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\doc_JustForMe | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\.ba\SideBar.png | image | 888EB713A0095756252058C9727E088A | 79434BD1368F47F08ACF6DB66638531D386BF15166D78D9BFEA4DA164C079067
3152 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Temp\{B9158195-77AE-43C9-ABE1-A02C40469E9D}\.cr\python-3.12.4-amd64.exe | executable | 504FDAEAA19B2055FFC58D23F830E104 | 8F211F3B8AF3A2E6FD4AFF1AC27A1AD9CD9737524E016B2E3BFC689DFDAD95FB
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Package Cache\.unverified\lib_JustForMe | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Package Cache\{62DD7DAF-6279-46FA-A06B-C4A541244045}v3.12.4150.0\lib.msi | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Package Cache\.unverified\test_JustForMe | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Package Cache\{AC669800-A797-444D-A450-A5109BBC74DE}v3.12.4150.0\test.msi | - | - | -
3104 | python-3.12.4-amd64.exe | C:\Users\admin\AppData\Local\Package Cache\.unverified\doc_JustForMe | - | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 32
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1280 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4724 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1280 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4724 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 104.126.37.161:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=reged&setlang=en-US&cc=US&nohs=1&qfm=1&cp=5&cvid=917f2af1fe65416cbd620a4b992edbf0&ig=d9fc350f72484720963919f484813311 | unknown | binary | 4.71 Kb | -
- | - | GET | 200 | 104.126.37.145:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=re&setlang=en-US&cc=US&nohs=1&qfm=1&cp=2&cvid=917f2af1fe65416cbd620a4b992edbf0&ig=886f7dfaf8a943d7ac515843550c84b9 | unknown | binary | 5.08 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4724 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1280 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4752 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1280 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4724 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4724 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1280 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.72 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
crl3.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 2.23.209.182, 2.23.209.140, 2.23.209.133, 2.23.209.149, 2.23.209.187 | whitelisted
self.events.data.microsoft.com | 52.168.117.168 | whitelisted

Threats

No threats detected
No debug info