File name: python-3.12.4-amd64.exe

Full analysis: https://app.any.run/tasks/cf2d2852-9d08-4e14-bc0d-2921c96bf163
Verdict: Malicious activity
Analysis date: July 16, 2024, 23:39:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python, spam
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: F3DF1BE26CC7CBD8252AB5632B62D740
SHA1: 3B1F54802B4CB8C02D1EB78FC79F95F91E8E49E4
SHA256: DA5809DF5CB05200B3A528A186F39B7D6186376CE051B0A393F1DDF67C995258
SSDEEP: 196608:4gsIfchCGRMxZQYerpLO13Ku+r2dph5t50bnpTZQ6NRT7CUpiRc:4G0RMxZQxNO1a0dPb50bnlJRXCTRc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
      • python-3.12.4-amd64.exe (PID: 3152)
    • Changes the autorun value in the registry

      • python-3.12.4-amd64.exe (PID: 3104)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • python-3.12.4-amd64.exe (PID: 3152)
      • python-3.12.4-amd64.exe (PID: 3104)
    • Creates a software uninstall entry

      • python-3.12.4-amd64.exe (PID: 3104)
    • The process drops C-runtime libraries

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Loads Python modules

      • python-3.12.4-amd64.exe (PID: 3104)
    • Searches for installed software

      • python-3.12.4-amd64.exe (PID: 3104)
    • Process drops legitimate windows executable

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3724)
    • Process drops python dynamic module

      • msiexec.exe (PID: 3724)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3724)
  • INFO

    • Checks supported languages

      • python-3.12.4-amd64.exe (PID: 3152)
      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Create files in a temporary directory

      • python-3.12.4-amd64.exe (PID: 3152)
      • python-3.12.4-amd64.exe (PID: 3104)
    • Reads the computer name

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Creates files or folders in the user directory

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Reads the machine GUID from the registry

      • python-3.12.4-amd64.exe (PID: 3104)
      • msiexec.exe (PID: 3724)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3724)
    • Reads the software policy settings

      • msiexec.exe (PID: 3724)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3724)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:22 15:58:18+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 302080
InitializedDataSize: 239104
UninitializedDataSize: -
EntryPoint: 0x2e082
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.12.4150.0
ProductVersionNumber: 3.12.4150.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Python Software Foundation
FileDescription: Python 3.12.4 (64-bit)
FileVersion: 3.12.4150.0
InternalName: setup
LegalCopyright: Copyright (c) Python Software Foundation. All rights reserved.
OriginalFileName: python-3.12.4-amd64.exe
ProductName: Python 3.12.4 (64-bit)
ProductVersion: 3.12.4150.0
Total processes: 125
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, python-3.12.4-amd64.exe, python-3.12.4-amd64.exe, msiexec.exe

Process information

PID: 3104
CMD: "C:\Users\admin\AppData\Local\Temp\{B9158195-77AE-43C9-ABE1-A02C40469E9D}\.cr\python-3.12.4-amd64.exe" -burn.clean.room="C:\Users\admin\Desktop\python-3.12.4-amd64.exe" -burn.filehandle.attached=736 -burn.filehandle.self=588
Path: C:\Users\admin\AppData\Local\Temp\{B9158195-77AE-43C9-ABE1-A02C40469E9D}\.cr\python-3.12.4-amd64.exe
Parent process: python-3.12.4-amd64.exe
User: admin
Company: Python Software Foundation
Integrity Level: MEDIUM
Description: Python 3.12.4 (64-bit)
Version: 3.12.4150.0
Modules (images):
c:\users\admin\appdata\local\temp\{b9158195-77ae-43c9-abe1-a02c40469e9d}\.cr\python-3.12.4-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3152
CMD: "C:\Users\admin\Desktop\python-3.12.4-amd64.exe"
Path: C:\Users\admin\Desktop\python-3.12.4-amd64.exe
Parent process: explorer.exe
User: admin
Company: Python Software Foundation
Integrity Level: MEDIUM
Description: Python 3.12.4 (64-bit)
Version: 3.12.4150.0
Modules (images):
c:\users\admin\desktop\python-3.12.4-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3724
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 27 360
Read events: 24 199
Write events: 3 116
Delete events: 45

Modification events

All entries below were written by (PID 3104) python-3.12.4-amd64.exe under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{fb355cb0-c07e-4095-85a7-81c5a2838da6}:

Operation: write | Name: BundleCachePath | Value: C:\Users\admin\AppData\Local\Package Cache\{fb355cb0-c07e-4095-85a7-81c5a2838da6}\python-3.12.4-amd64.exe
Operation: write | Name: BundleUpgradeCode | Value: {114AEC44-152B-5746-952F-F20CE3CAB54A}
Operation: write | Name: BundleAddonCode | Value: (not listed)
Operation: write | Name: BundleDetectCode | Value: (not listed)
Operation: write | Name: BundlePatchCode | Value: (not listed)
Operation: write | Name: BundleVersion | Value: 3.12.4150.0
Operation: write | Name: VersionMajor | Value: 3
Operation: write | Name: VersionMinor | Value: 12
Operation: write | Name: BundleProviderKey | Value: CPython-3.12
Operation: write | Name: BundleTag | Value: (not listed)

Executable files: 73
Suspicious files: 173
Text files: 2 174
Unknown types: 11

Dropped files

PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\lib_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\test_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\doc_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\.ba\Default.thm | Type: xml | MD5: 4A006BB0FD949404E628D26F833C994B | SHA256: BE2BAED45BCFB013E914E9D5BF6BC7C77A311F6F1723AFBB7EB1FAA7DA497E1B
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Temp\{265DF4CB-19E3-43A7-9E70-5D80FAE63DD6}\.ba\BootstrapperApplicationData.xml | Type: xml | MD5: EFF250110E5B9C5B2AB87D1737CDEA02 | SHA256: 044A06F0F7AAC23839DEA1DE85788ACEC40EC758A45382ED7225192C16B3B2D7
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Package Cache\.unverified\lib_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Package Cache\{62DD7DAF-6279-46FA-A06B-C4A541244045}v3.12.4150.0\lib.msi | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Package Cache\.unverified\test_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Package Cache\{AC669800-A797-444D-A450-A5109BBC74DE}v3.12.4150.0\test.msi | Type: (not listed) | MD5/SHA256: (not listed)
PID 3104 python-3.12.4-amd64.exe | Filename: C:\Users\admin\AppData\Local\Package Cache\.unverified\doc_JustForMe | Type: (not listed) | MD5/SHA256: (not listed)
HTTP(S) requests: 18
TCP/UDP connections: 32
DNS requests: 10
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4724 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
1280 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D | unknown | - | - | whitelisted
3724 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl | unknown | - | - | whitelisted
4724 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1280 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.126.37.145:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=re&setlang=en-US&cc=US&nohs=1&qfm=1&cp=2&cvid=917f2af1fe65416cbd620a4b992edbf0&ig=886f7dfaf8a943d7ac515843550c84b9 | unknown | binary | 5.08 Kb | unknown
- | - | GET | 200 | 104.126.37.161:443 | https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=regedi&setlang=en-US&cc=US&nohs=1&qfm=1&cp=6&cvid=917f2af1fe65416cbd620a4b992edbf0&ig=46856f19730442d7bfc8a588e4a577aa | unknown | binary | 4.00 Kb | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4724 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1280 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4752 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1280 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4724 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4724 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1280 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.72 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
crl3.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 2.23.209.182, 2.23.209.140, 2.23.209.133, 2.23.209.149, 2.23.209.187 | whitelisted
self.events.data.microsoft.com | 52.168.117.168 | whitelisted

Threats

No threats detected
No debug info