Windows Analysis Report
python-3.11.4-amd64.exe

Overview

General Information

Sample name: python-3.11.4-amd64.exe
Analysis ID: 1432014
MD5: e4413bb7448cd13b437dffffba294ca0
SHA1: 59dcc42113cd01346f7498a07c1265a4428b8864
SHA256: 47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F5A096 DecryptFileW, 0_2_00F5A096
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_00F7FE7F
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F59E7B DecryptFileW,DecryptFileW, 0_2_00F59E7B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A2A096 DecryptFileW, 1_2_00A2A096
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A29E7B DecryptFileW,DecryptFileW, 1_2_00A29E7B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 1_2_00A4FE7F
Source: python-3.11.4-amd64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: python-3.11.4-amd64.exe Static PE information: certificate valid
Source: python-3.11.4-amd64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: D:\a\1\s\PCbuild\obj\311win32_Release\msi_pythonba\PythonBA.pdb source: python-3.11.4-amd64.exe, 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp, PythonBA.dll.1.dr
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F8488B FindFirstFileW,FindClose, 0_2_00F8488B
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F59B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00F59B24
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F43D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00F43D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A5488B FindFirstFileW,FindClose, 1_2_00A5488B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A29B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_00A29B24
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A13D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_00A13D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAA599C FindFirstFileW,FindClose, 1_2_6CAA599C
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB4046 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_6CAB4046
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAF5DCD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_6CAF5DCD
Source: python-3.11.4-amd64.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: python-3.11.4-amd64.exe, 00000000.00000002.2911419257.00000000008FB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl3.digic
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Default.wxl.1.dr String found in binary or memory: http://docs.python.org/
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: python-3.11.4-amd64.exe, 00000001.00000003.1662079168.0000000003830000.00000004.00000800.00020000.00000000.sdmp, Default.thm.1.dr String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Default.wxl.1.dr String found in binary or memory: https://discuss.python.org/c/users/7
Source: Default.wxl.1.dr String found in binary or memory: https://docs.python.org/
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1662096169.000000000382F000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2912509644.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Default.wxl.1.dr String found in binary or memory: https://www.python.org/downloads/
Source: BootstrapperApplicationData.xml.1.dr String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msia
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msik_
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msif
Source: python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msit
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msiv
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msif
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msir
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msit
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msia
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiy
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi~
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAA8766: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, 1_2_6CAA8766
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F64085 0_2_00F64085
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6C132 0_2_00F6C132
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F702B6 0_2_00F702B6
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7F2A2 0_2_00F7F2A2
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F4635B 0_2_00F4635B
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F70571 0_2_00F70571
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F726D1 0_2_00F726D1
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7A600 0_2_00F7A600
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6F9D3 0_2_00F6F9D3
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F72905 0_2_00F72905
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7AA98 0_2_00F7AA98
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7DC1E 0_2_00F7DC1E
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6FD45 0_2_00F6FD45
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7DD42 0_2_00F7DD42
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6FFEF 0_2_00F6FFEF
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A34085 1_2_00A34085
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3C132 1_2_00A3C132
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4F2A2 1_2_00A4F2A2
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A402B6 1_2_00A402B6
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A1635B 1_2_00A1635B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A40571 1_2_00A40571
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A426D1 1_2_00A426D1
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4A600 1_2_00A4A600
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3F9D3 1_2_00A3F9D3
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A42905 1_2_00A42905
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4AA98 1_2_00A4AA98
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4DC1E 1_2_00A4DC1E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4DD42 1_2_00A4DD42
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3FD45 1_2_00A3FD45
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3FFEF 1_2_00A3FFEF
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB0ECFE 1_2_6CB0ECFE
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADED3F 1_2_6CADED3F
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE90A 1_2_6CADE90A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE4C2 1_2_6CADE4C2
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE08D 1_2_6CADE08D
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADF733 1_2_6CADF733
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADF230 1_2_6CADF230
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADCFC6 1_2_6CADCFC6
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB00F50 1_2_6CB00F50
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB009F0 1_2_6CB009F0
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADCBA1 1_2_6CADCBA1
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADC78F 1_2_6CADC78F
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAC0184 1_2_6CAC0184
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB00360 1_2_6CB00360
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADDC57 1_2_6CADDC57
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CABDF6E 1_2_6CABDF6E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADD80E 1_2_6CADD80E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB0181A 1_2_6CB0181A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADD3D8 1_2_6CADD3D8
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A1204D appears 54 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 6CA91BEA appears 50 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A50657 appears 684 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 6CA93FE4 appears 166 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 6CA93981 appears 59 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A138F5 appears 502 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A53770 appears 79 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A50B3E appears 34 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 6CAF8F7E appears 41 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: String function: 00F438F5 appears 502 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: String function: 00F80657 appears 684 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: String function: 00F4204D appears 54 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: String function: 00F80B3E appears 34 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: String function: 00F83770 appears 79 times
Source: python-3.11.4-amd64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine Classification label: clean8.winEXE@3/7@0/0
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F420A3 FormatMessageW,GetLastError,LocalFree, 0_2_00F420A3
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F44674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_00F44674
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A14674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 1_2_00A14674
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F834D0 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_00F834D0
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB5DA2 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError, 1_2_6CAB5DA2
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F66A02 ChangeServiceConfigW,GetLastError, 0_2_00F66A02
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe File created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: cabinet.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: msi.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: version.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: wininet.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: comres.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: clbcatq.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: msasn1.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: crypt32.dll 0_2_00F41070
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Command line argument: feclient.dll 0_2_00F41070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: cabinet.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: msi.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: version.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: wininet.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: comres.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: clbcatq.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: msasn1.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: crypt32.dll 1_2_00A11070
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Command line argument: feclient.dll 1_2_00A11070
Source: python-3.11.4-amd64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: python-3.11.4-amd64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe File read: C:\Users\user\Desktop\python-3.11.4-amd64.exe
Source: unknown Process created: C:\Users\user\Desktop\python-3.11.4-amd64.exe "C:\Users\user\Desktop\python-3.11.4-amd64.exe"
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Process created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: version.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: msimg32.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Window detected: Number of UI elements: 43
Source: python-3.11.4-amd64.exe Static PE information: certificate valid
Source: python-3.11.4-amd64.exe Static file information: File size 25426160 > 1048576
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: python-3.11.4-amd64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: python-3.11.4-amd64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: D:\a\1\s\PCbuild\obj\311win32_Release\msi_pythonba\PythonBA.pdb source: python-3.11.4-amd64.exe, 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp, PythonBA.dll.1.dr
Source: python-3.11.4-amd64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: python-3.11.4-amd64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: python-3.11.4-amd64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: python-3.11.4-amd64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: python-3.11.4-amd64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA9C4E0 SetThreadLocale,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary, 1_2_6CA9C4E0
Source: python-3.11.4-amd64.exe Static PE information: section name: .wixburn
Source: python-3.11.4-amd64.exe.0.dr Static PE information: section name: .wixburn
Source: PythonBA.dll.1.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6E916 push ecx; ret 0_2_00F6E929
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3E916 push ecx; ret 1_2_00A3E929
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA91BAE push ecx; ret 1_2_6CAB8F93
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA910CD push ecx; ret 1_2_6CB10A20
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe File created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe File created: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Dropped PE file which has not been started: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe API coverage: 9.2 %
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F802DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00F80378h 0_2_00F802DD
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F802DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00F80371h 0_2_00F802DD
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A502DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A50378h 1_2_00A502DD
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A502DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A50371h 1_2_00A502DD
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F8488B FindFirstFileW,FindClose, 0_2_00F8488B
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F59B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00F59B24
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F43D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00F43D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A5488B FindFirstFileW,FindClose, 1_2_00A5488B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A29B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_00A29B24
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A13D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_00A13D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAA599C FindFirstFileW,FindClose, 1_2_6CAA599C
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB4046 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_6CAB4046
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAF5DCD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_6CAF5DCD
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F89B11 VirtualQuery,GetSystemInfo, 0_2_00F89B11
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F6E684
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA9C4E0 SetThreadLocale,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary, 1_2_6CA9C4E0
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F78581 mov eax, dword ptr fs:[00000030h] 0_2_00F78581
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F74503 mov eax, dword ptr fs:[00000030h] 0_2_00F74503
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A48581 mov eax, dword ptr fs:[00000030h] 1_2_00A48581
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A44503 mov eax, dword ptr fs:[00000030h] 1_2_00A44503
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F43ADF GetProcessHeap,RtlFreeHeap,GetLastError, 0_2_00F43ADF
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F6E1B8
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F6E684
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F7389A
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6E817 SetUnhandledExceptionFilter, 0_2_00F6E817
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00A3E1B8
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00A3E684
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00A4389A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3E817 SetUnhandledExceptionFilter, 1_2_00A3E817
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAC6574 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CAC6574
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB8C2D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CAB8C2D
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA94188 SetUnhandledExceptionFilter, 1_2_6CA94188
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB82F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CAB82F2
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CA9E275 ShellExecuteW, 1_2_6CA9E275
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Process created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F81BB9 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_00F81BB9
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F83ED2 AllocateAndInitializeSid,CheckTokenMembership, 0_2_00F83ED2
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6EA47 cpuid 0_2_00F6EA47
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6CAFE46A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetLocaleInfoW, 1_2_6CAFE0A5
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6CAFE218
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetLocaleInfoW, 1_2_6CAFE35F
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: EnumSystemLocalesW, 1_2_6CAF89E4
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: EnumSystemLocalesW, 1_2_6CAF87E4
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: EnumSystemLocalesW, 1_2_6CAFDC50
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6CAFDDBE
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: EnumSystemLocalesW, 1_2_6CAFDD11
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: EnumSystemLocalesW, 1_2_6CAFDBCE
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: GetLocaleInfoW, 1_2_6CAF9562
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F54F5A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_00F54F5A
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F4609A GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError, 0_2_00F4609A
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F4623E GetUserNameW,GetLastError, 0_2_00F4623E
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F88C56 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_00F88C56
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F4520D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 0_2_00F4520D
No contacted IP infos