Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

python-3.11.4-amd64.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.997603851114176
Filename:	python-3.11.4-amd64.exe
Filesize:	25426160
MD5:	e4413bb7448cd13b437dffffba294ca0
SHA1:	59dcc42113cd01346f7498a07c1265a4428b8864
SHA256:	47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50
SHA512:	a48ee8992eee60a0d620dced71b9f96596f5dd510e3024015aca55884cdb3f9e2405734bfc13f3f40b79106a77bc442cce02ac4c8f5d16207448052b368fd52a
SSDEEP:	786432:MHi7Bb2EJqoZYHzYoj8P3kajPHRKx2MlDMhzU:t21QYHzYojc31LHRKXxMZU
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s.

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading File and Directory Discovery
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Access Token Manipulation Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Uses the system / local time for branch decision (may execute only at specific dates)	Malware Analysis System Evasion
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Windows Service Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Security Software Discovery Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Might use command line arguments	System Summary	Command and Scripting Interpreter
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Access Token Manipulation Security Software Discovery
Sample reads its own file content	System Summary	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary	Security Software Discovery

C:\Users\user\AppData\Local\Temp\Python 3.11.4 (64-bit)_20240426093700.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Python 3.11.4 (64-bit)_20240426093700.log
Category:	dropped
Dump:	Python 3.11.4 (64-bit)_20240426093700.log.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.242247897134095
Encrypted:	false
Ssdeep:	96:QtsnW0RlnBxc6gnezEygyX2q/ezkZ9kDgLGdkDbkh3kPOdD3khkV+zDZk1k3bkde:dlnBxc6gnewfW2q/ekLGFmK2
Size:	14761
Whitelisted:	false
Reputation:	low

C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Category:	dropped
Dump:	python-3.11.4-amd64.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\python-3.11.4-amd64.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.381277625665739
Encrypted:	false
Ssdeep:	24576:D5mWpI2jFM5sFzfTpi9GpNq2YSia0dLIqARMPAw4d:D5BjBbTpi9Kx3AEnYj4d
Size:	879104
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses 32bit PE files	Compliance, System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)	System Summary

C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\BootstrapperApplicationData.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (676), with CRLF line terminators

dropped

Details

File:	C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\BootstrapperApplicationData.xml
Category:	dropped
Dump:	BootstrapperApplicationData.xml.1.dr
ID:	dr_6
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (676), with CRLF line terminators
Entropy:	3.7255837301231836
Encrypted:	false
Ssdeep:	768:XBgyB6JM/LpYizsYnXldL3lNeqdcXQpPKmb3jkuwG73LAyG3DcsGUX8Sg4091mYp:XFlhl4Yp
Size:	101404
Whitelisted:	false
Reputation:	low

C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\Default.thm

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\Default.thm
Category:	dropped
Dump:	Default.thm.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.202199468357687
Encrypted:	false
Ssdeep:	192:0cUc9Oa2cacjcPnfEUcUr80Mpcu5cmc0pc3:0cUcAa2cacjcPfFcUx4cu5cmcQc3
Size:	12050
Whitelisted:	false
Reputation:	moderate

C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\Default.wxl

XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (349), with CRLF line terminators

dropped

Details

File:	C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\Default.wxl
Category:	dropped
Dump:	Default.wxl.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (349), with CRLF line terminators
Entropy:	5.078827763136586
Encrypted:	false
Ssdeep:	96:JTqB3tcIyDykuiM7iIbY8gQOOeupqplqe7o7qiYici+iDF8zcz6/DuukOVZbRU84:k5J+nSuUBBr2NZK
Size:	9177
Whitelisted:	false
Reputation:	low

C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Category:	dropped
Dump:	PythonBA.dll.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.000284662502105
Encrypted:	false
Ssdeep:	6144:rEEKaxe1tHVjwLqKmlDGH6NmpHx6mI+BoSbGwizRfucj6GOUetELpO:Izaxe13w+XGH62Hx7I+BYfucjxlO
Size:	690176
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png

PNG image data, 176 x 382, 8-bit/color RGB, non-interlaced

dropped

Details

File:	C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png
Category:	dropped
Dump:	SideBar.png.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Type:	PNG image data, 176 x 382, 8-bit/color RGB, non-interlaced
Entropy:	7.980841800703768
Encrypted:	false
Ssdeep:	1536:/c/aRsg1fYfJt0Bg74nWPMMCNBaeQzxxj8ckBo:UcsgGfP0yCWTAaeyxxjGBo
Size:	51948
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\python-3.11.4-amd64.exe

"C:\Users\user\Desktop\python-3.11.4-amd64.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6984
Target ID:	0
Parent PID:	2580
Name:	python-3.11.4-amd64.exe
Path:	C:\Users\user\Desktop\python-3.11.4-amd64.exe
Commandline:	"C:\Users\user\Desktop\python-3.11.4-amd64.exe"
Size:	25426160
MD5:	E4413BB7448CD13B437DFFFFBA294CA0
Time:	09:37:00
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf40000
Modulesize:	561152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe

"C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640

Details

Is windows:	false
Is dropped:	true
PID:	7028
Target ID:	1
Parent PID:	6984
Name:	python-3.11.4-amd64.exe
Path:	C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Commandline:	"C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Size:	879104
MD5:	73084CDC98F16F144AEAA7CE8966A76A
Time:	09:37:00
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa10000
Modulesize:	561152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://www.python.org/downloads/

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msiz

unknown

http://wixtoolset.org/schemas/thmutil/2010

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msir

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msiz

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msiz

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_d.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msit

unknown

https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_d.msia

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_d.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_d.msiv

unknown

https://discuss.python.org/c/users/7

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msik_

unknown

https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msit

unknown

https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiz

unknown

http://appsyndication.org/2006/appsynapplicationc:

unknown

https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiy

unknown

https://docs.python.org/

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msif

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_d.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msia

unknown

https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msi

unknown

https://www.python.org/

unknown

https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msiz

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi~

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msiz

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msif

unknown

http://docs.python.org/

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/core_d.msiz

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msie

unknown

http://crl3.digic

unknown

https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msie

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msi

unknown

https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msiz

unknown

http://appsyndication.org/2006/appsyn

unknown

https://www.python.org/ftp/python/3.11.4/amd64/test_d.msi

unknown

There are 39 hidden URLs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4642000

heap

page read and write

F41000

unkown

page execute read

FAB000

unkown

page read and write

2FD6000

trusted library allocation

page read and write

4642000

heap

page read and write

13D0000

heap

page read and write

2CB0000

heap

page read and write

3817000

trusted library allocation

page read and write

EFC000

stack

page read and write

3815000

trusted library allocation

page read and write

A4D000

heap

page read and write

A1B000

heap

page read and write

A23000

heap

page read and write

3816000

trusted library allocation

page read and write

3248000

stack

page read and write

6CA90000

unkown

page readonly

3800000

trusted library allocation

page read and write

A21000

heap

page read and write

12ED000

heap

page read and write

12D6000

heap

page read and write

3821000

trusted library allocation

page read and write

FAB000

unkown

page write copy

4B10000

trusted library allocation

page read and write

12A1000

heap

page read and write

2FD5000

trusted library allocation

page read and write

FAE000

unkown

page readonly

12D5000

heap

page read and write

605F000

stack

page read and write

3382000

trusted library allocation

page read and write

9F3000

heap

page read and write

5BC000

stack

page read and write

A21000

heap

page read and write

380B000

trusted library allocation

page read and write

12BB000

heap

page read and write

12ED000

heap

page read and write

3814000

trusted library allocation

page read and write

A31000

heap

page read and write

A4F000

heap

page read and write

F8B000

unkown

page readonly

13B0000

heap

page read and write

2D80000

heap

page read and write

12EA000

heap

page read and write

A10000

unkown

page readonly

12EF000

heap

page read and write

A0A000

heap

page read and write

49D0000

trusted library allocation

page read and write

9D8000

heap

page read and write

33B0000

heap

page read and write

3823000

trusted library allocation

page read and write

F40000

unkown

page readonly

2FD3000

trusted library allocation

page read and write

37F0000

heap

page read and write

364E000

heap

page read and write

45EA000

stack

page read and write

382E000

trusted library allocation

page read and write

12BF000

heap

page read and write

4AC0000

trusted library allocation

page read and write

2FD8000

trusted library allocation

page read and write

3420000

heap

page read and write

334C000

stack

page read and write

3C00000

trusted library allocation

page read and write

2B50000

heap

page read and write

4B60000

trusted library allocation

page read and write

4A20000

trusted library allocation

page read and write

3484000

stack

page read and write

3808000

trusted library allocation

page read and write

5F5E000

stack

page read and write

3370000

trusted library allocation

page read and write

2FD9000

trusted library allocation

page read and write

34D0000

heap

page read and write

A7E000

unkown

page readonly

33B0000

unkown

page read and write

12BB000

heap

page read and write

A4D000

heap

page read and write

1293000

heap

page read and write

380C000

trusted library allocation

page read and write

2AF0000

trusted library allocation

page read and write

12D4000

heap

page read and write

1248000

heap

page read and write

4740000

heap

page read and write

12D4000

heap

page read and write

A4B000

heap

page read and write

3813000

trusted library allocation

page read and write

37D0000

trusted library section

page read and write

3493000

heap

page read and write

382F000

trusted library allocation

page read and write

4640000

heap

page read and write

4642000

heap

page read and write

1360000

heap

page read and write

3490000

heap

page read and write

A23000

heap

page read and write

A11000

unkown

page execute read

2FA0000

heap

page read and write

12D8000

heap

page read and write

2FDB000

trusted library allocation

page read and write

12BB000

heap

page read and write

12DA000

heap

page read and write

12DA000

heap

page read and write

A31000

heap

page read and write

3824000

trusted library allocation

page read and write

970000

heap

page read and write

3818000

trusted library allocation

page read and write

A5B000

unkown

page readonly

4642000

heap

page read and write

4930000

trusted library allocation

page read and write

2AD0000

trusted library allocation

page read and write

12A1000

heap

page read and write

4642000

heap

page read and write

2FDE000

trusted library allocation

page read and write

1312000

heap

page read and write

A21000

heap

page read and write

3630000

heap

page read and write

1170000

heap

page read and write

12EF000

heap

page read and write

3825000

trusted library allocation

page read and write

1293000

heap

page read and write

6CA98000

unkown

page execute read

990000

heap

page read and write

A31000

heap

page read and write

131D000

heap

page read and write

382C000

trusted library allocation

page read and write

6CB35000

unkown

page readonly

F20000

heap

page read and write

5F1F000

stack

page read and write

3370000

trusted library allocation

page read and write

6CB39000

unkown

page readonly

12D7000

heap

page read and write

381C000

trusted library allocation

page read and write

2C00000

heap

page read and write

380D000

trusted library allocation

page read and write

3440000

heap

page read and write

A11000

heap

page read and write

2FD7000

trusted library allocation

page read and write

8FB000

stack

page read and write

FAE000

unkown

page readonly

5E1E000

stack

page read and write

2FDC000

trusted library allocation

page read and write

A4B000

heap

page read and write

A4F000

heap

page read and write

4744000

heap

page read and write

381D000

trusted library allocation

page read and write

6CB16000

unkown

page execute read

2FDA000

trusted library allocation

page read and write

A4D000

heap

page read and write

12ED000

heap

page read and write

1264000

heap

page read and write

6CB18000

unkown

page readonly

12F5000

heap

page read and write

381E000

trusted library allocation

page read and write

6CA91000

unkown

page execute read

12EF000

heap

page read and write

382D000

trusted library allocation

page read and write

4642000

heap

page read and write

4890000

trusted library allocation

page read and write

1291000

heap

page read and write

3829000

trusted library allocation

page read and write

2DC0000

heap

page read and write

4980000

trusted library allocation

page read and write

A4F000

heap

page read and write

380A000

trusted library allocation

page read and write

9D0000

heap

page read and write

12A1000

heap

page read and write

381A000

trusted library allocation

page read and write

12A3000

heap

page read and write

37E0000

trusted library section

page read and write

380E000

trusted library allocation

page read and write

1293000

heap

page read and write

F40000

unkown

page readonly

127A000

heap

page read and write

3827000

trusted library allocation

page read and write

18A9000

heap

page read and write

2FD1000

trusted library allocation

page read and write

F41000

unkown

page execute read

48E0000

trusted library allocation

page read and write

2FDD000

trusted library allocation

page read and write

381B000

trusted library allocation

page read and write

3807000

trusted library allocation

page read and write

6CA9B000

unkown

page execute read

2FB0000

trusted library allocation

page read and write

3831000

trusted library allocation

page read and write

4630000

heap

page read and write

37C0000

trusted library section

page read and write

2FD2000

trusted library allocation

page read and write

FFB000

stack

page read and write

A7B000

unkown

page write copy

A5B000

unkown

page readonly

3819000

trusted library allocation

page read and write

A10000

unkown

page readonly

1300000

heap

page read and write

4642000

heap

page read and write

12ED000

heap

page read and write

3410000

heap

page read and write

A23000

heap

page read and write

12D6000

heap

page read and write

A1B000

heap

page read and write

1291000

heap

page read and write

3830000

trusted library allocation

page read and write

18A6000

heap

page read and write

18A0000

heap

page read and write

A7E000

unkown

page readonly

382B000

trusted library allocation

page read and write

2FD4000

trusted library allocation

page read and write

33A0000

trusted library allocation

page read and write

12D4000

heap

page read and write

A11000

unkown

page execute read

6CB32000

unkown

page read and write

12BF000

heap

page read and write

4A70000

trusted library allocation

page read and write

3640000

heap

page read and write

4642000

heap

page read and write

3822000

trusted library allocation

page read and write

382A000

trusted library allocation

page read and write

380F000

trusted library allocation

page read and write

4642000

heap

page read and write

A33000

heap

page read and write

3828000

trusted library allocation

page read and write

3826000

trusted library allocation

page read and write

A7B000

unkown

page read and write

12F0000

heap

page read and write

3390000

heap

page read and write

1240000

heap

page read and write

1291000

heap

page read and write

12D4000

heap

page read and write

33D0000

heap

page read and write

F8B000

unkown

page readonly

3360000

heap

page read and write

A4B000

heap

page read and write

920000

heap

page read and write

12F6000

heap

page read and write

12D5000

heap

page read and write

There are 220 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
python-3.11.4-amd64.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpython-3.11.4-amd64.exe

Files

Processes

URLs

Memdumps

IOC Report
python-3.11.4-amd64.exe