5bcf0ce02d6de9edee44cc30287b59bba3625089ac85f7486538bcd5d3766b37

Analysis

max time kernel
106s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2023, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

python-3.11.1-amd64.exe
Size

24.1MB
MD5

3a02deed11f7ff4dbc1188d201ad164a
SHA1

5c935f5c25c2975ef384878bb094567fb19519c9
SHA256

5bcf0ce02d6de9edee44cc30287b59bba3625089ac85f7486538bcd5d3766b37
SHA512

47537d434724e6ca5edee6d342ecddc1082ec2a2641b8dca18fd249dbb68c6beb0a0e24921ea08ba987c167b56efada241d3b9b8d2dcf6c34b977db2d25e8d12
SSDEEP

786432:jZDkYdlC5lt5b8Jl3A9Nlqivxo/qoj3AbTS60zD:i/5bcl3Z6xorrAHpaD

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Programs\Python\Python311\NEWS.txt

Ransom Note

+++++++++++ Python News +++++++++++ What's New in Python 3.11.1 final? ================================== *Release date: 2022-12-06* Security -------- - gh-issue-100001: ``python -m http.server`` no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the :mod:`http.server` :class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control characters with a ``\xHH`` hex escape before printing. - gh-issue-87604: Avoid publishing list of active per-interpreter audit hooks via the :mod:`gc` module - gh-issue-98433: The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker to supply such a name. - gh-issue-98739: Update bundled libexpat to 2.5.0 - gh-issue-97612: Fix a shell code injection vulnerability in the ``get-remote-certificate.py`` example script. The script no longer uses a shell to run ``openssl`` commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. Core and Builtins ----------------- - gh-issue-99886: Fix a crash when an object which does not have a dictionary frees its instance values. - gh-issue-99891: Fix a bug in the tokenizer that could cause infinite recursion when showing syntax warnings that happen in the first line of the source. Patch by Pablo Galindo - gh-issue-99729: Fix an issue that could cause frames to be visible to Python code as they are being torn down, possibly leading to memory corruption or hard crashes of the interpreter. - gh-issue-99578: Fix a reference bug in :func:`_imp.create_builtin()` after the creation of the first sub-interpreter for modules ``builtins`` and ``sys``. Patch by Victor Stinner. - gh-issue-99581: Fixed a bug that was causing a buffer overflow if the tokenizer copies a line missing the newline caracter from a file that is as long as the available tokenizer buffer. Patch by Pablo galindo - gh-issue-99553: Fix bug where an :exc:`ExceptionGroup` subclass can wrap a :exc:`BaseException`. - gh-issue-99370: Fix zip path for venv created from a non-installed python on POSIX platforms. - gh-issue-99298: Fix an issue that could potentially cause incorrect error handling for some bytecode instructions. - gh-issue-99205: Fix an issue that prevented :c:type:`PyThreadState` and :c:type:`PyInterpreterState` memory from being freed properly. - gh-issue-99181: Fix failure in :keyword:`except* <except_star>` with unhashable exceptions. - gh-issue-99204: Fix calculation of :data:`sys._base_executable` when inside a POSIX virtual environment using copies of the python binary when the base installation does not provide the executable name used by the venv. Calculation will fall back to alternative names ("python<MAJOR>", "python<MAJOR>.<MINOR>"). - gh-issue-96055: Update :mod:`faulthandler` to emit an error message with the proper unexpected signal number. Patch by Dong-hee Na. - gh-issue-99153: Fix location of :exc:`SyntaxError` for a :keyword:`try` block with both :keyword:`except` and :keyword:`except* <except_star>`. - gh-issue-99103: Fix the error reporting positions of specialized traceback anchors when the source line contains Unicode characters. - gh-issue-98852: Fix subscription of type aliases containing bare generic types or types like :class:`~typing.TypeVar`: for example ``tuple[A, T][int]`` and ``tuple[TypeVar, T][int]``, where ``A`` is a generic type, and ``T`` is a type variable. - gh-issue-98925: Lower the recursion depth for marshal on WASI to support wasmtime 2.0/main. - gh-issue-98783: Fix multiple crashes in debug mode when ``str`` subclasses are used instead of ``str`` itself. - gh-issue-99257: Fix an issue where member descriptors (such as those for :attr:`~object.__slots__`) could behave incorrectly or crash instead of raising a :exc:`TypeError` when accessed via an instance of an invalid type. - gh-issue-98374: Suppress ImportError for invalid query for help() command. Patch by Dong-hee Na. - gh-issue-98415: Fix detection of MAC addresses for :mod:`uuid` on certain OSs. Patch by Chaim Sanders - gh-issue-92119: Print exception class name instead of its string representation when raising errors from :mod:`ctypes` calls. - gh-issue-96078: :func:`os.sched_yield` now release the GIL while calling sched_yield(2). Patch by Dong-hee Na. - gh-issue-93354: Fix an issue that could delay the specialization of :opcode:`PRECALL` instructions. - gh-issue-97943: Bugfix: :func:`PyFunction_GetAnnotations` should return a borrowed reference. It was returning a new reference. - gh-issue-97779: Ensure that all Python frame objects are backed by "complete" frames. - gh-issue-97591: Fixed a missing incref/decref pair in ``Exception.__setstate__()``. Patch by Ofey Chan. - gh-issue-94526: Fix the Python path configuration used to initialized :data:`sys.path` at Python startup. Paths are no longer encoded to UTF-8/strict to avoid encoding errors if it contains surrogate characters (bytes paths are decoded with the surrogateescape error handler). Patch by Victor Stinner. - gh-issue-95921: Fix overly-broad source position information for chained comparisons used as branching conditions. - gh-issue-96387: At Python exit, sometimes a thread holding the GIL can wait forever for a thread (usually a daemon thread) which requested to drop the GIL, whereas the thread already exited. To fix the race condition, the thread which requested the GIL drop now resets its request before exiting. Issue discovered and analyzed by Mingliang ZHAO. Patch by Victor Stinner. - gh-issue-96864: Fix a possible assertion failure, fatal error, or :exc:`SystemError` if a line tracing event raises an exception while opcode tracing is enabled. - gh-issue-96678: Fix undefined behaviour in C code of null pointer arithmetic. - gh-issue-96754: Make sure that all frame objects created are created from valid interpreter frames. Prevents the possibility of invalid frames in backtraces and signal handlers. - gh-issue-95196: Disable incorrect pickling of the C implemented classmethod descriptors. - gh-issue-96005: On WASI :data:`~errno.ENOTCAPABLE` is now mapped to :exc:`PermissionError`. The :mod:`errno` modules exposes the new error number. ``getpath.py`` now ignores :exc:`PermissionError` when it cannot open landmark files ``pybuilddir.txt`` and ``pyenv.cfg``. - gh-issue-93696: Allow :mod:`pdb` to locate source for frozen modules in the standard library. - bpo-31718: Raise :exc:`ValueError` instead of :exc:`SystemError` when methods of uninitialized :class:`io.IncrementalNewlineDecoder` objects are called. Patch by Oren Milman. - bpo-38031: Fix a possible assertion failure in :class:`io.FileIO` when the opener returns an invalid file descriptor. Library ------- - gh-issue-100001: Also \ escape \s in the http.server BaseHTTPRequestHandler.log_message so that it is technically possible to parse the line and reconstruct what the original data was. Without this a \xHH is ambiguious as to if it is a hex replacement we put in or the characters r"\x" came through in the original request line. - gh-issue-93453: :func:`asyncio.get_event_loop` now only emits a deprecation warning when a new event loop was created implicitly. It no longer emits a deprecation warning if the current event loop was set. - gh-issue-51524: Fix bug when calling trace.CoverageResults with valid infile. - gh-issue-99645: Fix a bug in handling class cleanups in :class:`unittest.TestCase`. Now ``addClassCleanup()`` uses separate lists for different ``TestCase`` subclasses, and ``doClassCleanups()`` only cleans up the particular class. - gh-issue-97001: Release the GIL when calling termios APIs to avoid blocking threads. - gh-issue-99341: Fix :func:`ast.increment_lineno` to also cover :class:`ast.TypeIgnore` when changing line numbers. - gh-issue-99418: Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin with a digit, a plus sign, or a minus sign to be parsed incorrectly. - gh-issue-99382: Check the number of arguments in substitution in user generics containing a :class:`~typing.TypeVarTuple` and one or more :class:`~typing.TypeVar`. - gh-issue-99379: Fix substitution of :class:`~typing.ParamSpec` followed by :class:`~typing.TypeVarTuple` in generic aliases. - gh-issue-99344: Fix substitution of :class:`~typing.TypeVarTuple` and :class:`~typing.ParamSpec` together in user generics. - gh-issue-74044: Fixed bug where :func:`inspect.signature` reported incorrect arguments for decorated methods. - gh-issue-99275: Fix ``SystemError`` in :mod:`ctypes` when exception was not set during ``__initsubclass__``. - gh-issue-99277: Remove older version of ``_SSLProtocolTransport.get_write_buffer_limits`` in :mod:`!asyncio.sslproto` - gh-issue-99248: fix negative numbers failing in verify() - gh-issue-99155: Fix :class:`statistics.NormalDist` pickle with ``0`` and ``1`` protocols. - gh-issue-93464: ``enum.auto()`` is now correctly activated when combined with other assignment values. E.g. ``ONE = auto(), 'some text'`` will now evaluate as ``(1, 'some text')``. - gh-issue-99134: Update the bundled copy of pip to version 22.3.1. - gh-issue-83004: Clean up refleak on failed module initialisation in :mod:`_zoneinfo` - gh-issue-83004: Clean up refleaks on failed module initialisation in in :mod:`_pickle` - gh-issue-83004: Clean up refleak on failed module initialisation in :mod:`_io`. - gh-issue-98897: Fix memory leak in :func:`math.dist` when both points don't have the same dimension. Patch by Kumar Aditya. - gh-issue-98706: [3.11] Applied changes from importlib_metadata `4.11.4 through 4.13 <https://importlib-metadata.readthedocs.io/en/latest/history.html#v4-13-0>`_, including compatibility and robustness fixes for ``Distribution`` objects without ``_normalized_name``, disallowing invalid inputs to ``Distribution.from_name``, and refined behaviors in ``PathDistribution._name_from_stem`` and ``PathDistribution._normalized_name``. - gh-issue-98793: Fix argument typechecks in :func:`!_overlapped.WSAConnect` and :func:`!_overlapped.Overlapped.WSASendTo` functions. - gh-issue-98744: Prevent crashing in :mod:`traceback` when retrieving the byte-offset for some source files that contain certain unicode characters. - gh-issue-98740: Fix internal error in the :mod:`re` module which in very rare circumstances prevented compilation of a regular expression containing a :ref:`conditional expression <re-conditional-expression>` without the "else" branch. - gh-issue-98703: Fix :meth:`asyncio.StreamWriter.drain` to call ``protocol.connection_lost`` callback only once on Windows. - gh-issue-98624: Add a mutex to unittest.mock.NonCallableMock to protect concurrent access to mock attributes. - gh-issue-89237: Fix hang on Windows in ``subprocess.wait_closed()`` in :mod:`asyncio` with :class:`~asyncio.ProactorEventLoop`. Patch by Kumar Aditya. - gh-issue-98458: Fix infinite loop in unittest when a self-referencing chained exception is raised - gh-issue-97928: :meth:`tkinter.Text.count` raises now an exception for options starting with "-" instead of silently ignoring them. - gh-issue-97966: On ``uname_result``, restored expectation that ``_fields`` and ``_asdict`` would include all six properties including ``processor``. - gh-issue-98307: A :meth:`~logging.handlers.SysLogHandler.createSocket` method was added to :class:`~logging.handlers.SysLogHandler`. - gh-issue-96035: Fix bug in :func:`urllib.parse.urlparse` that causes certain port numbers containing whitespace, underscores, plus and minus signs, or non-ASCII digits to be incorrectly accepted. - gh-issue-98251: Allow :mod:`venv` to pass along :envvar:`PYTHON*` variables to ``ensurepip`` and ``pip`` when they do not impact path resolution - gh-issue-98178: On macOS, fix a crash in :func:`syslog.syslog` in multi-threaded applications. On macOS, the libc ``syslog()`` function is not thread-safe, so :func:`syslog.syslog` no longer releases the GIL to call it. Patch by Victor Stinner. - gh-issue-96151: Allow ``BUILTINS`` to be a valid field name for frozen dataclasses. - gh-issue-87730: Wrap network errors consistently in urllib FTP support, so the test suite doesn't fail when a network is available but the public internet is not reachable. - gh-issue-98086: Make sure ``patch.dict()`` can be applied on async functions. - gh-issue-90985: Earlier in 3.11 we deprecated ``asyncio.Task.cancel("message")``. We realized we were too harsh, and have undeprecated it. - gh-issue-97837: Change deprecate warning message in :mod:`unittest` from ``It is deprecated to return a value!=None`` to ``It is deprecated to return a value that is not None from a test case`` - gh-issue-97825: Fixes :exc:`AttributeError` when :meth:`subprocess.check_output` is used with argument ``input=None`` and either of the arguments *encoding* or *errors* are used. - gh-issue-82836: Fix :attr:`~ipaddress.IPv4Address.is_private` properties in the :mod:`ipaddress` module. Previously non-private networks (0.0.0.0/0) would return True from this method; now they correctly return False. - gh-issue-96827: Avoid spurious tracebacks from :mod:`asyncio` when default executor cleanup is delayed until after the event loop is closed (e.g. as the result of a keyboard interrupt). - gh-issue-97592: Avoid a crash in the C version of :meth:`asyncio.Future.remove_done_callback` when an evil argument is passed. - gh-issue-97639: Remove ``tokenize.NL`` check from :mod:`tabnanny`. - gh-issue-73588: Fix generation of the default name of :class:`tkinter.Checkbutton`. Previously, checkbuttons in different parent widgets could have the same short name and share the same state if arguments "name" and "variable" are not specified. Now they are globally unique. - gh-issue-97005: Update bundled libexpat to 2.4.9 - gh-issue-85760: Fix race condition in :mod:`asyncio` where :meth:`~asyncio.SubprocessProtocol.process_exited` called before the :meth:`~asyncio.SubprocessProtocol.pipe_data_received` leading to inconsistent output. Patch by Kumar Aditya. - gh-issue-96819: Fixed check in :mod:`multiprocessing.resource_tracker` that guarantees that the length of a write to a pipe is not greater than ``PIPE_BUF``. - gh-issue-96741: Corrected type annotation for dataclass attribute ``pstats.FunctionProfile.ncalls`` to be ``str``. - gh-issue-95987: Fix ``repr`` of ``Any`` subclasses. - gh-issue-96388: Work around missing socket functions in :class:`~socket.socket`'s ``__repr__``. - gh-issue-96073: In :mod:`inspect`, fix overeager replacement of "``typing.``" in formatting annotations. - gh-issue-96192: Fix handling of ``bytes`` :term:`path-like objects <path-like object>` in :func:`os.ismount()`. - gh-issue-96052: Fix handling compiler warnings (SyntaxWarning and DeprecationWarning) in :func:`codeop.compile_command` when checking for incomplete input. Previously it emitted warnings and raised a SyntaxError. Now it always returns ``None`` for incomplete input without emitting any warnings. - gh-issue-88863: To avoid apparent memory leaks when :func:`asyncio.open_connection` raises, break reference cycles generated by local exception and future instances (which has exception instance as its member var). Patch by Dong Uk, Kang. - gh-issue-91212: Fixed flickering of the turtle window when the trac

Emails

<[email protected]>

a@[email protected]

URLs

http.server``

http

http.server

http.HTTPMethod

https://gitlab.com/warsaw/pynche

https://www.blake2.net/

https://github.com/python/peps/pull/689

https://invisible-island.net/ncurses/NEWS.html#index-t20170401

https://bugs.python.org/issue26903

https://mail.python.org/archives/list/[email protected]/thread/CLVXXPQ2T2LQ5MP2Y53VVQFCXYWQJHKZ/

https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html

https://bugzilla.redhat.com/show_bug.cgi?id=1866884

http.client.putrequest

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242274

http.client

https://www.w3.org/TR/xml/#sec-prolog-dtd

https://fishshell.com/docs/current/commands.html#source

httplib

http.client.InvalidURL

http://www.example.com

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	1544	msiexec.exe
29	1544	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
4000	python-3.11.1-amd64.exe
2220	python-3.11.1-amd64.exe
2620	python.exe
1340	python.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32\ = "C:\\Windows\\pyshellext.amd64.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	python-3.11.1-amd64.exe

Loads dropped DLL 29 IoCs

pid	Process
4000	python-3.11.1-amd64.exe
2636	MsiExec.exe
2620	python.exe
2620	python.exe
2620	python.exe
2620	python.exe
2620	python.exe
2620	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe
1340	python.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{fca95908-8c70-405d-9e72-cd746e2f7786} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{fca95908-8c70-405d-9e72-cd746e2f7786}\\python-3.11.1-amd64.exe\" /burn.runonce"	python-3.11.1-amd64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56d8a2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE5E.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d8ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8ae.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFFC2C23-AEE2-4867-998C-5F5A902496C0}	msiexec.exe
File created	C:\Windows\Installer\e56d8b6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8a6.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8a9.msi	msiexec.exe
File created	C:\Windows\pyw.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8b6.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5EB7FFE8-5B05-4DD3-9DE0-D0F20D93FA6C}	msiexec.exe
File created	C:\Windows\Installer\e56d8c5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e56d8b2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B39.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d8ba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BD3.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5D1EFF51-4740-4E62-8E49-11C13DEC34C3}	msiexec.exe
File created	C:\Windows\Installer\e56d8c9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8a2.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8be.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8be.msi	msiexec.exe
File created	C:\Windows\pyshellext.amd64.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE247.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d8aa.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8ae.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{66CA643F-68B2-4063-8F87-34D48A2C49ED}	msiexec.exe
File created	C:\Windows\py.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{8A19B72D-62A8-4198-BEBD-CAEF117194C8}\ARPIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7F6.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d8b9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E63D4F21-1B1F-43DC-9347-4FB51A71704C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8c6.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{988799D6-A7CE-4F51-89AF-1E4A64FA7ECA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF729.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51DF.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d8bd.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8A19B72D-62A8-4198-BEBD-CAEF117194C8}	msiexec.exe
File created	C:\Windows\Installer\{8A19B72D-62A8-4198-BEBD-CAEF117194C8}\ARPIcon	msiexec.exe
File created	C:\Windows\Installer\e56d8a5.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8a6.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8b1.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8b5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8ba.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7DE96A8-2F75-44B2-B46E-5D50DE5B1B80}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8aa.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C5FAF3D9-A03D-4F6A-AAC9-87735DDA5DCF}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{21EEFB31-6A96-4CAE-9A3B-B7FD6374C155}	msiexec.exe
File created	C:\Windows\Installer\e56d8c1.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8b2.msi	msiexec.exe
File created	C:\Windows\Installer\e56d8c2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d8c2.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D27B91A88A268914EBDBACFE1117498C\SourceList\PackageName = "launcher.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{21EEFB31-6A96-4CAE-9A3B-B7FD6374C155}	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Python.NoConFile\Shell\editwithidle\MUIVerb = "&Edit with IDLE"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{5D1EFF51-4740-4E62-8E49-11C13DEC34C3}\Dependents\{fca95908-8c70-405d-9e72-cd746e2f7786}	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{EFFC2C23-AEE2-4867-998C-5F5A902496C0}\Dependents	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{66CA643F-68B2-4063-8F87-34D48A2C49ED}\DisplayName = "Python 3.11.1 Tcl/Tk Support (64-bit)"	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\shell\open\command\ = "\"C:\\Windows\\py.exe\" \"%L\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyzw	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyzw\ = "Python.NoConArchiveFile"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{A7DE96A8-2F75-44B2-B46E-5D50DE5B1B80}\DisplayName = "Python 3.11.1 Executables (64-bit)"	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{E63D4F21-1B1F-43DC-9347-4FB51A71704C}\ = "{E63D4F21-1B1F-43DC-9347-4FB51A71704C}"	python-3.11.1-amd64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open\command\ = "\"C:\\Windows\\py.exe\" \"%L\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\CPython-3.11	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{5D1EFF51-4740-4E62-8E49-11C13DEC34C3}\Dependents	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shell\open\command\ = "\"C:\\Windows\\pyw.exe\" \"%L\" %*"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{C5FAF3D9-A03D-4F6A-AAC9-87735DDA5DCF}\DisplayName = "Python 3.11.1 pip Bootstrap (64-bit)"	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{A7DE96A8-2F75-44B2-B46E-5D50DE5B1B80}\Dependents	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{66CA643F-68B2-4063-8F87-34D48A2C49ED}	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{66CA643F-68B2-4063-8F87-34D48A2C49ED}\ = "{66CA643F-68B2-4063-8F87-34D48A2C49ED}"	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\shell\open\command\ = "\"C:\\Windows\\py.exe\" \"%L\" %*"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{21EEFB31-6A96-4CAE-9A3B-B7FD6374C155}\DisplayName = "Python 3.11.1 Standard Library (64-bit)"	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{21EEFB31-6A96-4CAE-9A3B-B7FD6374C155}\Dependents\{fca95908-8c70-405d-9e72-cd746e2f7786}	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{5EB7FFE8-5B05-4DD3-9DE0-D0F20D93FA6C}\Dependents\{fca95908-8c70-405d-9e72-cd746e2f7786}	python-3.11.1-amd64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile\shellex\DropHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.Extension\DefaultIcon\ = "\"C:\\Windows\\py.exe\",3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\DefaultIcon\ = "\"C:\\Windows\\py.exe\",5"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex\DropHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.Extension	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\CPython-3.11\Version = "3.11.1150.0"	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{EFFC2C23-AEE2-4867-998C-5F5A902496C0}\Dependents\{fca95908-8c70-405d-9e72-cd746e2f7786}	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Python.File	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D27B91A88A268914EBDBACFE1117498C\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D27B91A88A268914EBDBACFE1117498C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\CPython-3.11\ = "{fca95908-8c70-405d-9e72-cd746e2f7786}"	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Python.File\Shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\ = "Python File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.File\DefaultIcon\ = "\"C:\\Windows\\py.exe\",1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyw	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\ = "Compiled Python File"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{5D1EFF51-4740-4E62-8E49-11C13DEC34C3}	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{988799D6-A7CE-4F51-89AF-1E4A64FA7ECA}\DisplayName = "Python 3.11.1 Development Libraries (64-bit)"	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{66CA643F-68B2-4063-8F87-34D48A2C49ED}\Version = "3.11.1150.0"	python-3.11.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Python.File\Shell\editwithidle\shell\edit311	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\ = "Python File (no console)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConFile\shellex\DropHandler\ = "{BEA218D2-6950-497B-9434-61683EC065FE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE0A86B13DD4431548E03758B480361F\D27B91A88A268914EBDBACFE1117498C	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Installer\Dependencies\{EFFC2C23-AEE2-4867-998C-5F5A902496C0}\ = "{EFFC2C23-AEE2-4867-998C-5F5A902496C0}"	python-3.11.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Python.File\Shell\editwithidle\shell\edit311\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe\" -m idlelib \"%L\" %*"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConArchiveFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D27B91A88A268914EBDBACFE1117498C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D27B91A88A268914EBDBACFE1117498C\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3080	vssvc.exe
Token: SeRestorePrivilege	3080	vssvc.exe
Token: SeAuditPrivilege	3080	vssvc.exe
Token: SeShutdownPrivilege	4000	python-3.11.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	4000	python-3.11.1-amd64.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeCreateTokenPrivilege	4000	python-3.11.1-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	4000	python-3.11.1-amd64.exe
Token: SeLockMemoryPrivilege	4000	python-3.11.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	4000	python-3.11.1-amd64.exe
Token: SeMachineAccountPrivilege	4000	python-3.11.1-amd64.exe
Token: SeTcbPrivilege	4000	python-3.11.1-amd64.exe
Token: SeSecurityPrivilege	4000	python-3.11.1-amd64.exe
Token: SeTakeOwnershipPrivilege	4000	python-3.11.1-amd64.exe
Token: SeLoadDriverPrivilege	4000	python-3.11.1-amd64.exe
Token: SeSystemProfilePrivilege	4000	python-3.11.1-amd64.exe
Token: SeSystemtimePrivilege	4000	python-3.11.1-amd64.exe
Token: SeProfSingleProcessPrivilege	4000	python-3.11.1-amd64.exe
Token: SeIncBasePriorityPrivilege	4000	python-3.11.1-amd64.exe
Token: SeCreatePagefilePrivilege	4000	python-3.11.1-amd64.exe
Token: SeCreatePermanentPrivilege	4000	python-3.11.1-amd64.exe
Token: SeBackupPrivilege	4000	python-3.11.1-amd64.exe
Token: SeRestorePrivilege	4000	python-3.11.1-amd64.exe
Token: SeShutdownPrivilege	4000	python-3.11.1-amd64.exe
Token: SeDebugPrivilege	4000	python-3.11.1-amd64.exe
Token: SeAuditPrivilege	4000	python-3.11.1-amd64.exe
Token: SeSystemEnvironmentPrivilege	4000	python-3.11.1-amd64.exe
Token: SeChangeNotifyPrivilege	4000	python-3.11.1-amd64.exe
Token: SeRemoteShutdownPrivilege	4000	python-3.11.1-amd64.exe
Token: SeUndockPrivilege	4000	python-3.11.1-amd64.exe
Token: SeSyncAgentPrivilege	4000	python-3.11.1-amd64.exe
Token: SeEnableDelegationPrivilege	4000	python-3.11.1-amd64.exe
Token: SeManageVolumePrivilege	4000	python-3.11.1-amd64.exe
Token: SeImpersonatePrivilege	4000	python-3.11.1-amd64.exe
Token: SeCreateGlobalPrivilege	4000	python-3.11.1-amd64.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4000	python-3.11.1-amd64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4000	3536	python-3.11.1-amd64.exe	79
PID 3536 wrote to memory of 4000	3536	python-3.11.1-amd64.exe	79
PID 3536 wrote to memory of 4000	3536	python-3.11.1-amd64.exe	79
PID 4000 wrote to memory of 2220	4000	python-3.11.1-amd64.exe	86
PID 4000 wrote to memory of 2220	4000	python-3.11.1-amd64.exe	86
PID 4000 wrote to memory of 2220	4000	python-3.11.1-amd64.exe	86
PID 1544 wrote to memory of 2636	1544	msiexec.exe	100
PID 1544 wrote to memory of 2636	1544	msiexec.exe	100
PID 1544 wrote to memory of 2636	1544	msiexec.exe	100
PID 2636 wrote to memory of 2620	2636	MsiExec.exe	101
PID 2636 wrote to memory of 2620	2636	MsiExec.exe	101
PID 2620 wrote to memory of 1340	2620	python.exe	103
PID 2620 wrote to memory of 1340	2620	python.exe	103
PID 1340 wrote to memory of 1484	1340	python.exe	104
PID 1340 wrote to memory of 1484	1340	python.exe	104

C:\Users\Admin\AppData\Local\Temp\python-3.11.1-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\python-3.11.1-amd64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\Temp\{0ECBC427-5516-4838-B734-D8C34EDA4489}\.cr\python-3.11.1-amd64.exe
  "C:\Windows\Temp\{0ECBC427-5516-4838-B734-D8C34EDA4489}\.cr\python-3.11.1-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.11.1-amd64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=696
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\.be\python-3.11.1-amd64.exe
    "C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\.be\python-3.11.1-amd64.exe" -q -burn.elevated BurnPipe.{EC8DCD19-1DF8-4CF1-AB22-D14F0F242623} {7AF57C49-B24D-4DA7-9D16-75A7B9F5B1D9} 4000
    3⤵
    - Executes dropped EXE
    PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 566D84C971B40C6356BAA5290D0CAF4E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe
    "C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe" -E -s -m ensurepip -U --default-pip
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe
      C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe -W ignore::DeprecationWarning -c " import runpy import sys sys.path = ['C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptrg1m92x\\setuptools-65.5.0-py3-none-any.whl', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptrg1m92x\\pip-22.3.1-py3-none-any.whl'] + sys.path sys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\tmptrg1m92x', '--upgrade', 'setuptools', 'pip'] runpy.run_module(\"pip\", run_name=\"__main__\", alter_sys=True) "
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Package Cache\{21EEFB31-6A96-4CAE-9A3B-B7FD6374C155}v3.11.1150.0\lib.msi

Filesize
8.1MB

MD5
1136d20e7672f5e66d816f6199f83996

SHA1
e8970ad1e95792ea9270a49bb51e528657bad663

SHA256
37e09e434c25ec8b51dab6464828d3eff1597efd3629d128c8cc7ed3a257ff0d

SHA512
23da41e02120e0b38863fc48d256cd5d45e8e060f48a698aa0f2dd1333c97668c8a568f508d36ae660625713fba9b41f81952b2b6d60ae0298c9968d787abeb0

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{5D1EFF51-4740-4E62-8E49-11C13DEC34C3}v3.11.1150.0\core.msi

Filesize
1.8MB

MD5
87facfc186dfa7f596d9a011e0c14624

SHA1
22c81473af3fad08cbd4d25c4fc0400ae12b9856

SHA256
a9135df544b729dd2b7fdf2b2a75c4de3b6b766c26836fbde35b5f14cff8d886

SHA512
91382064b1ab221f2e1b86a9809d9feb1e98dc4f387f5681af46dd9e4d167020a0aec1b29c929904792429062b695639d55fc166db8b575bef274fd4161b15d9

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{5EB7FFE8-5B05-4DD3-9DE0-D0F20D93FA6C}v3.11.1150.0\doc.msi

Filesize
5.0MB

MD5
f3b046e75773da9263aab2d40f8d9e3f

SHA1
93d6511e42d1c70e51bd66549e1bc61efea67163

SHA256
ec60761a11ea09b2decb1e29fc57edf68d9810774742a562ddf7d040fcb016d3

SHA512
371cdb04b7548d377a2a6e9271ba7523dfdd372d78885bb4eb86548d8373d7ee6f680e5de25f759727b0566e1ef4529320317f9eb75c47e8227b4f889e503a54

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{66CA643F-68B2-4063-8F87-34D48A2C49ED}v3.11.1150.0\tcltk.msi

Filesize
3.4MB

MD5
854a0b2e4b816aafc372b37f4a12099b

SHA1
3b592ce49f613d906224a088a94b567735e0dfb5

SHA256
6f1fb247094ffaa30762df810cbfa72d28babf85ed0f653be2d310ad2515d226

SHA512
7873ca2ad97f65e10563afe196d7906c5cc9c568bbc44534f05cf54346627915a5255abe0bdfc247a695b94fa29738b6127c9f133723807e89096383ed331a4b

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{988799D6-A7CE-4F51-89AF-1E4A64FA7ECA}v3.11.1150.0\dev.msi

Filesize
328KB

MD5
f063127fbb98b38e43a9cb2fcc5406c4

SHA1
13e3726b8462b0db5cb6620f2501aaf0e85af20d

SHA256
fcfb3a406b570b2b31b16f6f0043573738d8760b634b217b88035f915f9a9256

SHA512
b140c08bf70822d6498c5c2f6ae589a88a9a939938a94a4114401dad803d35c52247c21b73362a06873a43d125d9e26452b0e43c7c9490f6ef6b2f88dca08b57

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{A7DE96A8-2F75-44B2-B46E-5D50DE5B1B80}v3.11.1150.0\exe.msi

Filesize
648KB

MD5
1775d57aaa10aab8e1d4845bdb6e5b03

SHA1
e699f8f2630a4fc4ee206af9abb2d3bd11d2eb3f

SHA256
75b41cc761325d33c5891cc4e028a62a60363049035ca18fe9a661941e5d9600

SHA512
f18e4d62c4c48a0be4f9f5ae7fb86cd2688aefd077da16564214195d88a4493a9d8f765042f0392de73964ae25d8af1a8fb6230eb0dbc6403b75e2c89079f087

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{C5FAF3D9-A03D-4F6A-AAC9-87735DDA5DCF}v3.11.1150.0\pip.msi

Filesize
268KB

MD5
0a9e2f93ae4b53f9b5f6c4d3a26d7416

SHA1
bd34a007a638f6915b6b4f0c27be95eaaf84a117

SHA256
a7649ff1796812d15073b46a63aec0092269255e6f1a9ea9d364ebdab79e757d

SHA512
3f241011e47c21f7385a0543d6d4392477f64fe6d0fd94b4d7b7172c2ddd8893e28a047b4c3b848f5bf6b688e7272933dddad110af93939de1976aa2e00d8413

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{E63D4F21-1B1F-43DC-9347-4FB51A71704C}v3.11.1150.0\tools.msi

Filesize
204KB

MD5
5e877b287afba0d17d8e622afa4c9731

SHA1
e6ea26541187157acdddbbb6e53e63151bedeb1c

SHA256
956c8d74dd6f66616d2829a59c79a1828be37aa74d04202600834b5b3b4c066e

SHA512
853e66998c79109a2567a1fb77029118be27935a17aa3417b1262cefaff9b8718cd95c267d87bce85df2ad7cc6b0f2e616b482b2482a80651e1d3905f4ab8bb8

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{EFFC2C23-AEE2-4867-998C-5F5A902496C0}v3.11.1150.0\test.msi

Filesize
3.7MB

MD5
35fc14b852af06963e355d4832467f72

SHA1
0d0b5fb0b748df495d7d05352cefde2f14c78068

SHA256
98538242cdd2e2f0afcf66f3a1df6dd91cd5d16045d3809b20566339286cfe2c

SHA512
e6758216b6219b3694c8a31e03be5e1f33af74d02f1f25151a1a3ac27bd1e3efda1324c57da5ee3ec9c60e3c56d9cd1c585053a97fe18a5ba709e06ded8ead7f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\_weakrefset.py

Filesize
5KB

MD5
06c63c4624fb2be6befd2e832b3b4bc2

SHA1
d373f09fcac33928e9f5330b0c6d1cfdb2f73b0a

SHA256
cf8031a6e21150438f3d2964c4152615b91a03894616d5b6930e0f14f44dabda

SHA512
24d7cd2e0959e90de5e4d252bcb655376833a948b03e99e2ce727ce115bffe0247475d9ef096a4aacafdbd1d3681031f44e63de9a77b221b444c4fc40574a86e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\collections\__init__.py

Filesize
52KB

MD5
b7d67883927331924fde841bc6aaaedc

SHA1
16cfadcb59513007b24eed1905bb73926b63f166

SHA256
f0067232ba9d4e8f7186e7c9c78aea16cc78494089d299e91dbd1f55f54161de

SHA512
e6ace2f207b939a67a57e1522055aad0528d244da4ef4dbe3a365afa675653f150c6663f15f40bb75902462d0fee79bb6576715add951f27b799c4152f21e3df

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\contextlib.py

Filesize
27KB

MD5
41742901f9dd3a17929d260734e42ff8

SHA1
8795b7e49cbb9ee0d62e95d026902ea335533b76

SHA256
afc1635de4b3a8e842735928e26ff444106df01c807d0f914744fd97bd8b6a5f

SHA512
aaebfc26f19a508b12c9ef5319a0f092ec484775eb26e15828b3299762cf9d7b4b6c354102888318c864c71a19fa307a3bffa5578e007c98210695e6e2196258

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\copyreg.py

Filesize
7KB

MD5
70a09bf8ac68a980f4feca675901b936

SHA1
7e191da9f8ce1651495ff79b097d69ad50433bbc

SHA256
a04efa4d0f7034a190700f4df14893f09b37bc51e8ad6ed441fa9200a7f0bd52

SHA512
1672de79feacfaa088ebca9e70b7fb536eeaa85cefbbafb1934541b4e64a82d21f4bae6da172cd375f1c018d5e9c49f66ec646ed63fc1408ad688e552044b617

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\encodings\__init__.py

Filesize
5KB

MD5
ea0e0d20c2c06613fd5a23df78109cba

SHA1
b0cb1bedacdb494271ac726caf521ad1c3709257

SHA256
8b997e9f7beef09de01c34ac34191866d3ab25e17164e08f411940b070bc3e74

SHA512
d8824b315aa1eb44337ff8c3da274e07f76b827af2a5ac0e84d108f7a4961d0c5a649f2d7d8725e02cd6a064d6069be84c838fb92e8951784d6e891ef54737a3

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\encodings\utf_8.py

Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\ensurepip\__init__.py

Filesize
9KB

MD5
cedf57ee00c6e3fda3eb9de90f64e11e

SHA1
9ec4c330d70992010a01fb058b60ae147e3140c5

SHA256
f9a75f735b947559d50067121991cade17b6fcdb65bd4ca83a6844ee89f5d0f7

SHA512
e4fa29de6fe05e4f9030074f140991bf9ba0cf256434e02a415b31c346753896ce4af337ddf3249216ecead803059a57f6a501848b293f21c9ff5852d4437534

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\enum.py

Filesize
78KB

MD5
6b81cc48af320fa73fe614458f1f8b63

SHA1
0fa1d12a5ba3d4214b7c46b17f532337087eda18

SHA256
5d24be1ea17a4ed6169aa8c2c6155e1b3a9d2e7dd05a33332f855115f0e94190

SHA512
6d0f13c1401e79a7733db7cb490ad0cf4067c5f12ce511509f93a5a7d8f31caab4b87296b8c38f2e709ac6e5c9742274d33d892b8a50bed2a1011509de5f66f0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\fnmatch.py

Filesize
6KB

MD5
25330cc531d5b235acef733f724a4d2c

SHA1
c2d58aa844c8ae698b214c40d37a12210508594b

SHA256
146d27a2853cd14c95ee49cc6130b9f84e2a56618dd1be695cddb20489460425

SHA512
1d0182832a5438068a17c51bd984d58ec7f9db8afcd4eae10d2943794a269a096caa501ad74a333756d15bd5f5275e01cbd55e2e4625570cd5ba44fcfbad30af

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\functools.py

Filesize
38KB

MD5
44ce9caeacd866e002aa69dd120b2093

SHA1
a43c2514d637afa2d3acbf234be5e4adbc083251

SHA256
4c54da1d6c7adc78e975315929d6dc8d1262c189d8eec81e2fd70335bcb6ddb3

SHA512
baa7758b6656e3ed46aad5fe38feda5e0abc8520d57b12bb81efeea5818c312379d8efcd79a91f1e973903d7a626962a27bcde2fb6781040b8c2e35d646aa78b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\importlib\__init__.py

Filesize
6KB

MD5
dbe317f92fe33213aa2410a2479b9c54

SHA1
29ddc88364c936e2d4ff3ea9b14f2176ac6a4230

SHA256
6d4ab4726790393388b483a56966276861eb3353731646572774ffa90b68289e

SHA512
07d0e99b5cfa1608e74279b5ff5e03d49b714c5b78f2b4fb3839cbe9a3133fe076650bf2c490736f7d88bb3584701f5931d9bb457c3a618aea5c8ddea3112431

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\importlib\_abc.py

Filesize
1KB

MD5
cbccc8e431a338f393ccd4d3f244ccc5

SHA1
77ff0adcb6f35d675030bec62bb55aa076692037

SHA256
c4376232da9464a27b02a530473489486d570f25a063715f3ad5a24d92ffe527

SHA512
27f28525a50f068f9327613ae5a71fae25984292ed9cdedf92b93e9de4e00e8121bd397e34c7e728e5849289285677ed88c43f6ab6efb60da36331e9c2e6cc0c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\keyword.py

Filesize
1KB

MD5
dc5106aabd333f8073ffbf67d63f1dee

SHA1
e203519ccd77f8283e1ea9d069c6e8de110e31d9

SHA256
ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

SHA512
a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\locale.py

Filesize
78KB

MD5
9c7133f216a9f37c4a30420550a0eb3f

SHA1
2ca4e5283954f75dacb5bc61972d97741c10d25e

SHA256
899d81ac7fe6669377d1241fadd723096fc6df0293e24244373ff25e7b100376

SHA512
c8c34a79e506b481929145256acda16c42e3606ff6bf8f6525bc4211dd281417e70866a7a6f807d1eaaafa6e8cc53e00ff997094626baaf894b739f8002c5ec2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\operator.py

Filesize
11KB

MD5
dc7484406cad1bf2dc4670f25a22e5b4

SHA1
189cd94b6fdca83aa16d24787af1083488f83db2

SHA256
c57b6816cfddfa6e4a126583fca0a2563234018daec2cfb9b5142d855546955c

SHA512
ac55baced6c9eb24bc5ecbc9eff766688b67550e46645df176f6c8a6f3f319476a59ab6fc8357833863895a4ef7f3f99a8dfe0c928e382580dfff0c28ca0d808

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\re\__init__.py

Filesize
15KB

MD5
ad69e5ac359f2eed09294c2d4454eaec

SHA1
101bd31c8aaf22ab35c333324128291d0b282ab1

SHA256
e912249b8b1e2880ff212ef728e8becba893ce31bcb68aa2bfbcab2c812e61be

SHA512
810305d37bd8cda0033a9dffbe0f54b7b5018da0b3ba70f9a976228fa91de4a00234d13a4be2c9f5a22201c91c75bd17dd29f4b2246234d88060fe7adc36bd92

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\re\_casefix.py

Filesize
5KB

MD5
8818057719ac1352408739df89c9a0e0

SHA1
03e5515c56dbbd68abed896e2b42baa9923c1518

SHA256
a1a8ce5d2051c96abb0c854f4a9c513c219e821f7285d28330f84eca71c341e2

SHA512
0b958d0e675369bd7e33faa449d21ae47cf61b1c37baefbc9f253da721be16a7f1df9a64d1b3b2566afb82081ea578e838f8abe39b5e676441b8ac613ab07748

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\re\_compiler.py

Filesize
26KB

MD5
5e3ad0b6d357a84899a32604699c0c49

SHA1
bbb5ba8e76ae8278293368ede6152ca85f215f6b

SHA256
712bb32f1d9d71e4f08486e5336c1303d65200d3249b1f6e0bef770f68164bbd

SHA512
7d96cfa8b608206af615cfa04180bc7ef59f687fdf38e307aa96072911d475a01211fba5091fb5d538221ca62f969b0ba1c53befda0a0e19e900246ead99d53b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\re\_constants.py

Filesize
6KB

MD5
59937863320eb6d9823c206349e144a6

SHA1
aac93867a51cf279ff5201bb2d9782d42988f1bc

SHA256
581e6c50e7f71e73f909567a4f2a06bed6b0f95098fdb60a18b8e3d39aa5b5e8

SHA512
95544491495cd61b80f5ba1abc6be7ee9cc19e537c6dee32502b40cd3e3070f557794b9c366e1957223943b87d706c6568b319b121ae203f0d7bc7bdecc46019

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\re\_parser.py

Filesize
42KB

MD5
2153bc591eceefa14ac6def85475877c

SHA1
fa396be048abc3bec353a3d72aead8b7787e0f8e

SHA256
43c6a6d0873cfbbb1d76a74e72a5f7f6c8d0b09c4e9f427b27288d02d130384d

SHA512
0a59c3ee7c217698e30d2b8fa525dae7253e5e90a9999a5103d8a4b5dab907c0f7d8792af932a2500d9ba8c173780be2e98c27585f499c32faf03a7c7c0e9ce5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\reprlib.py

Filesize
5KB

MD5
4391da050fa6fa8ddf241de229b5d3fc

SHA1
7d74c22a7517c82b230f751dbf35a25f63357514

SHA256
e66e66eae80b0300b332df07949520bc59c8193f38b6fb848957c02985f3659b

SHA512
dbe00984da9263d5b8b293e9ce34d75c0f9bbf527761c890de1f856699f5e7c59079daa2fadb1034a3eddcc5f4ca3c0620d7ea662eed4213d23f753b13381a08

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\shutil.py

Filesize
55KB

MD5
6187ec974cbdbc6b2f1bbc80c9b43cd9

SHA1
3e29e81f04219e7db8e798fb1677ed517c268547

SHA256
2a6b6cfcf64df6a423cfe9d5c568e28eb8e1df03eb802418e131d96c952f0277

SHA512
5290349f027004caae4d09e260043933b3c417c8ba3e6b0fb2fd0455e4bc956a216b9edb9749605e1033735e29ee16e619527b876cde5b265d17227ae2382f5b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\signal.py

Filesize
2KB

MD5
0dca73844d3b73c9802f6210c70dd4de

SHA1
eabeaba84b410a8e97ca2d42b2ae48ca2b78d8ec

SHA256
d470d65c87914ae671a202b8987437a6918aae477942e58bdb1d0056528115f7

SHA512
440149abe836ffd5e4716f2474a6d0c6a0460f543a39bec68e15651b5bc3e3294f7fc0d85c41c449224f234219809f710743e0002501d734a721b68377d39036

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\subprocess.py

Filesize
85KB

MD5
76e535fab3a014c8d28a819f2494b97d

SHA1
585c2ab1c9806240df9e0a193826c1a2f3a68995

SHA256
ccfa7f509807124034b90febd5753deecc75e3686f69442c7ac44ec7cdd0a650

SHA512
a047be65faa76971511a8cf7b0ab9801cbae77e27ef15a8ac5aee2833b4629b305d0df1aa28298456ebe32a23058c3ebfb31639d14e16bb9cfc94ed4751b6265

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\sysconfig.py

Filesize
30KB

MD5
9654ad62a1c369519066182e68244f43

SHA1
3fe32528690dce1ca7ce61418c4a5ad582b74d39

SHA256
7a4778f7124f839c2314e2ece29b867b190ede5a1d4c3a571f0dae722b596ae3

SHA512
b4dc58345b2166633e24530e5608df568965d2d864e9e4af2deca6b9c7b47ce78b4891b942154e67d2bbd09dc8ed2cfb22a753f2ba43bcead3bf388bac779cf4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\tempfile.py

Filesize
30KB

MD5
21e2d83fffaad48806985fa28bcece55

SHA1
1a14a7b37f5260240ec8e20cced48603efb1b288

SHA256
130f717f7787a52064572f3138ef204f2be65773b831c947b4960b84359480b6

SHA512
c932c16a618986e83f319e6d37e18be194ac5f7a03ba6eeaa570682724f31c12945f0a642cca99597da253a1ba4af73bf5a5052ef5fd307b7495d19a4d6aaa78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\threading.py

Filesize
58KB

MD5
f7fed8605142cbd193b37726970665f2

SHA1
01c9995e4d516bdbeedd9682ff59d25eeb2add08

SHA256
2c886ad38c75a1c7060fcf40ba60857ba5db4037bcfb5b190160a9f3cc4086f5

SHA512
fa70035f27ae3405f33a6c074c7bc268a9f0a03f00f6b95c96e7e5dbc1980d15c556345903bb1c16290975ce020d2e2adc279e24f6cbb525e3f91ba6eafcf441

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\types.py

Filesize
10KB

MD5
a226432e4c8e57487655abfd4b840665

SHA1
cc4db73107ee715332cefa79b0b6ee64d9be10db

SHA256
c762d2321a143aa9a7eaeb30f8ed8042c10a3e98e4fa678e4f659e2136bf85b5

SHA512
26b0d6b9bfda2f8f88200123eecdbfbba39203d65620997ac93630f4614ff8665d372dd1a6a4889fc34d932831ae88aca486569c47bda066e3b8a2c0edefdd6d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\Lib\warnings.py

Filesize
21KB

MD5
13114c0b8478d3b2aee7fa6e56971e9f

SHA1
8f8f5aa7dfc2d6c1804da0e22e5820b99a26c219

SHA256
dd8d3b7cead8aa956c330be2ac6f615409c2f42cee7c3ec5968989b624048f38

SHA512
46995fc8fcc4c32ff70a0e588a698e742805a7f7e3261e635b9e12956a5ec4bfb95c537b16524094ecc516a1f9235fc797e6078661827ad3a7f76562fc340e6b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe

Filesize
99KB

MD5
c793995b4be06c17bf4aae2e1302196b

SHA1
2db036cd60fcf917daffc47dda63e46ec3b16e9c

SHA256
0cbf71efa09ec4ce62d95c1448553314728ed5850720c8ad40352bfbb39be99a

SHA512
46b12b2969fd3c0221b179f82cd8c10dc9077937362f96759b5a447d45affc3e4a77d45e5f40cdef3f5255353c109f98cdce4cb828caad5bbd67ba6945becd85

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe

Filesize
99KB

MD5
c793995b4be06c17bf4aae2e1302196b

SHA1
2db036cd60fcf917daffc47dda63e46ec3b16e9c

SHA256
0cbf71efa09ec4ce62d95c1448553314728ed5850720c8ad40352bfbb39be99a

SHA512
46b12b2969fd3c0221b179f82cd8c10dc9077937362f96759b5a447d45affc3e4a77d45e5f40cdef3f5255353c109f98cdce4cb828caad5bbd67ba6945becd85

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\python311.dll

Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\python311.dll

Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\AppData\Local\Programs\Python\Python311\vcruntime140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_000_core_JustForMe.log

Filesize
1KB

MD5
e03266b981626e8683eb2e2f2ede5d71

SHA1
e223c5602154d9ca822a11ed0a2e99ef88df768f

SHA256
3ce4a5e2cd0329e8bfbba169e4c96beebedd468928a56bb3ca2ea6552b1398ba

SHA512
192996f9b96ecbc565e7ac07f9e4b5570504193cd8a34d686bf3496eee8689a90be7ec0d4fbec718dad925b820dbed6214f589e98805454c3abcd3f3f6820fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_001_exe_JustForMe.log

Filesize
1KB

MD5
b769692c766e51bd843efcf992fffb21

SHA1
3d6be617a852114d038be08d9bce8c19146978ab

SHA256
6e1ec8353acf6d2ca5006e94b3f9609e627ac04ece525a5f015bdba2bd0c33eb

SHA512
6e74df52b2d2b2e37b4a19bf2a3c4e2f3bd3332807fed7c5cb834059a42809ab8ac41298e189900c752d4e92bbb9311369a51abbc4627c260279f99ee47b984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_002_dev_JustForMe.log

Filesize
1KB

MD5
201667226a1d60fd55f7886ab450737d

SHA1
7a8cfe475fb54492e84d9bb70f849c9a097c1aba

SHA256
cde0ac0972eeb9acf1d9e7c7c170c037e0637807970e1f8dbfeed4ae13991cf7

SHA512
e12f2c50a871c3b972363faec7d753005c808f91d7a4fbbc1401c0013659b18c1df06bfd4f820d1109af22534a0e8ce67a10353c82e9310ee74d65f9912fb139

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_003_lib_JustForMe.log

Filesize
1KB

MD5
ffc48abcd698a89cf12bd65a0dc08991

SHA1
5588a9b691d25c0b7327241e278295c704589d7e

SHA256
3510f29e93d2f8d56cd655ac20a2b79b6ac77d7d4f074a1024690fd62f03578d

SHA512
2316272e74fd5cc22c429f66b1435d8ec5a235c6b407d3776c63c5e32310b9bff37f7bbecb4860a0b9ef81705398f606a7d69a51acfaabd7a74029146d2ed759

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_004_test_JustForMe.log

Filesize
1KB

MD5
2160a428c326e32b50397e49e3d70e3c

SHA1
88d61d06ba9052f57ffd52e9a2d6ffb3db1946b5

SHA256
2b4854a6102f3a2cd60b57702ead7044b25afa0fa458fc4e606d2dd678e56bed

SHA512
75fd6876e4f459d6303077389b60475e03641b39c8cc90fbfe1720a6141961b1c222c14440b85525200ce77b43a9c813540e251df6de9f57438e53c36e23da53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_005_doc_JustForMe.log

Filesize
1KB

MD5
96ab9318243301e01b09944e08986a2c

SHA1
559eeb4ecddce70036b451ead5b21bc9e9e98fe3

SHA256
b67debf6e9b90422810423bd9b886a62b2d0ceb506c265b921314fb2f8156a9a

SHA512
3ba8de10b0d6c3bf40029fa67e13a35022500f35662fe93c950b4d93d3bb0c85a4fd02b1530a983b00a4cb08167a6668ca5aed94af84723bd870079bdde7b13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_006_tools_JustForMe.log

Filesize
1KB

MD5
1510a156f27c4b56aca908a53b1efed9

SHA1
1ecd3ae8bacced3e98391fb3a0f97b113b62de2b

SHA256
ccbceb8d4dca03a01eef21628064e03c5da3e1f2806071cb5526a55ba82953e2

SHA512
3d14d6b31e2b68ba5dd788d2ad1eb38905b13a8d4be26857cef082d126981520cdbdabcf4cd47d0ee82dd17917bc7de2c84cc987719d97410a2a22e1a9b40ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_007_tcltk_JustForMe.log

Filesize
1KB

MD5
f20075d2913f2890d715641ce38c1f9b

SHA1
85118fc47c631a967e891341e7cabb158f1b762e

SHA256
446c61e422522c2b911f8cd869fcb3f4d080110f54bf3307f48b06c772a70de7

SHA512
d37d33a872cd47199a57d4c875d0162605d1d56be149b2a8b5a4a88c1165a9845d884c24e83e5244421375751c0045f29e248b6d93780ddbfb2fcd4e4f16da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_008_launcher_AllUsers.log

Filesize
1KB

MD5
a7959c90c527aad54326e768d4aaf363

SHA1
8a82b7b790b00b253fa639e07ec32baee96f1cb9

SHA256
195cc08194e3ed0898dd13b83d4d3c22d1d9d8483fec7e19e330e82090060aa1

SHA512
88bf2b64281463fca9ab19cc58da97b604c708c613868ba98853a752f211c90803edad421ae478920a5eb2997e0d4c5e99ee9e3471d986c7b0078bafc9c4d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.11.1 (64-bit)_20230112113401_009_pip_JustForMe.log

Filesize
1KB

MD5
c528baea91abe15b616bfe97ae200966

SHA1
756215b1b02da43595a3dc3e0b1cfa370e7b5050

SHA256
30fca468636ec81ff30b1fcfb256d23c75e7b5368c6d58483a8c20b0f716f231

SHA512
acebdcbeaba7df303e480b94145dedf1e1b24c77d2c587ef41df2916e045449ade6bfc96eca27e8adf87a22890774f14dea87a150cfc7cc26a4155d409a5afea

Download Submit
C:\Windows\Installer\MSI8C2D.tmp

Filesize
216KB

MD5
98ace1c283f1723e3c1fc935f57d3a33

SHA1
e8051f238f00f806dbf643bcbd15c6dfb1a04563

SHA256
d1a0d6c7c19384251145f7064d2e3955e7a1c69b9c9f2afd0d7effa6672ff20c

SHA512
b5c590c101de11f823793d5694c7015bcb58a311e58da6e0d9773f4a32f2451bc750f66717b360595483cb5fc2344677afe7df3e383be6047a3e74c0b9812178

Download Submit
C:\Windows\Installer\MSI8C2D.tmp

Filesize
216KB

MD5
98ace1c283f1723e3c1fc935f57d3a33

SHA1
e8051f238f00f806dbf643bcbd15c6dfb1a04563

SHA256
d1a0d6c7c19384251145f7064d2e3955e7a1c69b9c9f2afd0d7effa6672ff20c

SHA512
b5c590c101de11f823793d5694c7015bcb58a311e58da6e0d9773f4a32f2451bc750f66717b360595483cb5fc2344677afe7df3e383be6047a3e74c0b9812178

Download Submit
C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\.ba\PythonBA.dll

Filesize
671KB

MD5
6406031fb98e7d0b5ad71511952987ed

SHA1
ace0aa6402a3618e2b95749f4a25391897e3a4e1

SHA256
95f2922b9b5dc3b381793636fc417c78b53b2ac6133da9d77fa344d53e0b0e2f

SHA512
9697919fab4747d4d7ba441c0c3deade0406d97bd8637d5d955bb42b0f8319d75e12fc3ed7b4fb9488fbe28ef6e5c7b9831e6d8fce54b0494a5e259c0fda6fb2

Download Submit
C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\.be\python-3.11.1-amd64.exe

Filesize
855KB

MD5
8bd3db6a9ce3c9e797d8aa9b90219d45

SHA1
c63b4c1634b87549c8f44ed36c6063020fd02523

SHA256
d106aa33a32fb3330dcbb712084e7332e548e713b2b02683f364d98fa9e3d4e9

SHA512
8201c6311899652c14fea42c101ae8b1ef4b9c27d7a31f08523ab59e7e8a6ffdeb2afb2eeef3fadd86d8316b41eb428ca56dbd955e11326ddab897e90240cfac

Download Submit
C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\.be\python-3.11.1-amd64.exe

Filesize
855KB

MD5
8bd3db6a9ce3c9e797d8aa9b90219d45

SHA1
c63b4c1634b87549c8f44ed36c6063020fd02523

SHA256
d106aa33a32fb3330dcbb712084e7332e548e713b2b02683f364d98fa9e3d4e9

SHA512
8201c6311899652c14fea42c101ae8b1ef4b9c27d7a31f08523ab59e7e8a6ffdeb2afb2eeef3fadd86d8316b41eb428ca56dbd955e11326ddab897e90240cfac

Download Submit
C:\Windows\Temp\{02272A69-1C4C-4769-92A3-95D66F61A653}\launcher_AllUsers

Filesize
528KB

MD5
a7b3272d952e4158053c20ed64325489

SHA1
6d268bf4104be16269a1b47707d469d280f7da7b

SHA256
cf5dc227058a1fdd27f4e3007a2882fb0ebe923c4ea8e25bdbce1fb7113b5ea7

SHA512
856b9afc6fa215b3d49d0fa15bb20f5eeaed2b54feb1efc9f9c82cfcd8aa0fb1eb5c87745b89220adea4033b15d8380fb437f22925e8cc76a45291c6d045b951

Download Submit
C:\Windows\Temp\{0ECBC427-5516-4838-B734-D8C34EDA4489}\.cr\python-3.11.1-amd64.exe

Filesize
855KB

MD5
8bd3db6a9ce3c9e797d8aa9b90219d45

SHA1
c63b4c1634b87549c8f44ed36c6063020fd02523

SHA256
d106aa33a32fb3330dcbb712084e7332e548e713b2b02683f364d98fa9e3d4e9

SHA512
8201c6311899652c14fea42c101ae8b1ef4b9c27d7a31f08523ab59e7e8a6ffdeb2afb2eeef3fadd86d8316b41eb428ca56dbd955e11326ddab897e90240cfac

Download Submit
C:\Windows\Temp\{0ECBC427-5516-4838-B734-D8C34EDA4489}\.cr\python-3.11.1-amd64.exe

Filesize
855KB

MD5
8bd3db6a9ce3c9e797d8aa9b90219d45

SHA1
c63b4c1634b87549c8f44ed36c6063020fd02523

SHA256
d106aa33a32fb3330dcbb712084e7332e548e713b2b02683f364d98fa9e3d4e9

SHA512
8201c6311899652c14fea42c101ae8b1ef4b9c27d7a31f08523ab59e7e8a6ffdeb2afb2eeef3fadd86d8316b41eb428ca56dbd955e11326ddab897e90240cfac

Download Submit