Windows Analysis Report
ITC590-Script 2 V1-2024.exe

Overview

General Information

Sample name: ITC590-Script 2 V1-2024.exe
Analysis ID: 1522421
MD5: 4ac074744836b3742200b03807655bd9
SHA1: cec4e3902cab847249ca4e63750f8bbfdb503165
SHA256: 918bf06d20f2240938fc8a940a4b019cc573cee762ee169ce3e2fba155d5796b
Tags: exeuser-Dyrockful

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found pyInstaller with non standard icon
Uses cmd line tools excessively to alter registry or file data
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses reg.exe to modify the Windows registry

Classification

AV Detection

Source: ITC590-Script 2 V1-2024.exe ReversingLabs: Detection: 20%
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.5% probability
Source: ITC590-Script 2 V1-2024.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666680527.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: python312.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666826205.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662611257.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662707659.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662707659.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662362599.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662247077.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662247077.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662811507.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF726E083C0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E09280 FindFirstFileExW,FindClose, 0_2_00007FF726E09280
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF726E21874
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E09280 FindFirstFileExW,FindClose, 1_2_00007FF726E09280
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF726E21874
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF726E083C0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: String function: 00007FF726E02910 appears 34 times
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: String function: 00007FF726E02710 appears 104 times
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666680527.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662707659.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662247077.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662468968.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662611257.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666826205.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662362599.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs ITC590-Script 2 V1-2024.exe
Source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662811507.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs ITC590-Script 2 V1-2024.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\TestSoftware" /v TestValue /d "Test Data" /f
Source: classification engine Classification label: mal60.winEXE@13/11@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802 Jump to behavior
Source: ITC590-Script 2 V1-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ITC590-Script 2 V1-2024.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File read: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe "C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe "C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe"
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\TestSoftware" /v TestValue /d "Test Data" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\TestSoftware" /v TestValue /d "Test Data" /f
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\TestSoftware" /v TestValue /d "Modified Data-ITC590 2024" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\TestSoftware" /v TestValue /d "Modified Data-ITC590 2024" /f
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe "C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe" Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\TestSoftware" /v TestValue /d "Test Data" /f Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\TestSoftware" /v TestValue /d "Modified Data-ITC590 2024" /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\TestSoftware" /v TestValue /d "Test Data" /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\TestSoftware" /v TestValue /d "Modified Data-ITC590 2024" /f Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: ITC590-Script 2 V1-2024.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ITC590-Script 2 V1-2024.exe Static file information: File size 7246596 > 1048576
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ITC590-Script 2 V1-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ITC590-Script 2 V1-2024.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666680527.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: python312.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1666826205.000001AF92AC0000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662611257.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662707659.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662707659.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662362599.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662247077.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662247077.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.0.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: ITC590-Script 2 V1-2024.exe, 00000000.00000003.1662811507.000001AF92ABF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source: ITC590-Script 2 V1-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ITC590-Script 2 V1-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ITC590-Script 2 V1-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ITC590-Script 2 V1-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ITC590-Script 2 V1-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr Static PE information: section name: .00cfg
Source: python312.dll.0.dr Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Process created: "C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe"
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-3.dll Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\python312.dll Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E05830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 0_2_00007FF726E05830
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\python312.dll Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-3.dll Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe API coverage: 6.4 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF726E083C0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E09280 FindFirstFileExW,FindClose, 0_2_00007FF726E09280
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF726E21874
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E09280 FindFirstFileExW,FindClose, 1_2_00007FF726E09280
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E21874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF726E21874
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00007FF726E083C0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E1A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF726E1A614
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E23480 GetProcessHeap, 0_2_00007FF726E23480
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E0C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF726E0C8A0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E0D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF726E0D12C
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E0D30C SetUnhandledExceptionFilter, 0_2_00007FF726E0D30C
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E0C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF726E0C8A0
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E1A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF726E1A614
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E0D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF726E0D12C
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 1_2_00007FF726E0D30C SetUnhandledExceptionFilter, 1_2_00007FF726E0D30C
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E29570 cpuid 0_2_00007FF726E29570
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Queries volume information: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformation
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E0D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF726E0D010
Source: C:\Users\user\Desktop\ITC590-Script 2 V1-2024.exe Code function: 0_2_00007FF726E25E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF726E25E7C
No contacted IP infos