Windows Analysis Report
Revised PI_2024.exe

Overview

General Information

Sample name: Revised PI_2024.exe
Analysis ID: 1476760
MD5: 3a78393aeba62548f630b8db173b21fc
SHA1: ef48bee35127d470f759f7e4c0c23852ef4d360c
SHA256: e95df2cc1ac0d157ac28cec5b9ec404298d65bff11c6da736072a394dd541f79
Tags: exe
Infos:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Revised PI_2024.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\Revised PI_2024.exe" MD5: 3A78393AEBA62548F630B8DB173B21FC)
    • cmd.exe (PID: 1096 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6564 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6472 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5176 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2748 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1756 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6104 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3660 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3488 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5276 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5248 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 340 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5960 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5040 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3652 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2800 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2736 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3968 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2836 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2444 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 884 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4876 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4816 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1052 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3084 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6392 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6620 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3940 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2748 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2448 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 992 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3660 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5200 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6432 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5308 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5264 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5616 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1428 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1292 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5064 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2800 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2020 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1816 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2992 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7064 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2244 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6812 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3796 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1096 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7160 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2548 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5052 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3652 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 612 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2128 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2448 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7080 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7144 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3488 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6972 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5660 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.4531250790.00000000007DD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.4531250790.00000000007BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.4531863647.0000000004195000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: Revised PI_2024.exe PID: 1664 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Revised PI_2024.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.0% probability
Source: Revised PI_2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Revised PI_2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00405EA8 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00402645 FindFirstFileA
Source: Revised PI_2024.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Revised PI_2024.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00404FCD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: Conhost.exe | Process created: 109
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_0040480C
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_004062CF
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00406AA6
Source: Revised PI_2024.exe, 00000000.00000002.4531091818.0000000000440000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe
Source: Revised PI_2024.exe | Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@409/7@0/0
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_004042DD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Revised PI_2024.exe | File created: C:\Users\user\AppData\Local\haandsbredderne
Source: C:\Users\user\Desktop\Revised PI_2024.exe | File created: C:\Users\user\AppData\Local\Temp\nsfCD1B.tmp
Source: Revised PI_2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Revised PI_2024.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Revised PI_2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Revised PI_2024.exe | File read: C:\Users\user\Desktop\Revised PI_2024.exe
Source: unknown | Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: usp10.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: msls31.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Revised PI_2024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: Yara matchFile source: 00000000.00000002.4531863647.0000000004195000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.4531250790.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.4531250790.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Revised PI_2024.exe PID: 1664, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405ECF
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_10002D30 push eax; ret 0_2_10002D5E
          Source: C:\Users\user\Desktop\Revised PI_2024.exe File created: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe File created: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\nsDialogs.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe File created: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\System.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe File created: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\Revised PI_2024.exe RDTSC instruction interceptor: First address: 47CA3BA second address: 47CA3BA instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F0AF4D1447Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\nsDialogs.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\System.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspCDA8.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\Revised PI_2024.exe TID: 5348 Thread sleep time: -30200s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405464
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00405EA8 FindFirstFileA,FindClose,0_2_00405EA8
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00402645 FindFirstFileA,0_2_00402645
          Source: C:\Users\user\Desktop\Revised PI_2024.exe API call chain: ExitProcess graph end node graph_0-3695
          Source: C:\Users\user\Desktop\Revised PI_2024.exe API call chain: ExitProcess graph end node graph_0-3852
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405ECF
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\Revised PI_2024.exe Code function: 0_2_00405BC6 GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA, 0_2_00405BC6
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 2 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: 1 Masquerading; 2 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Time Based Evasion; 1 Obfuscated Files or Information; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 11 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Time Based Evasion; 2 File and Directory Discovery; 123 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
          Behavior Graph
          ID: 1476760, Sample: Revised PI_2024.exe, Startdate: 19/07/2024, Architecture: WINDOWS, Score: 80

          Signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Obfuscated command line found; 3 other signatures

          • Revised PI_2024.exe (started)
            • Signature: Obfuscated command line found
            • Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
            • Dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32
            • Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
            • Dropped: C:\Users\user\AppData\Local\...\BgImage.dll, PE32
            • cmd.exe (started)
              • Conhost.exe (started)
            • cmd.exe (started)
              • Conhost.exe (started)
            • cmd.exe (started)
              • Conhost.exe (started)
            • 61 other processes
              • Conhost.exe (started)
              • Conhost.exe (started)
              • Conhost.exe (started)
              • 58 other processes
