Edit tour

Windows Analysis Report
Revised PI_2024.exe

Overview

General Information

Sample name:	Revised PI_2024.exe
Analysis ID:	1476760
MD5:	3a78393aeba62548f630b8db173b21fc
SHA1:	ef48bee35127d470f759f7e4c0c23852ef4d360c
SHA256:	e95df2cc1ac0d157ac28cec5b9ec404298d65bff11c6da736072a394dd541f79
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Mass process execution to delay analysis

Obfuscated command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Revised PI_2024.exe (PID: 3500 cmdline: "C:\Users\user\Desktop\Revised PI_2024.exe" MD5: 3A78393AEBA62548F630B8DB173B21FC)

cmd.exe (PID: 6828 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3568 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4828 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5552 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4884 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6708 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5560 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6900 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8032 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6204 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7048 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7636 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7652 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7612 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1836 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5792 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6084 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7076 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5556 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5036 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1100 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6744 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4360 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6388 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5552 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6708 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 964 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1484 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3960 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3284 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5204 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4800 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5332 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1596 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2304 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4704 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7612 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1492 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6772 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7560 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6540 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6708 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5348 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2784 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2304 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3064 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7312 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6544 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7828 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1956 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6456 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6624 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6744 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6388 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5560 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4120 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1756 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1596 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4244 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2304 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3064 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1740 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6604 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1484 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Revised PI_2024.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\Revised PI_2024.exe" MD5: 3A78393AEBA62548F630B8DB173B21FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.25860616069.00000000005D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000000.00000002.25860616069.0000000000604000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000083.00000002.30448881456.0000000036601000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.25861827661.00000000047F5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 3500	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 7700	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Revised PI_2024.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0011EC68 CryptUnprotectData,		131_2_0011EC68
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0011F648 CryptUnprotectData,		131_2_0011F648

Source: Revised PI_2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.217.110:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.69.193:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49773 version: TLS 1.2

Source: Revised PI_2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405EA8 FindFirstFileA,FindClose,	0_2_00405EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00402645 FindFirstFileA,	131_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	131_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405EA8 FindFirstFileA,FindClose,	131_2_00405EA8

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Revised PI_2024.exe, Revised PI_2024.exe, 00000083.00000000.25750416365.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Revised PI_2024.exe, 00000000.00000000.25343490775.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Revised PI_2024.exe, 00000000.00000002.25860296580.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Revised PI_2024.exe, 00000083.00000000.25750416365.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Revised PI_2024.exe, 00000083.00000002.30448881456.00000000365B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: Revised PI_2024.exe, 00000083.00000002.30448881456.00000000365B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Revised PI_2024.exe, 00000083.00000002.30448881456.00000000365B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Revised PI_2024.exe, 00000083.00000002.30448881456.00000000365B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Revised PI_2024.exe, 00000083.00000002.30439489314.0000000007B10000.00000004.00001000.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com//
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P&export=download
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P&export=download0
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1n-88UxRI8_HJBdcZ-vuH76hO3XJtjO5P&export=downloadt
Source: Revised PI_2024.exe, 00000083.00000003.25858741072.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Revised PI_2024.exe, 00000083.00000003.25821117001.0000000005D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 142.250.217.110:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.69.193:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49773 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 131_2_3879DAA0 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,3879E480,00000000,00000000

131_2_3879DAA0

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Revised PI_2024.exe

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00404FCD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FCD

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: Conhost.exe

Process created: 89

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_004030E2
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,LdrInitializeThunk,GetTempPathA,GetWindowsDirectoryA,lstrcatA,LdrInitializeThunk,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		131_2_004030E2

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_0040480C	0_2_0040480C
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_004062CF	0_2_004062CF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00406AA6	0_2_00406AA6
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0040480C	131_2_0040480C
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_004062CF	131_2_004062CF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00406AA6	131_2_00406AA6
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00113908	131_2_00113908
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00118C08	131_2_00118C08
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00114520	131_2_00114520
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0011C2FF	131_2_0011C2FF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00113C50	131_2_00113C50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_38793D47	131_2_38793D47
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_38791B88	131_2_38791B88

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: String function: 004029FD appears 48 times

Source: Revised PI_2024.exe, 00000000.00000000.25343564453.0000000000440000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe
Source: Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Revised PI_2024.exe
Source: Revised PI_2024.exe, 00000083.00000002.30425828431.0000000000440000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe

Source: Revised PI_2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@393/7@3/3

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_004042DD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042DD

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File created: C:\Users\user\AppData\Local\haandsbredderne

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File created: C:\Users\user\AppData\Local\Temp\nst40D.tmp

Jump to behavior

Source: Revised PI_2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Revised PI_2024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Revised PI_2024.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File read: C:\Users\user\Desktop\Revised PI_2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Revised PI_2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.25861827661.00000000047F5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.25860616069.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.25860616069.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 3500, type: MEMORYSTR

Obfuscated command line found

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405ECF

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_10002D30 push eax; ret	0_2_10002D5E
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00110C45 push ebx; retf	131_2_00110C52
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00110C6D push edi; retf	131_2_00110C7A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00110CCB push edi; retf	131_2_00110C7A

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nse49B.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nse49B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nse49B.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nse49B.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Revised PI_2024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Revised PI_2024.exe

API/Special instruction interceptor: Address: 1E8B623

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 365B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 385B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 1200000			Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse49B.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse49B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse49B.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse49B.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Revised PI_2024.exe

API coverage: 1.8 %

Source: C:\Users\user\Desktop\Revised PI_2024.exe TID: 5072	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe TID: 5072	Thread sleep time: -1200000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Revised PI_2024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405EA8 FindFirstFileA,FindClose,	0_2_00405EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00402645 FindFirstFileA,	131_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	131_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405EA8 FindFirstFileA,FindClose,	131_2_00405EA8

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 1200000			Jump to behavior

Source: Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Revised PI_2024.exe, 00000083.00000002.30438628723.0000000005D77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_uE[

Source: C:\Users\user\Desktop\Revised PI_2024.exe	API call chain: ExitProcess graph end node			graph_0-3695
Source: C:\Users\user\Desktop\Revised PI_2024.exe	API call chain: ExitProcess graph end node			graph_0-3852

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 131_2_00405F41 LdrInitializeThunk,

131_2_00405F41

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405ECF

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Users\user\Desktop\Revised PI_2024.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405BC6 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405BC6

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000083.00000002.30448881456.0000000036601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 7700, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	11 Deobfuscate/Decode Files or Information	21 Input Capture	126 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Time Based Evasion	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Time Based Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Revised PI_2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Revised PI_2024.exe