
Analysis Report PI .exe

Overview

General Information

Sample Name: PI .exe
Analysis ID: 278421
MD5: a98da5ff380397ee6e94d7c3c3a60a69
SHA1: 0ae28ae48c083190881b76d2073b960d21a09ab4
SHA256: 66aff62cc726c9c58f515fa3624e3d1f9b181008c173d7659296dd875adb1a9e

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • PI .exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\PI .exe' MD5: A98DA5FF380397EE6E94D7C3C3A60A69)
    • PI .exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\PI .exe' MD5: A98DA5FF380397EE6E94D7C3C3A60A69)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.471828737.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: PI .exe PID: 6640 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: PI .exe PID: 6640 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: PI .exe PID: 6920 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: PI .exe PID: 6920 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PI .exe | Virustotal: Detection: 39%
Source: PI .exe | Metadefender: Detection: 18%
Source: PI .exe | ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005641E4 InternetReadFile, 6_2_005641E4
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
            Source: PI .exe, 00000006.00000002.473379997.00000000009F6000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=9FBA865C1FDCE17F&resid=9FBA865C1FDCE17F%21106&authkey=AGIgCuv
            Source: PI .exe, 00000006.00000002.473379997.00000000009F6000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/ownload?cid=9FBA865C1FDCE17F&resid=9FBA865C1FDCE17F%21106&authkey=AGIgCuv6
            Source: PI .exe, 00000006.00000002.472758606.0000000000998000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/p
            Source: PI .exe, 00000006.00000002.473379997.00000000009F6000.00000004.00000020.sdmp, PI .exe, 00000006.00000002.474169796.0000000002590000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
            Source: PI .exe, 00000006.00000002.473217148.00000000009DA000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\PI .exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0220 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B32DA NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B33AB NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B31EC NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B41E4 NtResumeThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3DB6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B4226 NtResumeThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B323B NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1A35 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0264 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1ABF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B42F7 NtResumeThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1B40 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1B90 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B33F5 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0829 NtWriteVirtualMemory,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1827 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B200D NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1807 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1861 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1848 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B208B NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B4130 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1903 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B19AC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3194 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1EAD NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1EEE NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1F6B NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1F43 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1F92 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B37C3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3424 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1C07 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B14C6 NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0D47 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00560220 EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005632DA NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005606E2 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005631EC NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563DB6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00560264 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_0056200D NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_0056323B NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563424 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005614C6 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561EEE NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_0056208B NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561EAD NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561F43 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561F6B NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00564130 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005633F5 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563194 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561F92 NtSetInformationThread
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005633AB NtSetInformationThread,LoadLibraryA
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_00403F40
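The "Code function" rows above carry the most useful structural fact in this report: only the call sites of the first PI .exe instance (the 0_2_ addresses) contain NtWriteVirtualMemory and NtResumeThread, while the second instance (the 6_2_ addresses) only has the NtSetInformationThread sites and NtProtectVirtualMemory. Together with the suspended child process created further down, that is the write-then-resume shape of a loader injecting its payload into its own child. The script below is an added triage example, not part of the Joe Sandbox report; it parses the row shape shown above (leading site id, comma-separated API names, and the site id repeated as the trailing link text) and summarises, per run, the injection primitives and how many NtSetInformationThread sites pair with TerminateProcess. The input rows are a subset copied from the report; the row regex and the "injection primitive" set are this example's own assumptions.

```python
"""Summarise native-API call sites from Joe Sandbox 'Code function' rows.

Added triage example, not part of the report. Assumes the row shape
    <run>_<pass>_<addr> <API>,<API>,...,<run>_<pass>_<addr>
where the trailing id repeats the leading one (the report's link text).
"""
import re
from collections import defaultdict

# Constructed input: a representative subset of the 'Code function' rows above.
REPORT_ROWS = """\
0_2_022B0220 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_022B0220
0_2_022B33AB NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,0_2_022B33AB
0_2_022B41E4 NtResumeThread,0_2_022B41E4
0_2_022B3DB6 NtProtectVirtualMemory,0_2_022B3DB6
0_2_022B1A35 NtWriteVirtualMemory,0_2_022B1A35
0_2_022B200D NtSetInformationThread,TerminateProcess,0_2_022B200D
6_2_00560220 EnumWindows,NtSetInformationThread,6_2_00560220
6_2_005606E2 NtProtectVirtualMemory,6_2_005606E2
6_2_005633AB NtSetInformationThread,LoadLibraryA,6_2_005633AB
6_2_0056200D NtSetInformationThread,6_2_0056200D
"""

ROW_RE = re.compile(r"^(?P<run>\d+)_(?P<pass>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>\S+)$")

# Primitives of the "create suspended, write, resume" injection sequence (assumption).
INJECTION_APIS = {"NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtResumeThread"}


def parse_rows(text):
    """Return (run, address, [api, ...]) per row; the duplicated trailing id is dropped."""
    sites = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a 'Code function' row
        apis = m.group("apis").split(",")
        site_id = f"{m.group('run')}_{m.group('pass')}_{m.group('addr')}"
        if apis and apis[-1] == site_id:  # the report repeats the site id as link text
            apis = apis[:-1]
        sites.append((int(m.group("run")), m.group("addr").upper(), apis))
    return sites


def summarise(sites):
    """Per run: API set, injection primitives seen, and anti-debug sites that kill on failure."""
    out = defaultdict(lambda: {"apis": set(), "injection": set(),
                               "hide_sites": 0, "hide_then_kill": 0})
    for run, _addr, apis in sites:
        s = out[run]
        s["apis"].update(apis)
        s["injection"].update(a for a in apis if a in INJECTION_APIS)
        if "NtSetInformationThread" in apis:
            s["hide_sites"] += 1
            # A NtSetInformationThread site that also reaches TerminateProcess is the
            # "hide from debugger, else die" pattern rather than ordinary thread setup.
            if "TerminateProcess" in apis:
                s["hide_then_kill"] += 1
    return dict(out)


def injecting_runs(summary):
    """Runs that both write into a process and resume a thread: the injector side."""
    return sorted(run for run, s in summary.items()
                  if {"NtWriteVirtualMemory", "NtResumeThread"} <= s["injection"])


if __name__ == "__main__":
    summary = summarise(parse_rows(REPORT_ROWS))
    for run, s in sorted(summary.items()):
        print(f"run {run}: injection={sorted(s['injection'])} "
              f"NtSetInformationThread sites={s['hide_sites']} "
              f"(with TerminateProcess: {s['hide_then_kill']})")
    print("injector run(s):", injecting_runs(summary))
```

On the rows copied above the injector is run 0 only; run 6 carries the same anti-debug sites without the TerminateProcess fallthrough, which is consistent with the 6_2_ code being the copy that was written into the child.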
Source: PI .exe, 00000000.00000000.205539738.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCounterproposition4.exe vs PI .exe
Source: PI .exe, 00000000.00000002.231738625.0000000002270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PI .exe
Source: PI .exe, 00000000.00000002.233249137.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCounterproposition4.exeFE2XTaust vs PI .exe
Source: PI .exe, 00000006.00000002.480230079.000000001DED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs PI .exe
Source: PI .exe, 00000006.00000000.229630613.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCounterproposition4.exe vs PI .exe
Source: PI .exe, 00000006.00000002.480353485.000000001E020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PI .exe
Source: PI .exe | Binary or memory string: OriginalFilenameCounterproposition4.exe vs PI .exe
Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/0@3/1
Source: C:\Users\user\Desktop\PI .exe | File created: C:\Users\user\AppData\Local\Temp\~DF0A197151A96667F1.TMP
Source: PI .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI .exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PI .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PI .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PI .exe | Virustotal: Detection: 39%
Source: PI .exe | Metadefender: Detection: 18%
Source: PI .exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\PI .exe 'C:\Users\user\Desktop\PI .exe'
Source: unknown | Process created: C:\Users\user\Desktop\PI .exe 'C:\Users\user\Desktop\PI .exe'
Source: C:\Users\user\Desktop\PI .exe | Process created: C:\Users\user\Desktop\PI .exe 'C:\Users\user\Desktop\PI .exe'

            Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000006.00000002.471828737.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI .exe PID: 6640, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI .exe PID: 6920, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: PI .exe PID: 6640, type: MEMORY
Source: Yara match | File source: Process Memory Space: PI .exe PID: 6920, type: MEMORY
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PI .exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\PI .exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\PI .exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\PI .exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\PI .exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PI .exe | RDTSC instruction interceptor: First address: 00000000022B26DF second address: 00000000022B2712 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+3Ch], eax 0x00000006 push ss 0x00000007 pop ss 0x00000008 jmp 00007F0898AAEDC9h 0x0000000a test edi, 6F6DE6EDh 0x00000010 test ah, bh 0x00000012 cmp dl, al 0x00000014 cmp ch, dh 0x00000016 pushad 0x00000017 mov ebx, 00000047h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\PI .exe | RDTSC instruction interceptor: First address: 00000000005626DF second address: 0000000000562712 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+3Ch], eax 0x00000006 push ss 0x00000007 pop ss 0x00000008 jmp 00007F0898AE1469h 0x0000000a test edi, 6F6DE6EDh 0x00000010 test ah, bh 0x00000012 cmp dl, al 0x00000014 cmp ch, dh 0x00000016 pushad 0x00000017 mov ebx, 00000047h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B33AB rdtsc
Source: C:\Users\user\Desktop\PI .exe TID: 6924 | Thread sleep count: 171 > 30
Source: C:\Users\user\Desktop\PI .exe TID: 6924 | Thread sleep time: -1710000s >= -30000s
Source: C:\Users\user\Desktop\PI .exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PI .exe | Last function: Thread delayed
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: PI .exe, 00000006.00000002.472758606.0000000000998000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@>
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PI .exe, 00000006.00000002.473217148.00000000009DA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWen-USn3c
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: PI .exe, 00000006.00000002.473217148.00000000009DA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: PI .exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: PI .exe, 00000000.00000002.247064163.0000000004D1A000.00000004.00000001.sdmp, PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: PI .exe, 00000006.00000002.474192098.00000000025CA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

            Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0220 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,022B32CC,?,022B0283,022B212E,?
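The argument list on the row above is the whole anti-debug trick in one call. NtSetInformationThread takes four parameters (thread handle, THREADINFOCLASS, buffer, length); here they are 0xFE, 0x11, 0 and 0, which is exactly NtSetInformationThread(NtCurrentThread(), ThreadHideFromDebugger, NULL, 0). Once that succeeds the thread no longer delivers debug events, so a breakpoint in it silently kills the process. The script below is an added example, not part of the report; it parses this row shape (site id, API name, comma-separated hex arguments with "?" for unresolved slots, site id repeated as link text) and decodes the call. Assumptions: the remaining twelve values are stack slots the sandbox printed beyond the real parameters and are ignored; the handle value 0xFE is read as the NtCurrentThread() pseudo-handle (HANDLE)-2 with its upper bytes dropped by the report's formatting, which is the only reading consistent with a value whose low two bits are set (real handle values are multiples of 4); and only the THREADINFOCLASS values in KNOWN_CLASSES are decoded by name.

```python
"""Decode a Joe Sandbox 'Code function' row that carries call arguments.

Added example, not part of the report. Handles the row shape
    <site> <API> <hex>,<hex>,...,?<site>
and decodes NtSetInformationThread's four real parameters.
"""
import re

# Constructed input: the argument row from the Anti Debugging section above.
ROW = ("0_2_022B0220 NtSetInformationThread 000000FE,00000011,00000000,00000000,"
       "00000000,00000000,00000000,00000000,?,00000000,00000000,022B32CC,?,022B0283,"
       "022B212E,?0_2_022B0220")

ROW_RE = re.compile(r"^(?P<site>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<api>\w+)\s+(?P<args>.*?)(?P=site)?$")

# THREADINFOCLASS values from the public NT headers; only these are named here.
KNOWN_CLASSES = {
    0x00: "ThreadBasicInformation",
    0x09: "ThreadQuerySetWin32StartAddress",
    0x11: "ThreadHideFromDebugger",
}

THREAD_HIDE_FROM_DEBUGGER = 0x11


def parse_args(row):
    """Return (site, api, [int or None, ...]); '?' marks a slot the sandbox could not read."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("unexpected row shape")
    args = [None if tok == "?" else int(tok, 16)
            for tok in m.group("args").rstrip(",").split(",") if tok != ""]
    return m.group("site"), m.group("api"), args


def is_current_thread_pseudo_handle(handle):
    """True for (HANDLE)-2 at any width, including the byte-truncated 0xFE seen in reports.

    Real handle values have the low two bits clear, so a value ending in ...FE cannot be
    a table handle; treating it as the pseudo-handle is an assumption about the report.
    """
    return handle is not None and (handle & 0xFF) == 0xFE and (handle & 3) == 2


def decode_set_information_thread(args):
    """Interpret the four real parameters of NtSetInformationThread."""
    if len(args) < 4:
        raise ValueError("NtSetInformationThread needs four parameters")
    handle, info_class, buf, length = args[:4]  # the rest are stack slots, ignored
    name = KNOWN_CLASSES.get(info_class, f"class 0x{info_class:X}")
    return {
        "class": name,
        "self_thread": is_current_thread_pseudo_handle(handle),
        # The canonical anti-debug form passes no buffer and a zero length.
        "hide_from_debugger": info_class == THREAD_HIDE_FROM_DEBUGGER and buf == 0 and length == 0,
    }


def is_anti_debug_call(row):
    """True when the row is a NtSetInformationThread(..., ThreadHideFromDebugger, NULL, 0) call."""
    _site, api, args = parse_args(row)
    if api != "NtSetInformationThread":
        return False
    return decode_set_information_thread(args)["hide_from_debugger"]


if __name__ == "__main__":
    site, api, args = parse_args(ROW)
    print(site, api, decode_set_information_thread(args))
```

A defender-side check that wants the same fact from live telemetry has no user-mode event for this call; the practical signal is a NtSetInformationThread with class 0x11 in an ETW/ntdll hook trace, or the sandbox row above.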
Hides threads from debuggers
Source: C:\Users\user\Desktop\PI .exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PI .exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PI .exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PI .exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B33AB rdtsc
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3228 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3A42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B12DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B0F32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B1F6B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B14C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 0_2_022B3536 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563A42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563228 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005612DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_005614C6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00561F6B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00563536 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Code function: 6_2_00560F32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI .exe | Process created: C:\Users\user\Desktop\PI .exe 'C:\Users\user\Desktop\PI .exe'
Source: PI .exe, 00000006.00000002.473950997.0000000001020000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PI .exe, 00000006.00000002.473950997.0000000001020000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
Source: PI .exe, 00000006.00000002.473950997.0000000001020000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PI .exe, 00000006.00000002.473950997.0000000001020000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion22 | OS Credential Dumping | Security Software Discovery421 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer1 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |

            Behavior Graph


            Screenshots
