Loading ...

Play interactive tourEdit tour

Analysis Report PI.exe

Overview

General Information

Sample Name:PI.exe
Analysis ID:321388
MD5:dbda32339a6965fefc794f220f944016
SHA1:3e53b09125eb1e031f5f0e777836ba738b84fc42
SHA256:c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PI.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)
    • notepad.exe (PID: 1476 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
    • PI.exe (PID: 5152 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)
    • PI.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828 MD5: DBDA32339A6965FEFC794F220F944016)
  • wscript.exe (PID: 6776 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • PI.exe (PID: 6744 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)
      • notepad.exe (PID: 6636 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • PI.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: DBDA32339A6965FEFC794F220F944016)
      • PI.exe (PID: 6788 cmdline: 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890 MD5: DBDA32339A6965FEFC794F220F944016)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "l6qpC", "URL: ": "https://xmFob4yUwp.org", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "PWiE8a9WlECjO", "From: ": "info@hybridgroupco.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.941872630.0000000000475000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.942359260.0000000002180000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.942468067.0000000002252000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.PI.exe.2180000.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              7.2.PI.exe.bb0000.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                2.2.PI.exe.2180000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  7.2.PI.exe.790000.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    2.2.PI.exe.2250000.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 8 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Drops script at startup locationShow sources
                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\notepad.exe, ProcessId: 1476, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: PI.exe.5152.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "l6qpC", "URL: ": "https://xmFob4yUwp.org", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "PWiE8a9WlECjO", "From: ": "info@hybridgroupco.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: PI.exeReversingLabs: Detection: 52%
                      Machine Learning detection for sampleShow sources
                      Source: PI.exeJoe Sandbox ML: detected
                      Source: 7.2.PI.exe.bb0000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.PI.exe.2250000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 7.2.PI.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.PI.exe.2760000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00408994 FindFirstFileA,GetLastError,0_2_00408994
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AE8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00408994 FindFirstFileA,GetLastError,3_2_00408994
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,3_2_00405AE8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00408994 FindFirstFileA,GetLastError,5_2_00408994
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,5_2_00405AE8
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: global trafficTCP traffic: 192.168.2.4:49745 -> 66.70.204.222:587
                      Source: Joe Sandbox ViewIP Address: 66.70.204.222 66.70.204.222
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: global trafficTCP traffic: 192.168.2.4:49745 -> 66.70.204.222:587
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0233A186 recv,2_2_0233A186
                      Source: unknownDNS traffic detected: queries for: mail.hybridgroupco.com
                      Source: PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
                      Source: PI.exe, 00000002.00000002.944519197.0000000005A20000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
                      Source: PI.exe, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                      Source: PI.exeString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
                      Source: PI.exeString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: PI.exe, 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmp, PI.exe, 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmp, PI.exe, 00000005.00000002.708227438.00000000027D5000.00000040.00000001.sdmp, PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
                      Source: PI.exe, 00000002.00000002.943432491.0000000002C69000.00000004.00000001.sdmp, PI.exe, 00000002.00000002.943600197.0000000002D98000.00000004.00000001.sdmpString found in binary or memory: https://xmFob4yUwp.org
                      Source: PI.exe, 00000002.00000002.943293284.0000000002B8A000.00000004.00000001.sdmpString found in binary or memory: https://xmFob4yUwp.org$
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004070C2 OpenClipboard,0_2_004070C2
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00423388 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00423388
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_004239CC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,3_2_004239CC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004586FC GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,0_2_004586FC

                      System Summary:

                      barindex
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004547D0 NtdllDefWindowProc_A,0_2_004547D0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0042E46C NtdllDefWindowProc_A,0_2_0042E46C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004493A0 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00439CA4 NtdllDefWindowProc_A,GetCapture,0_2_00439CA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0046E159 NtCreateSection,2_2_0046E159
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0233B362 NtQuerySystemInformation,2_2_0233B362
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0233B331 NtQuerySystemInformation,2_2_0233B331
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_004547D0 NtdllDefWindowProc_A,3_2_004547D0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0042E46C NtdllDefWindowProc_A,3_2_0042E46C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,3_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,3_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_004493A0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,3_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00439CA4 NtdllDefWindowProc_A,GetCapture,3_2_00439CA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_004547D0 NtdllDefWindowProc_A,5_2_004547D0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0042E46C NtdllDefWindowProc_A,5_2_0042E46C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,5_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,5_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_004493A0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,5_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00439CA4 NtdllDefWindowProc_A,GetCapture,5_2_00439CA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0044EEA40_2_0044EEA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004493A00_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00471BA80_2_00471BA8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0046BD440_2_0046BD44
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_004679762_2_00467976
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0046D13D2_2_0046D13D
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_023324782_2_02332478
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E334682_2_04E33468
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E200072_2_04E20007
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E390102_2_04E39010
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E331F82_2_04E331F8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E379902_2_04E37990
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E315682_2_04E31568
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E31D202_2_04E31D20
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3810F2_2_04E3810F
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3B6E82_2_04E3B6E8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3DBB82_2_04E3DBB8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E393882_2_04E39388
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3CB342_2_04E3CB34
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3C8EB2_2_04E3C8EB
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E39CFE2_2_04E39CFE
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E384B12_2_04E384B1
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E328B82_2_04E328B8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3C8B82_2_04E3C8B8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E348BE2_2_04E348BE
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3C8892_2_04E3C889
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E320992_2_04E32099
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3C8772_2_04E3C877
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E36C352_2_04E36C35
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E390002_2_04E39000
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3D5C32_2_04E3D5C3
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E355D32_2_04E355D3
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E389982_2_04E38998
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E315592_2_04E31559
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E321362_2_04E32136
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3553A2_2_04E3553A
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E39D032_2_04E39D03
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E39D082_2_04E39D08
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E31D102_2_04E31D10
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E37A982_2_04E37A98
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3566C2_2_04E3566C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E36A722_2_04E36A72
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E37E782_2_04E37E78
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E334682_2_04E33468
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3A3A22_2_04E3A3A2
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E3DBA92_2_04E3DBA9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E357AD2_2_04E357AD
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_04E393782_2_04E39378
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A59C82_2_059A59C8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A07F02_2_059A07F0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0D102_2_059A0D10
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A77102_2_059A7710
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A3F222_2_059A3F22
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A37402_2_059A3740
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A53702_2_059A5370
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A1EB02_2_059A1EB0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A1CC02_2_059A1CC0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A56F32_2_059A56F3
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A7E082_2_059A7E08
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A86482_2_059A8648
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A07882_2_059A0788
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0DBB2_2_059A0DBB
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A07D32_2_059A07D3
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A63CC2_2_059A63CC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0DCD2_2_059A0DCD
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A3FC72_2_059A3FC7
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A7DF82_2_059A7DF8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A11152_2_059A1115
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A77032_2_059A7703
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A37312_2_059A3731
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A3F7C2_2_059A3F7C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0E932_2_059A0E93
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A7E872_2_059A7E87
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A72BC2_2_059A72BC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A1CB02_2_059A1CB0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A1EA32_2_059A1EA3
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A08D62_2_059A08D6
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0CF22_2_059A0CF2
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A24142_2_059A2414
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0A2A2_2_059A0A2A
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_059A0E6A2_2_059A0E6A
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0044EEA43_2_0044EEA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_004493A03_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00471BA83_2_00471BA8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0046BD443_2_0046BD44
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0044EEA45_2_0044EEA4
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_004493A05_2_004493A0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00471BA85_2_00471BA8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0046BD445_2_0046BD44
                      Source: C:\Users\user\Desktop\PI.exeCode function: 7_2_004679767_2_00467976
                      Source: C:\Users\user\Desktop\PI.exeCode function: 7_2_0046D13D7_2_0046D13D
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 004035DC appears 109 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 00467F3C appears 33 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 00403E24 appears 54 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 00402774 appears 44 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 0040436C appears 54 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 004066E0 appears 48 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 004148B4 appears 36 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 00404348 appears 233 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 0040C2CC appears 54 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 004039A8 appears 118 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 00403DD0 appears 40 times
                      Source: C:\Users\user\Desktop\PI.exeCode function: String function: 0040695C appears 42 times
                      Source: PI.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: PI.exe, 00000000.00000002.681442399.00000000027E5000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
                      Source: PI.exe, 00000000.00000002.681052578.0000000002370000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PI.exe
                      Source: PI.exeBinary or memory string: OriginalFilename vs PI.exe
                      Source: PI.exe, 00000002.00000002.941812642.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
                      Source: PI.exe, 00000002.00000002.944407117.00000000058A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs PI.exe
                      Source: PI.exe, 00000002.00000002.944104826.0000000005210000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs PI.exe
                      Source: PI.exe, 00000003.00000002.707407270.0000000002330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PI.exe
                      Source: PI.exe, 00000005.00000002.708291240.0000000002836000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
                      Source: PI.exe, 00000005.00000002.708009088.0000000002470000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PI.exe
                      Source: PI.exeBinary or memory string: OriginalFilename vs PI.exe
                      Source: PI.exe, 00000007.00000002.706572619.0000000000B42000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs PI.exe
                      Source: 0.2.PI.exe.2770000.3.unpack, gtu.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.PI.exe.2770000.3.unpack, gtu.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 0.2.PI.exe.2770000.3.unpack, gtu.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 0.2.PI.exe.2770000.3.unpack, DPAPI.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.PI.exe.2770000.3.unpack, DPAPI.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.PI.exe.21e0000.2.unpack, gtu.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 2.2.PI.exe.21e0000.2.unpack, gtu.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: 2.2.PI.exe.21e0000.2.unpack, gtu.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/2@1/2
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00420A54 GetLastError,FormatMessageA,0_2_00420A54
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0233B1E6 AdjustTokenPrivileges,2_2_0233B1E6
                      Source: C:\Users\user\Desktop\PI.exeCode function: 2_2_0233B1AF AdjustTokenPrivileges,2_2_0233B1AF
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00408B5E GetDiskFreeSpaceA,0_2_00408B5E
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004171B0 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_004171B0
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbsJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs'
                      Source: C:\Users\user\Desktop\PI.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: PI.exeReversingLabs: Detection: 52%
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs'
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exeJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 5152 5197828Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exeJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe' 2 6728 5209890Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior

                      Data Obfuscation:

                      barindex
                      Detected unpacking (changes PE section rights)Show sources
                      Source: C:\Users\user\Desktop\PI.exeUnpacked PE file: 2.2.PI.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\PI.exeUnpacked PE file: 2.2.PI.exe.2250000.3.unpack
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\PI.exeUnpacked PE file: 2.2.PI.exe.400000.0.unpack
                      .NET source code contains potential unpackerShow sources
                      Source: 0.2.PI.exe.2770000.3.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.PI.exe.21e0000.2.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.PI.exe.2250000.3.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 2.2.PI.exe.400000.0.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.PI.exe.bb0000.3.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.PI.exe.b40000.2.unpack, gtu.cs.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00440918 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00440918
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00440F64 push 00440FF1h; ret 0_2_00440FE9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040C076 push 0040C0E7h; ret 0_2_0040C0DF
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040C078 push 0040C0E7h; ret 0_2_0040C0DF
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040C156 push 0040C184h; ret 0_2_0040C17C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040C158 push 0040C184h; ret 0_2_0040C17C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004421E4 push ecx; mov dword ptr [esp], edx0_2_004421E8
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004101F0 push 004103F1h; ret 0_2_004103E9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0041018C push 004101EDh; ret 0_2_004101E5
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004642CC push 004642F8h; ret 0_2_004642F0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004103F4 push 00410538h; ret 0_2_00410530
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004264A8 push 00426578h; ret 0_2_00426570
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0041050C push 00410538h; ret 0_2_00410530
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0044251C push 00442548h; ret 0_2_00442540
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040659E push 004065F1h; ret 0_2_004065E9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004065A0 push 004065F1h; ret 0_2_004065E9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00460674 push 004606A0h; ret 0_2_00460698
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004306D0 push 0043073Ah; ret 0_2_00430732
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0041C680 push ecx; mov dword ptr [esp], edx0_2_0041C685
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00426688 push 004266B4h; ret 0_2_004266AC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00406770 push 0040679Ch; ret 0_2_00406794
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0043073C push 004307A6h; ret 0_2_0043079E
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0040682C push 00406858h; ret 0_2_00406850
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00426940 push 0042696Ch; ret 0_2_00426964
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0041A914 push ecx; mov dword ptr [esp], edx0_2_0041A916
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0045691C push 00456976h; ret 0_2_0045696E
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_004289CC push 004289F8h; ret 0_2_004289F0
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00428980 push 004289C1h; ret 0_2_004289B9
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00428A04 push 00428A3Ch; ret 0_2_00428A34
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00456B34 push ecx; mov dword ptr [esp], edx0_2_00456B39
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00412BE4 push ecx; mov dword ptr [esp], eax0_2_00412BE5
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0042EBF4 push 0042EC20h; ret 0_2_0042EC18

                      Boot Survival:

                      barindex
                      Drops VBS files to the startup folderShow sources
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbs
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbsJump to dropped file
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbsJump to behavior
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbsJump to behavior
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STRATUP.vbsJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00454858
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043C504
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0043B378 IsIconic,GetCapture,0_2_0043B378
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00427394
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_0045194C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043BC20
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,3_2_00454858
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,3_2_0043C504
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,3_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,3_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0043B378 IsIconic,GetCapture,3_2_0043B378
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,3_2_00427394
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,3_2_0045194C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,3_2_0043BC20
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00454858 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,5_2_00454858
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0043C504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,5_2_0043C504
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00454F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,5_2_00454F4C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00454FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,5_2_00454FFC
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0043B378 IsIconic,GetCapture,5_2_0043B378
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_00427394 IsIconic,GetWindowPlacement,GetWindowRect,5_2_00427394
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0045194C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,5_2_0045194C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0043BC20 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,5_2_0043BC20
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_00440918 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00440918
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Contains functionality to detect sleep reduction / modificationsShow sources
                      Source: C:\Users\user\Desktop\PI.exeCode function: 0_2_0043061C0_2_0043061C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 3_2_0043061C3_2_0043061C
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0043061C5_2_0043061C
                      Delayed program exit foundShow sources
                      Source: C:\Windows\SysWOW64\notepad.exeCode function: 1_2_032305C0 Sleep,ExitProcess,1_2_032305C0
                      Source: C:\Windows\SysWOW64\notepad.exeCode function: 6_2_00CB05C0 Sleep,ExitProcess,6_2_00CB05C0
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\PI.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_00453E2C
                      Source: C:\Users\user\Desktop\PI.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,3_2_00453E2C
                      Source: C:\Users\user\Desktop\PI.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,5_2_00453E2C
                      Source: C:\Users\user\Desktop\PI.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeCode function: 5_2_0043061C5_2_0043061C
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -120000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -118624s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -88641s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -88359s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -117440s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -87330s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -115624s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -115188s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -56906s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -113440s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -113000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -83718s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -111188s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\PI.exe TID: 6912Thread sleep time: -110812s >= -30000s