
Analysis Report https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g

Overview

General Information

Sample URL: https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected AntiVM autoit script
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc.)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRAR
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5308 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • unarchiver.exe (PID: 4200 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\LPO_121190871.7z' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 4924 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3636 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • LPO_121190871.exe (PID: 6140 cmdline: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe MD5: 8A737357469486EE6D28E3492C1D7530)
        • npivfvdsg.pif (PID: 4352 cmdline: 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox MD5: 8939087523C8C4815680F11D1A29A2BF)
          • RegSvcs.exe (PID: 5420 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "wq9RiZZ", "URL: ": "http://zeIHe8mpB5avaBzd.org", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "mY8B7f1kJA", "From: ": "icohen@2800sunrise.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000003.856349427.0000000004151000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.857016890.0000000004021000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.858797187.0000000003FDC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.859281899.0000000003F97000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.853656459.0000000003F97000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(16 entries in the full report; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.RegSvcs.exe.f00000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.5420.14.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "wq9RiZZ", "URL: ": "http://zeIHe8mpB5avaBzd.org", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "mY8B7f1kJA", "From: ": "icohen@2800sunrise.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | ReversingLabs: Detection: 38%
Source: 14.2.RegSvcs.exe.f00000.1.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002D7D69 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01402408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01428877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140CAE7 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140DE7C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp\52939977\jiffrt.iox
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp\52939977
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData

Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 026A097Fh | 5_2_026A02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 026A097Eh | 5_2_026A02A8

Source: global traffic | TCP traffic: 192.168.2.5:49735 -> 173.201.193.101:587
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F2361 InternetReadFile
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: wget.exe | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000003.785400887.0000000002B45000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl-
Source: wget.exe, 00000003.00000003.785400887.0000000002B45000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-126.crl0c
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: wget.exe | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: wget.exe, 00000003.00000003.785400887.0000000002B45000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crlg
Source: wget.exe | String found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: wget.exe, 00000003.00000003.785400887.0000000002B45000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comc
Source: wget.exe | String found in binary or memory: http://ocsp.msocsp.com
Source: wget.exe, 00000003.00000003.785400887.0000000002B45000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com(
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: http://smtpout.secureserver.net
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: npivfvdsg.pif.10.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1216389710.0000000003655000.00000004.00000001.sdmp | String found in binary or memory: http://zeIHe8mpB5avaBzd.org
Source: cmdline.out.3.dr | String found in binary or memory: https://8e0huw.bl.files.1drv.com/y4mTvF_0CtvQ_Rp8lfdqfRCI5csxAJu9TQTYqu8pvqH5Dt9M64UWlw24dEeNIBluJv9
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: https://8e0huw.bl.files.1drv.com/y4mdualyy7uliP92KXebvdfejomcKxPey8Ws8DcJ3y3eIE3C5d1og-g5mS63WUN8Sut
Source: RegSvcs.exe, 0000000E.00000002.1215636187.0000000003420000.00000004.00000001.sdmp | String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: cmdline.out.3.dr | String found in binary or memory: https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77
Source: wget.exe, wget.exe, 00000003.00000002.786387220.0000000000B68000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%
Source: wget.exe, 00000003.00000002.785832507.0000000000180000.00000004.00000040.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp, wget.exe, 00000003.00000003.785504685.0000000002BA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS#
Source: wget.exe, 00000003.00000003.782320302.0000000002B89000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: wget.exe, 00000003.00000003.782393926.0000000002BA2000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS2
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS7
Source: wget.exe, 00000003.00000002.788134339.0000000002B8A000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS77

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06A2DC9C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0141D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01406308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW
Source: unarchiver.exe, 00000005.00000002.837074352.0000000000AD0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B51BFA
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B522D8
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4920F
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B51BFA
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B522D8
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4B42D
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B49217
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 5_2_026A02A8
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C5983
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B83EB
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BE097
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CE8EC
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C30E5
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002DE8D4
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B31F0
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BD222
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CF200
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BBA6A
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CFA6A
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C2B39
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002D2B68
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002DA350
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C63F1
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BDC32
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BECE9
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C5DB8
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C2DB4
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CEDE8
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CF635
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BD634
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002D9EA0
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B5E83
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B2759
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C4FB4
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002B3F95
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013B35F0
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013B98F0
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C2136
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013CA137
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FF3A6
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013D427D
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C2508
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F655F
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013B98F0
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013BF730
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C3721
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C1903
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013D088F
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C28F0
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013CC8CE
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013D3BA1
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142EA2B
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FEAD5
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F2D2D
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C1D98
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013D0DE0
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013D1F2C
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F4EB7
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FCE8D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_016FFB30
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_016FFB1F
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A3E6C8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A38168
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A30040
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A37370
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A3F2E0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A31D1C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A32F20
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A3EA10
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A377CE
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A3775A
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A38159
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A30007
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A3C3D3
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A37361
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A33C10
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_05A32ED0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694F6D8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06940EC8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06946E30
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_069460C0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694F050
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06946847
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06942E9F
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694F6D5
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06942E10
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06941E3D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06941FE7
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694F74E
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06941CDA
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06942418
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_06942DB0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06940EC814_2_06940EC8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06941BBE14_2_06941BBE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_0694F04014_2_0694F040
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_0694207314_2_06942073
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069429B914_2_069429B9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E3E0814_2_069E3E08
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E9A6014_2_069E9A60
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E738014_2_069E7380
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E8FA914_2_069E8FA9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E5C8014_2_069E5C80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069ED8A014_2_069ED8A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E0CC014_2_069E0CC0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E582014_2_069E5820
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EF9D014_2_069EF9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E457014_2_069E4570
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA2B414_2_069EA2B4
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EEAC114_2_069EEAC1
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EC61C14_2_069EC61C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E7A0B14_2_069E7A0B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E9A5614_2_069E9A56
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E0E4314_2_069E0E43
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA30114_2_069EA301
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E6F3414_2_069E6F34
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA33014_2_069EA330
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E737114_2_069E7371
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB0D014_2_069EB0D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E94D014_2_069E94D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB0C014_2_069EB0C0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA4EC14_2_069EA4EC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E580214_2_069E5802
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA43A14_2_069EA43A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB84714_2_069EB847
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EF9C114_2_069EF9C1
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E3DFA14_2_069E3DFA
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E4DE814_2_069E4DE8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E492214_2_069E4922
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA95814_2_069EA958
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA17814_2_069EA178
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA17214_2_069EA172
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA96814_2_069EA968
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E456214_2_069E4562
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2AE0814_2_06A2AE08
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A269AF14_2_06A269AF
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2A34014_2_06A2A340
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A208B814_2_06A208B8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2BA8014_2_06A2BA80
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CCDF0 appears 37 times
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CCEC0 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CD810 appears 31 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 069E0398 appears 35 times
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013F59E6 appears 65 times
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013C6B90 appears 39 times
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013C14F7 appears 36 times
              Source: npivfvdsg.pif.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: npivfvdsg.pif.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: npivfvdsg.pif.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: dxgidebug.dll
              Source: classification engine | Classification label: mal100.troj.spyw.evad.win@17/83@3/1
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01414AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0141E0F6 CoInitialize,CoCreateInstance,CoUninitialize
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C8BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
              Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
              Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\yc0jpuy5.i1l
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: *x0 | 10_2_002CC130
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: *a/ | 10_2_002CC130
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: sfxname | 10_2_002CC130
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: sfxstime | 10_2_002CC130
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: STARTDLG | 10_2_002CC130
              Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File read: C:\Windows\win.ini
              Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' > cmdline.out 2>&1
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g'
              Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
              Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g'
              Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
              Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Process created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File written: C:\Users\user\AppData\Local\Temp\52939977\feslpcm.ini
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: LPO_121190871.exe, 0000000A.00000002.832775259.00000000002E0000.00000002.00020000.sdmp, LPO_121190871.exe.6.dr
              Source: Binary string: RegSvcs.pdb, source: npivfvdsg.pif, 0000000B.00000003.869139128.0000000000D9C000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1213485416.0000000000B02000.00000002.00020000.sdmp, RegSvcs.exe.11.dr
              Source: Binary string: RegSvcs.pdb source: npivfvdsg.pif, 0000000B.00000003.869139128.0000000000D9C000.00000004.00000001.sdmp, RegSvcs.exe, RegSvcs.exe.11.dr

              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013BEE30 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File created: C:\Users\user\AppData\Local\Temp\52939977\__tmp_rar_sfx_access_check_5423265
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4D0E0 pushad ; retn 0078h | 3_3_02B4D2E5
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4D2E8 pushad ; retn 0078h | 3_3_02B4D2E5
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4B411 push eax; ret | 3_3_02B4B429
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6D4A0 pushad ; iretd | 3_2_00B6D4A1
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6D003 pushad ; iretd | 3_2_00B6D015
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6B7E8 push eax; ret | 3_2_00B6B7E9
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D289 pushad ; retn 0078h | 3_2_02B4D2E5
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D2E8 pushfd ; retn 0000h | 3_2_02B4D313
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D1C1 pushad ; retn 0078h | 3_2_02B4D1C5
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B56230 push FFFFFFBBh; retf | 3_2_02B56232
              Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4B411 push eax; ret | 3_2_02B4B429
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D098FA push 51000000h; ret | 6_2_02D09919
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0D8FA push esi; retf | 6_2_02D0D921
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0CFE7 push eax; retf | 6_2_02D0D005
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D099ED push 4D000000h; ret | 6_2_02D099F9
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0B985 push 106DA769h; retf | 6_2_02D0B995
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0DB8A push es; retf | 6_2_02D0DBA1
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0CA70 pushad ; retf | 6_2_02D0CA71
              Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0991A push edi; ret | 6_2_02D09929
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CD856 push ecx; ret | 10_2_002CD869
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CCDF0 push eax; ret | 10_2_002CCE0E
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C6BD5 push ecx; ret | 11_2_013C6BE8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE95 push es; iretd | 14_2_0694AE98
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE91 push es; iretd | 14_2_0694AE94
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE9D push es; iretd | 14_2_0694AEA0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE99 push es; iretd | 14_2_0694AE9C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE85 push es; iretd | 14_2_0694AE88
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE81 push es; iretd | 14_2_0694AE84
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE8D push es; iretd | 14_2_0694AE90
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE89 push es; iretd | 14_2_0694AE8C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AEB5 push es; iretd | 14_2_0694AEB8

              Persistence and Installation Behavior:

              Drops PE files with a suspicious file extension
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif
              Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
              Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess info