Analysis Report https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g

Overview

General Information

Sample URL: https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected AntiVM autoit script
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5308 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • unarchiver.exe (PID: 4200 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\LPO_121190871.7z' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 4924 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3636 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • LPO_121190871.exe (PID: 6140 cmdline: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe MD5: 8A737357469486EE6D28E3492C1D7530)
        • npivfvdsg.pif (PID: 4352 cmdline: 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox MD5: 8939087523C8C4815680F11D1A29A2BF)
          • RegSvcs.exe (PID: 5420 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "wq9RiZZ", "URL: ": "http://zeIHe8mpB5avaBzd.org", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "mY8B7f1kJA", "From: ": "icohen@2800sunrise.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000003.856349427.0000000004151000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.857016890.0000000004021000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.858797187.0000000003FDC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.859281899.0000000003F97000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000003.853656459.0000000003F97000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.RegSvcs.exe.f00000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.5420.14.memstr  Malware Configuration Extractor: Agenttesla {"Username: ": "wq9RiZZ", "URL: ": "http://zeIHe8mpB5avaBzd.org", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "mY8B7f1kJA", "From: ": "icohen@2800sunrise.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  ReversingLabs: Detection: 38%
Source: 14.2.RegSvcs.exe.f00000.1.unpack  Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe  Code function: 10_2_002BA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe  Code function: 10_2_002CA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe  Code function: 10_2_002D7D69 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013E399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013FBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_01402408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013F280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_01428877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013E1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_0140CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013FBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_0140DE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user\AppData\Local\Temp\52939977\jiffrt.iox
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user\AppData\Local\Temp\52939977
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  File opened: C:\Users\user\AppData

Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 026A097Fh
Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 026A097Eh

Source: global traffic  TCP traffic: 192.168.2.5:49735 -> 173.201.193.101:587
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013F2361 InternetReadFile,
Source: unknown  DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Code function: 14_2_06A2DC9C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_0140A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_0141D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_01406308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,
Source: unarchiver.exe, 00000005.00000002.837074352.0000000000AD0000.00000004.00000020.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_0142C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe  Code function: 10_2_002B7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013F6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif  Code function: 11_2_013E33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EC61C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E7A0B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E9A56
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E0E43
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA301
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E6F34
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA330
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E7371
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB0D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E94D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB0C0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA4EC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E5802
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA43A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EB847
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EF9C1
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E3DFA
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E4DE8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E4922
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA958
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA178
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA172
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069EA968
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_069E4562
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2AE08
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A269AF
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2A340
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A208B8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_06A2BA80
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CCDF0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CCEC0 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: String function: 002CD810 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 069E0398 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013F59E6 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013C6B90 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: String function: 013C14F7 appears 36 times
Source: npivfvdsg.pif.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Section loaded: dxgidebug.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.win@17/83@3/1
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01414AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0141E0F6 CoInitialize,CoCreateInstance,CoUninitialize,
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002C8BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\yc0jpuy5.i1l
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: *x0
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: *a/
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: sfxname
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: sfxstime
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Command line argument: STARTDLG
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File read: C:\Windows\win.ini
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g'
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://onedrive.live.com/download?cid=BCE0D307A6632A77&resid=BCE0D307A6632A77%21114&authkey=APAWjPF_jjXfX4g'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk' 'C:\Users\user\Desktop\download\LPO_121190871.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Process created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif 'C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif' jiffrt.iox
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File written: C:\Users\user\AppData\Local\Temp\52939977\feslpcm.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: LPO_121190871.exe, 0000000A.00000002.832775259.00000000002E0000.00000002.00020000.sdmp, LPO_121190871.exe.6.dr
Source: Binary string: RegSvcs.pdb, | source: npivfvdsg.pif, 0000000B.00000003.869139128.0000000000D9C000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1213485416.0000000000B02000.00000002.00020000.sdmp, RegSvcs.exe.11.dr
Source: Binary string: RegSvcs.pdb | source: npivfvdsg.pif, 0000000B.00000003.869139128.0000000000D9C000.00000004.00000001.sdmp, RegSvcs.exe, RegSvcs.exe.11.dr

Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013BEE30 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File created: C:\Users\user\AppData\Local\Temp\52939977\__tmp_rar_sfx_access_check_5423265
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4D0E0 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4D2E8 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02B4B411 push eax; ret
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6D4A0 pushad ; iretd
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6D003 pushad ; iretd
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6B7E8 push eax; ret
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D289 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D2E8 pushfd ; retn 0000h
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4D1C1 pushad ; retn 0078h
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B56230 push FFFFFFBBh; retf
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_02B4B411 push eax; ret
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D098FA push 51000000h; ret
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0D8FA push esi; retf
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0CFE7 push eax; retf
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D099ED push 4D000000h; ret
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0B985 push 106DA769h; retf
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0DB8A push es; retf
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0CA70 pushad ; retf
Source: C:\Windows\SysWOW64\7za.exe | Code function: 6_2_02D0991A push edi; ret
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CD856 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CCDF0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013C6BD5 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE95 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE91 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE9D push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE99 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE85 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE81 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE8D push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AE89 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 14_2_0694AEB5 push es; iretd

              Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | File created: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0142A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM autoit scriptShow sources
              Source: Yara matchFile source: Process Memory Space: npivfvdsg.pif PID: 4352, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: threadDelayed 595
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | API coverage: 4.9 %
              Source: C:\Windows\SysWOW64\unarchiver.exe TID: 1664 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif TID: 560 | Thread sleep count: 65 > 30
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif TID: 560 | Thread sleep count: 112 > 30
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002BA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002CA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | Code function: 10_2_002D7D69 FindFirstFileExA,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E399B GetFileAttributesW,FindFirstFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01402408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013F280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_01428877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013E1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140CAE7 FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_013FBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | Code function: 11_2_0140DE7C FindFirstFileW,FindClose,
              Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 5_2_00E6B042 GetSystemInfo,
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp\52939977\jiffrt.iox
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData\Local\Temp\52939977
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user
              Source: C:\Users\user\AppData\Local\Temp\52939977\npivfvdsg.pif | File opened: C:\Users\user\AppData
              Source: RegSvcs.exe, 0000000E.00000002.1218471691.00000000065C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: npivfvdsg.pif, 0000000B.00000003.841927018.0000000000BF1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenc6e
              Source: jiffrt.iox.10.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
              Source: jiffrt.iox.10.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
              Source: npivfvdsg.pif, 0000000B.00000003.868684553.0000000000C06000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
              Source: wget.exe | Binary or memory string: Hyper-V RAW
              Source: npivfvdsg.pif, 0000000B.00000003.868684553.0000000000C06000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then0q
              Source: RegSvcs.exe, 0000000E.00000002.1218471691.00000000065C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: jiffrt.iox.10.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
              Source: npivfvdsg.pif, 0000000B.00000003.867000656.0000000000C1C000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6F
              Source: npivfvdsg.pif, 0000000B.00000003.867000656.0000000000C1C000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe444D6
              Source: wget.exe, 00000003.00000002.786387220.0000000000B68000.00000004.00000020.sdmp, RegSvcs.exe, 0000000E.00000002.1219394051.0000000006B20000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: npivfvdsg.pif, 0000000B.00000003.868684553.0000000000C06000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenlvL
              Source: npivfvdsg.pif, 0000000B.00000003.867000656.0000000000C1C000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe
              Source: npivfvdsg.pif, 0000000B.00000003.868684553.0000000000C06000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareServic
              Source: jiffrt.iox.10.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
              Source: npivfvdsg.pif, 0000000B.00000003.867000656.0000000000C1C000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
              Source: RegSvcs.exe, 0000000E.00000002.1218471691.00000000065C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: npivfvdsg.pif, 0000000B.00000003.868684553.0000000000C06000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VBoxTray.exe") Then
              Source: npivfvdsg.pif, 0000000B.00000003.841927018.0000000000BF1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenlvLL^
              Source: npivfvdsg.pif, 0000000B.00000003.867000656.0000000000C1C000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
              Source: npivfvdsg.pif, 0000000B.00000003.841927018.0000000000BF1000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
              Source: jiffrt.iox.10.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
              Source: RegSvcs.exe, 0000000E.00000002.1218471691.00000000065C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\AppData\Local\Temp\1k4znch2.ulk\LPO_121190871.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information queried: ProcessInformation