Analysis Report RFQ0723272983.exe

Overview

General Information

Sample Name:RFQ0723272983.exe
MD5:558f002df267284bbc8141146e3d5f26
SHA1:9d136fca00d3451077bceaf8c5039f4d33465340
SHA256:c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM autoit script
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • RFQ0723272983.exe (PID: 2436 cmdline: 'C:\Users\user\Desktop\RFQ0723272983.exe' MD5: 558F002DF267284BBC8141146E3D5F26)
    • jjgdxemns.pif (PID: 2916 cmdline: 'C:\99353652\jjgdxemns.pif' tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
      • RegSvcs.exe (PID: 3196 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 4912 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 4612 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 5184 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 6128 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 6060 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 3488 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "avLbEGbIygj", "URL: ": "https://gPqeS3FV3r6l.com", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "F6pSb4Ylny4B", "From: ": "icohen@2800sunrise.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.865818878.0000000004B1C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000003.809290675.0000000004F91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000003.944959034.000000000441C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000003.814130971.00000000050C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000003.947285968.0000000004307000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 76 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.a30000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
10.2.RegSvcs.exe.990000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
14.2.RegSvcs.exe.710000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
12.2.RegSvcs.exe.d00000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.3488.14.memstr  Malware Configuration Extractor: Agenttesla {"Username: ": "avLbEGbIygj", "URL: ": "https://gPqeS3FV3r6l.com", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "F6pSb4Ylny4B", "From: ": "icohen@2800sunrise.net"}
Multi AV Scanner detection for dropped file
Source: C:\99353652\jjgdxemns.pif  Virustotal: Detection: 56%
Source: C:\99353652\jjgdxemns.pif  Metadefender: Detection: 21%
Source: C:\99353652\jjgdxemns.pif  ReversingLabs: Detection: 56%
Multi AV Scanner detection for submitted file
Source: RFQ0723272983.exe  Virustotal: Detection: 43%
Source: RFQ0723272983.exe  ReversingLabs: Detection: 50%
Source: 3.2.RegSvcs.exe.a30000.1.unpack  Avira: Label: TR/Spy.Gen8
Source: 10.2.RegSvcs.exe.990000.1.unpack  Avira: Label: TR/Spy.Gen8
Source: 14.2.RegSvcs.exe.710000.1.unpack  Avira: Label: TR/Spy.Gen8
Source: 12.2.RegSvcs.exe.d00000.1.unpack  Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\RFQ0723272983.exe  Code function: 0_2_00CFA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\RFQ0723272983.exe  Code function: 0_2_00D17D69 FindFirstFileExA
Source: C:\Users\user\Desktop\RFQ0723272983.exe  Code function: 0_2_00D0A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0084399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0085BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_00862408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0085280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_00888877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0086CAE7 FindFirstFileW,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_00841A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0086DE7C FindFirstFileW,FindClose
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0085BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose

Source: global traffic  TCP traffic: 192.168.2.5:49737 -> 173.201.192.101:587
Source: global traffic  TCP traffic: 192.168.2.5:49738 -> 173.201.192.229:587
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_00852285 InternetQueryDataAvailable,InternetReadFile
Source: unknown  DNS traffic detected: queries for: smtpout.secureserver.net
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-126.crl0c
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://crl.starfieldtech.com/sfroot.crl0L
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.starfieldtech.com/08
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: RegSvcs.exe, 00000003.00000002.1188345784.0000000002EB0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1187161464.0000000002CE0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1188434131.00000000031E0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1189354552.0000000002D00000.00000004.00000001.sdmp  String found in binary or memory: http://smtpout.secureserver.net
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://www.globalsign.net/repository/0
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://www.globalsign.net/repository/03
Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp, jjgdxemns.pif.0.dr  String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 00000003.00000002.1200734636.0000000006740000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1203954839.00000000067A0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1199406776.0000000006930000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1202190124.0000000006470000.00000004.00000001.sdmp  String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000003.00000002.1188345784.0000000002EB0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.1187161464.0000000002CE0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.1188434131.00000000031E0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.1189354552.0000000002D00000.00000004.00000001.sdmp  String found in binary or memory: https://gPqeS3FV3r6l.c
Source: RegSvcs.exe, 0000000E.00000002.1189354552.0000000002D00000.00000004.00000001.sdmp  String found in binary or memory: https://gPqeS3FV3r6l.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Code function: 3_2_0664DC9C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0086A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0087D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_008542E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW
Source: jjgdxemns.pif, 00000002.00000002.826897268.00000000018CA000.00000004.00000020.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe  Window created: window name: CLIPBRDWNDCLASS
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_0088C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Source: C:\Users\user\Desktop\RFQ0723272983.exe  Code function: 0_2_00CF7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_00856219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\99353652\jjgdxemns.pif  Code function: 2_2_008433A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A3303_2_0660A330
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06606F343_2_06606F34
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A3013_2_0660A301
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066057D83_2_066057D8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660B8473_2_0660B847
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A43A3_2_0660A43A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A4EC3_2_0660A4EC
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660B0C03_2_0660B0C0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066094D03_2_066094D0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660B0D03_2_0660B0D0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066045633_2_06604563
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A9683_2_0660A968
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A1783_2_0660A178
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660A9583_2_0660A958
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066049223_2_06604922
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06604DE83_2_06604DE8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06603DFB3_2_06603DFB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660F9C13_2_0660F9C1
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664AE083_2_0664AE08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664A3403_2_0664A340
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066469AF3_2_066469AF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066408B83_2_066408B8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664BA803_2_0664BA80
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0694B5183_2_0694B518
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06946A903_2_06946A90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_013CFB3010_2_013CFB30
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_013CFB1F10_2_013CFB1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546F61810_2_0546F618
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546004010_2_05460040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546737010_2_05467370
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546C3A010_2_0546C3A0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546ED4810_2_0546ED48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05461D1C10_2_05461D1C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05462F2010_2_05462F20
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546888810_2_05468888
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546FB1810_2_0546FB18
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546EA0010_2_0546EA00
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546775A10_2_0546775A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_054677CE10_2_054677CE
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546003110_2_05460031
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546736110_2_05467361
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05461D1010_2_05461D10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05463C1010_2_05463C10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05462E9110_2_05462E91
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546887A10_2_0546887A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546FB0810_2_0546FB08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F40810_2_0599F408
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F88010_2_0599F880
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FA9010_2_0599FA90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599358C10_2_0599358C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059975F810_2_059975F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059935EA10_2_059935EA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059924FA10_2_059924FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05992C0C10_2_05992C0C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059927F510_2_059927F5
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599265510_2_05992655
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599367710_2_05993677
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599E9E810_2_0599E9E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599689810_2_05996898
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599287F10_2_0599287F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F87010_2_0599F870
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F3F910_2_0599F3F9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059923E410_2_059923E4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05993B0510_2_05993B05
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FB0610_2_0599FB06
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599237E10_2_0599237E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FA8110_2_0599FA81
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C9F3810_2_063C9F38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C45FA10_2_063C45FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4A4810_2_063C4A48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C52C010_2_063C52C0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C785810_2_063C7858
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C604810_2_063C6048
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C58F810_2_063C58F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C40D810_2_063C40D8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CD97010_2_063CD970
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C99A810_2_063C99A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CAE3A10_2_063CAE3A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA65010_2_063CA650
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CAE4010_2_063CAE40
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA64010_2_063CA640
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CC6EC10_2_063CC6EC
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C9F2A10_2_063C9F2A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C0F0B10_2_063C0F0B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C7F0110_2_063C7F01
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA78C10_2_063CA78C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA7D910_2_063CA7D9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C740C10_2_063C740C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CBD1F10_2_063CBD1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CB5A810_2_063CB5A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CB59810_2_063CB598
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C0D8810_2_063C0D88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4DFA10_2_063C4DFA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4A3810_2_063C4A38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C52B210_2_063C52B2
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C42E010_2_063C42E0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C42CF10_2_063C42CF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA80810_2_063CA808
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C784A10_2_063C784A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CC0F010_2_063CC0F0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C58E810_2_063C58E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA91210_2_063CA912
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA9C410_2_063CA9C4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642BAC010_2_0642BAC0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642AFF810_2_0642AFF8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642004010_2_06420040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642709010_2_06427090
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642C33010_2_0642C330
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_06420F8810_2_06420F88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642000610_2_06420006
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_064BB89810_2_064BB898
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_064B6E1010_2_064B6E10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0178FB3012_2_0178FB30
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0178FB1F12_2_0178FB1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593F61812_2_0593F618
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593004012_2_05930040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593737012_2_05937370
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05931D1C12_2_05931D1C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593ED4812_2_0593ED48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05932F2012_2_05932F20
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593888812_2_05938888
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593FB1812_2_0593FB18
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593EA0012_2_0593EA00
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_059377CE12_2_059377CE
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593775A12_2_0593775A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593002712_2_05930027
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593C39012_2_0593C390
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593736112_2_05937361
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05933C1012_2_05933C10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05932F1012_2_05932F10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593887A12_2_0593887A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593FB0812_2_0593FB08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6F88012_2_05F6F880
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6F3F912_2_05F6F3F9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F635EA12_2_05F635EA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6358C12_2_05F6358C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F624FA12_2_05F624FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F62C0C12_2_05F62C0C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F627F512_2_05F627F5
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F66EC012_2_05F66EC0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6367712_2_05F63677
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6265512_2_05F62655
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6E9E812_2_05F6E9E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6688B12_2_05F6688B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6287F12_2_05F6287F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F623E412_2_05F623E4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6237E12_2_05F6237E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6FB0612_2_05F6FB06
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F63B0512_2_05F63B05
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6FA8112_2_05F6FA81
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068952C012_2_068952C0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894A4812_2_06894A48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06899F3812_2_06899F38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068994A712_2_068994A7
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068940D812_2_068940D8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068958F812_2_068958F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689785812_2_06897858
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068919A812_2_068919A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068945FB12_2_068945FB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689615812_2_06896158
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689D97012_2_0689D970
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06897EAB12_2_06897EAB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068952B312_2_068952B3
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068942CF12_2_068942CF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689C6EC12_2_0689C6EC
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068942E012_2_068942E0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894A3812_2_06894A38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689AE3B12_2_0689AE3B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689AE4012_2_0689AE40
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A64012_2_0689A640
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A65012_2_0689A650
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A78C12_2_0689A78C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689EB9012_2_0689EB90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A7D912_2_0689A7D9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06897F0112_2_06897F01
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06890F1F12_2_06890F1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06899F2B12_2_06899F2B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068958E812_2_068958E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689C0F012_2_0689C0F0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A80812_2_0689A808
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689300212_2_06893002
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689784B12_2_0689784B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06890D8812_2_06890D88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689B59812_2_0689B598
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689B5A812_2_0689B5A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068999A812_2_068999A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A9C412_2_0689A9C4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894DFA12_2_06894DFA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689BD1F12_2_0689BD1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A91212_2_0689A912
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689312E12_2_0689312E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068FAA1012_2_068FAA10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F709012_2_068F7090
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F004012_2_068F0040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F0F8812_2_068F0F88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F000712_2_068F0007
                    Source: Joe Sandbox ViewDropped File: C:\99353652\jjgdxemns.pif 11D85BDBAE72F2D143952126F2A7D682D9AF166349DE1B024CCA5FCDE7B8B551
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCode function: String function: 00D0CDF0 appears 37 times
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCode function: String function: 00D0CEC0 appears 53 times
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCode function: String function: 00D0D810 appears 31 times
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: String function: 06600398 appears 33 times
                    Source: C:\99353652\jjgdxemns.pifCode function: String function: 00826B90 appears 39 times
                    Source: C:\99353652\jjgdxemns.pifCode function: String function: 008559E6 appears 65 times
                    Source: C:\99353652\jjgdxemns.pifCode function: String function: 008214F7 appears 36 times
                    Source: jjgdxemns.pif.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: jjgdxemns.pif.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: jjgdxemns.pif.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: RFQ0723272983.exe, 00000000.00000002.792411041.00000000038F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792411041.00000000038F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.790729849.0000000001730000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792549218.00000000057E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792441230.0000000003910000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792101276.00000000037F0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCALC.EXElJ vs RFQ0723272983.exe
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeSection loaded: dxgidebug.dllJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@14/69@4/2
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_0085AEE3 GetLastError,FormatMessageW,2_2_0085AEE3
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_008433A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,2_2_008433A3
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_00874AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,2_2_00874AEB
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_0086D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,2_2_0086D606
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_0088557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,2_2_0088557E
                    Source: C:\99353652\jjgdxemns.pifCode function: 2_2_0087E0F6 CoInitialize,CoCreateInstance,CoUninitialize,2_2_0087E0F6
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCode function: 0_2_00D08BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00D08BCF
                    Source: C:\99353652\jjgdxemns.pifFile created: C:\Users\user\temp\lvgstr.cplJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCommand line argument: sfxname0_2_00D0C130
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCommand line argument: sfxstime0_2_00D0C130
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeCommand line argument: STARTDLG0_2_00D0C130
                    Source: RFQ0723272983.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeFile read: C:\Windows\win.iniJump to behavior
                    Source: C:\Users\user\Desktop\RFQ0723272983.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: