
Analysis Report RFQ0723272983.exe

Overview

General Information

Sample Name: RFQ0723272983.exe
MD5: 558f002df267284bbc8141146e3d5f26
SHA1: 9d136fca00d3451077bceaf8c5039f4d33465340
SHA256: c3da3a9487da78db1490c1aee12eb806925363678188034dabc1983c27d6eac4

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM autoit script
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • RFQ0723272983.exe (PID: 2436 cmdline: 'C:\Users\user\Desktop\RFQ0723272983.exe' MD5: 558F002DF267284BBC8141146E3D5F26)
    • jjgdxemns.pif (PID: 2916 cmdline: 'C:\99353652\jjgdxemns.pif' tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
      • RegSvcs.exe (PID: 3196 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 4912 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 4612 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 5184 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 6128 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • jjgdxemns.pif (PID: 6060 cmdline: 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek MD5: 8939087523C8C4815680F11D1A29A2BF)
    • RegSvcs.exe (PID: 3488 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "avLbEGbIygj", "URL: ": "https://gPqeS3FV3r6l.com", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "F6pSb4Ylny4B", "From: ": "icohen@2800sunrise.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.865818878.0000000004B1C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000003.809290675.0000000004F91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000003.944959034.000000000441C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000003.814130971.00000000050C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000003.947285968.0000000004307000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 76 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.a30000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
10.2.RegSvcs.exe.990000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
14.2.RegSvcs.exe.710000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
12.2.RegSvcs.exe.d00000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: RegSvcs.exe.3488.14.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "avLbEGbIygj", "URL: ": "https://gPqeS3FV3r6l.com", "To: ": "murad@rababholdings.com", "ByHost: ": "smtpout.secureserver.net:5878", "Password: ": "F6pSb4Ylny4B", "From: ": "icohen@2800sunrise.net"}
Multi AV Scanner detection for dropped file
Source: C:\99353652\jjgdxemns.pif; Virustotal: Detection: 56%
Source: C:\99353652\jjgdxemns.pif; Metadefender: Detection: 21%
Source: C:\99353652\jjgdxemns.pif; ReversingLabs: Detection: 56%
Multi AV Scanner detection for submitted file
Source: RFQ0723272983.exe; Virustotal: Detection: 43%
Source: RFQ0723272983.exe; ReversingLabs: Detection: 50%
Source: 3.2.RegSvcs.exe.a30000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 10.2.RegSvcs.exe.990000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 14.2.RegSvcs.exe.710000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 12.2.RegSvcs.exe.d00000.1.unpack; Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\RFQ0723272983.exe; Code function: 0_2_00CFA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\RFQ0723272983.exe; Code function: 0_2_00D17D69 FindFirstFileExA
Source: C:\Users\user\Desktop\RFQ0723272983.exe; Code function: 0_2_00D0A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0084399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0085BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_00862408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0085280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_00888877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0086CAE7 FindFirstFileW,FindNextFileW,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_00841A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0086DE7C FindFirstFileW,FindClose
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0085BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose

Source: global traffic; TCP traffic: 192.168.2.5:49737 -> 173.201.192.101:587
Source: global traffic; TCP traffic: 192.168.2.5:49738 -> 173.201.192.229:587
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_00852285 InternetQueryDataAvailable,InternetReadFile
Source: unknown; DNS traffic detected: queries for: smtpout.secureserver.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Code function: 3_2_0664DC9C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0086A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0087D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_008542E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW
Source: jjgdxemns.pif, 00000002.00000002.826897268.00000000018CA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_0088C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

Source: C:\Users\user\Desktop\RFQ0723272983.exe; Code function: 0_2_00CF7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_00856219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\99353652\jjgdxemns.pif; Code function: 2_2_008433A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06603DFB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0660F9C1
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664AE08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664A340
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066469AF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_066408B8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0664BA80
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_0694B518
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 3_2_06946A90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_013CFB30
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_013CFB1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546F618
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05460040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05467370
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546C3A0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546ED48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05461D1C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05462F20
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05468888
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546FB18
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546EA00
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546775A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_054677CE
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05460031
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05467361
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05461D10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05463C10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05462E91
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546887A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0546FB08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F408
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F880
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FA90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599358C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059975F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059935EA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059924FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05992C0C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059927F5
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05992655
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05993677
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599E9E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05996898
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599287F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F870
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599F3F9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_059923E4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_05993B05
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FB06
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599237E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0599FA81
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C9F38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C45FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4A48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C52C0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C7858
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C6048
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C58F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C40D8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CD970
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C99A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CAE3A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA650
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CAE40
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA640
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CC6EC
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C9F2A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C0F0B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C7F01
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA78C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA7D9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C740C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CBD1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CB5A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CB598
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C0D88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4DFA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C4A38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C52B2
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C42E0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C42CF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA808
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C784A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CC0F0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063C58E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA912
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_063CA9C4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642BAC0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642AFF8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_06420040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_06427090
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_0642C330
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_06420F88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_06420006
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_064BB898
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 10_2_064B6E10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0178FB30
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0178FB1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593F618
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05930040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05937370
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05931D1C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593ED48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05932F20
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05938888
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593FB18
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593EA00
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_059377CE
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593775A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05930027
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593C390
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05937361
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05933C10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05932F10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593887A
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0593FB08
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6F880
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6F3F9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F635EA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6358C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F624FA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F62C0C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F627F5
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F66EC0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F63677
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F62655
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6E9E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6688B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6287F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F623E4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6237E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6FB06
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F63B05
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_05F6FA81
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068952C0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894A48
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06899F38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068994A7
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068940D8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068958F8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06897858
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068919A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068945FB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06896158
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689D970
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06897EAB
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068952B3
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068942CF
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689C6EC
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068942E0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894A38
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689AE3B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689AE40
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A640
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A650
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A78C
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689EB90
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A7D9
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06897F01
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06890F1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06899F2B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068958E8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689C0F0
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A808
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06893002
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689784B
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06890D88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689B598
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689B5A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068999A8
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A9C4
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_06894DFA
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689BD1F
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689A912
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_0689312E
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068FAA10
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F7090
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F0040
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F0F88
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 12_2_068F0007
                    Source: Joe Sandbox View | Dropped File: C:\99353652\jjgdxemns.pif 11D85BDBAE72F2D143952126F2A7D682D9AF166349DE1B024CCA5FCDE7B8B551
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: String function: 00D0CDF0 appears 37 times
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: String function: 00D0CEC0 appears 53 times
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: String function: 00D0D810 appears 31 times
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 06600398 appears 33 times
                    Source: C:\99353652\jjgdxemns.pif | Code function: String function: 00826B90 appears 39 times
                    Source: C:\99353652\jjgdxemns.pif | Code function: String function: 008559E6 appears 65 times
                    Source: C:\99353652\jjgdxemns.pif | Code function: String function: 008214F7 appears 36 times
                    Source: jjgdxemns.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: RFQ0723272983.exe, 00000000.00000002.792411041.00000000038F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792411041.00000000038F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.790729849.0000000001730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792549218.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792441230.0000000003910000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000002.792101276.00000000037F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RFQ0723272983.exe
                    Source: RFQ0723272983.exe, 00000000.00000003.774584061.0000000005675000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCALC.EXElJ vs RFQ0723272983.exe
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Section loaded: dxgidebug.dll
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/69@4/2
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0085AEE3 GetLastError,FormatMessageW,
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_008433A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_00874AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0086D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0088557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0087E0F6 CoInitialize,CoCreateInstance,CoUninitialize,
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: 0_2_00D08BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
                    Source: C:\99353652\jjgdxemns.pif | File created: C:\Users\user\temp\lvgstr.cpl
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Command line argument: sfxname
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Command line argument: sfxstime
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Command line argument: STARTDLG
                    Source: RFQ0723272983.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: RFQ0723272983.exe | Virustotal: Detection: 43%
                    Source: RFQ0723272983.exe | ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | File read: C:\Users\user\Desktop\RFQ0723272983.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\RFQ0723272983.exe 'C:\Users\user\Desktop\RFQ0723272983.exe'
                    Source: unknown | Process created: C:\99353652\jjgdxemns.pif 'C:\99353652\jjgdxemns.pif' tblndvbb.vek
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                    Source: unknown | Process created: C:\99353652\jjgdxemns.pif 'C:\99353652\JJGDXE~1.PIF' c:\99353652\tblndvbb.vek
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Process created: C:\99353652\jjgdxemns.pif 'C:\99353652\jjgdxemns.pif' tblndvbb.vek
                    Source: C:\99353652\jjgdxemns.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | File written: C:\99353652\enxlqri.ini
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: RFQ0723272983.exe | Static file information: File size 1207608 > 1048576
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: RFQ0723272983.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: RFQ0723272983.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: RFQ0723272983.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RFQ0723272983.exe
                    Source: Binary string: RegSvcs.pdb, source: jjgdxemns.pif, 00000002.00000003.825392635.00000000018FE000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000000.813870941.0000000000662000.00000002.00020000.sdmp, RegSvcs.exe, 0000000A.00000000.871396741.00000000005C2000.00000002.00020000.sdmp, RegSvcs.exe, 0000000C.00000000.910303553.0000000000932000.00000002.00020000.sdmp, RegSvcs.exe, 0000000E.00000002.1179755010.0000000000342000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
                    Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1179755010.0000000000342000.00000002.00020000.sdmp, RegSvcs.exe.2.dr
                    Source: RFQ0723272983.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: RFQ0723272983.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: RFQ0723272983.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: RFQ0723272983.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: RFQ0723272983.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0081EE30 LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | File created: C:\99353652\__tmp_rar_sfx_access_check_6485953
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: 0_2_00D0D856 push ecx; ret
                    Source: C:\Users\user\Desktop\RFQ0723272983.exe | Code function: 0_2_00D0CDF0 push eax; ret
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_0083D53C push 740083CFh; iretd
                    Source: C:\99353652\jjgdxemns.pif | Code function: 2_2_00826BD5 push ecx; ret
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_015BC31E push ss; ret
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_015BFF1E push ss; ret
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE55 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE51 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE5D push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE59 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE45 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE4D push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE49 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE75 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE71 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE7D push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE79 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE65 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE61 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE6D push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE69 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE05 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE35 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AE39 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656CE24 push 0000001Ah; ret
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AED5 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AED1 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AEDD push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AEC5 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AEC1 push es; iretd
                    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 3_2_0656AECD push es; iretd

                    Persistence and Installation Behavior: