
Windows Analysis Report qtjRj8L3Rw

Overview

General Information

Sample Name: qtjRj8L3Rw (renamed file extension from none to exe)
Analysis ID: 1708662
MD5: d90d0f4d6dad402b5d025987030cc87c
SHA1: fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Detection

SysJoker
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected SysJoker
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic
Antivirus detection for dropped file
Writes or reads registry keys via WMI
Encrypted powershell cmdline option found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • qtjRj8L3Rw.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\qtjRj8L3Rw.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
    • powershell.exe (PID: 5848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • igfxCUIService.exe (PID: 4384 cmdline: "C:\ProgramData\SystemData\igfxCUIService.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
      • powershell.exe (PID: 5312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • getmac.exe (PID: 3328 cmdline: C:\Windows\system32\getmac.exe MD5: 6AB605BD2223BFB2E55A466BE9816914)
        • WMIC.exe (PID: 3788 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • powershell.exe (PID: 4704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
qtjRj8L3Rw.exe | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\SystemData\igfxCUIService.exe | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
Process Memory Space: qtjRj8L3Rw.exe PID: 5732 | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.igfxCUIService.exe.d10000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
7.2.igfxCUIService.exe.d10000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
0.2.qtjRj8L3Rw.exe.bd0000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |
0.0.qtjRj8L3Rw.exe.bd0000.0.unpack | JoeSecurity_SysJoker | Yara detected SysJoker | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: qtjRj8L3Rw.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Avira: detection malicious, Label: TR/Redcap.rjsiq
Source: qtjRj8L3Rw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: qtjRj8L3Rw.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4B17F FindFirstFileExW
Source: powershell.exe, 00000003.00000003.610253378.0000000002A0D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu2
Source: igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Found detection on Joe Sandbox Cloud Basic
Source: qtjRj8L3Rw | Joe Sandbox Cloud Basic: Detection: malicious Score: 92
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (8 identical entries)
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\SystemData\igfxCUIService.exe
Source: qtjRj8L3Rw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD11F0
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD6820
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C00820
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFE852
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFB99E
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C10192
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD5230
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD6630
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C13660
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C13780
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BFB76C
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C11F1C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D111F0
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D50192
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D15230
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D53660
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D16630
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D53780
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3B76C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D508A9
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3E852
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D16820
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D40820
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D3B99E
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D37960
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4DDCF
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D51F1C
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: String function: 00D351F0 appears 53 times
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: String function: 00BF51F0 appears 48 times
Source: qtjRj8L3Rw.exe, 00000000.00000002.644624889.0000000000C31000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGFXCUISERVICE.EXE^ vs qtjRj8L3Rw.exe
Source: qtjRj8L3Rw.exe | Binary or memory string: OriginalFilenameIGFXCUISERVICE.EXE^ vs qtjRj8L3Rw.exe
Source: Joe Sandbox View | Dropped File: C:\ProgramData\SystemData\igfxCUIService.exe 1FFD6559D21470C40DCF9236DA51E5823D7AD58C93502279871C3FE7718C901C
Source: qtjRj8L3Rw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\qtjRj8L3Rw.exe "C:\Users\user\Desktop\qtjRj8L3Rw.exe"
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmv4hq3u.jjj.ps1
Source: temps1.txt.8.dr | Binary string: 5C-22-C6-13-4E-F9 \Device\Tcpip_{B8652DFC-E1F5-449D-BAE4-BFF4128DE918}
Source: classification engine | Classification label: mal88.troj.evad.winEXE@16/11@0/0
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BDEC90 CoInitialize,CoCreateInstance
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_01
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD3FB0 LoadResource,LockResource,SizeofResource
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qtjRj8L3Rw.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: qtjRj8L3Rw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qtjRj8L3Rw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C15E0B push ecx; ret 0_2_00C15E1E
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D35234 push ecx; ret 7_2_00D35246
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D55E0B push ecx; ret 7_2_00D55E1E
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D360A8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\qtjRj8L3Rw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe TID: 5736 | Thread sleep time: -30987s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5352 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -30792s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -30908s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 4112 | Thread sleep time: -32018s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4520 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1065
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1857
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2595
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5118
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | API coverage: 8.8 %
Source: C:\ProgramData\SystemData\igfxCUIService.exe | API coverage: 8.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4B17F FindFirstFileExW
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Thread delayed: delay time: 30987
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30792
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30908
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32018
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C01195 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BD40F0 GetProcessHeap, __Init_thread_footer, __Init_thread_footer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C02B5D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00C0AF0E mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D42B5D mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D4AF0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BF4DD5 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe | Code function: 0_2_00BF46CB SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D34F68 SetUnhandledExceptionFilter
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D41195 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D346CB SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 7_2_00D34DD5 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

                        HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Process created: Base64 decoded [B> j^6jm&Z"}+"qfyRzmb'rb}#6i,jzjlm
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Note on this signature: the "Base64 decoded" row is the sandbox force-decoding a command line that is not base64, which is why the result is unprintable. None of the three observed PowerShell command lines uses -EncodedCommand; they are plaintext and are worth reading as host fingerprinting: the dropped binary writes the current user name, the MAC addresses (getmac) and the physical-disk serial number (WMIC) to tempu.txt, temps1.txt and temps2.txt under C:\ProgramData\SystemData. The image path is under SysWOW64 while the command line names System32 because the parent is a 32-bit process and WOW64 file system redirection maps System32 to SysWOW64; the 32-bit PowerShell host is what actually ran.

Process creation chain recorded in this section:
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp -- Binary or memory string: Shell_TrayWnd
Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp -- Binary or memory string: Progman
Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp -- Binary or memory string: .Program ManagerQEIA
Source: igfxCUIService.exe, 00000007.00000002.829078812.0000000001430000.00000002.00020000.sdmp -- Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information (66 rows in the report, collapsed here; the number of occurrences follows each path):
C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll (6)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll (6)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll (3)
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (6)
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (6)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll (2)
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (6)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll (2)
C:\ (2)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll (1)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll (2)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll (1)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (1)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll (1)
These are the .NET runtime and PowerShell assemblies loaded by powershell.exe itself, plus a Windows component catalog file and the system volume; the sample's own activity is in the command lines above, not in these rows.
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: GetLocaleInfoW (0_2_00C098B8)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (0_2_00C0EAAA)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: EnumSystemLocalesW (0_2_00C09396)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW (0_2_00C0E31E)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW (0_2_00C0EC7F)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: EnumSystemLocalesW (0_2_00C0E5C0)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: EnumSystemLocalesW (0_2_00C0E6A6)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: EnumSystemLocalesW (0_2_00C0E60B)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: EnumSystemLocalesW (7_2_00D49396)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetACP,IsValidCodePage,GetLocaleInfoW (7_2_00D4E31E)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: EnumSystemLocalesW (7_2_00D4E5C0)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: EnumSystemLocalesW (7_2_00D4E6A6)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: EnumSystemLocalesW (7_2_00D4E60B)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW (7_2_00D4E731)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetLocaleInfoW (7_2_00D498B8)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetLocaleInfoW (7_2_00D4E984)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (7_2_00D4EAAA)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetLocaleInfoW (7_2_00D4EBB0)
Source: C:\ProgramData\SystemData\igfxCUIService.exe -- Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW (7_2_00D4EC7F)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: cpuid (0_2_00BF5007)
Source: C:\Users\user\Desktop\qtjRj8L3Rw.exe -- Code function: GetSystemTimeAsFileTime (0_2_00C098F7)
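The process-creation rows in this section describe a short, very recognisable chain: PowerShell copies the sample into C:\ProgramData\SystemData under a graphics-driver-like name, the copy is executed, and it then uses PowerShell to write the user name, MAC addresses and disk serial number into temp files in the same directory. The following is an added example, not code from the Joe Sandbox report or from the SysJoker sample, showing how a responder might run that chain as detection logic over process-creation events. The event schema (parent, image, cmdline) is assumed, the sample events are constructed to mirror the rows above (the parent of the first event is assumed, the report does not name it), and the encoded-command helper shows the check that the sandbox's "Base64 decoded" row skipped: only accept strict base64 that decodes as UTF-16LE.

```python
"""Process-chain triage for the behaviour listed above.
Added example, not code from the Joe Sandbox report or the SysJoker sample:
the event schema is assumed and the events below are constructed."""
import base64
import re
from dataclasses import dataclass

# Directory the sample copies itself into and writes its temp files to.
STAGING_DIR = r"c:\programdata\systemdata"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_OPT = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str  # full command line


def decode_encoded_command(cmdline):
    """Script behind -EncodedCommand, or None when there is no valid one.
    Forcing base64 on plaintext, as the report's 'Base64 decoded' row does,
    yields unprintable bytes; require strict base64 and clean UTF-16LE."""
    m = ENC_OPT.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flags_for(ev):
    """Indicator names raised by one event; each maps to a row of the report."""
    parent, img, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    is_ps = img.endswith("\\powershell.exe")
    flags = set()
    # 'Powershell drops PE file': a copy into the staging directory.
    if is_ps and re.search(r"\bcopy\b", cmd) and STAGING_DIR in cmd:
        flags.add("ps_copy_to_staging_dir")
    # Host fingerprinting written to temp files in the staging directory.
    if is_ps and "out-file" in cmd and STAGING_DIR in cmd:
        if "getmac" in cmd or "win32_physicalmedia" in cmd:
            flags.add("ps_hw_fingerprint_to_file")
        if "$env:username" in cmd:
            flags.add("ps_username_to_file")
    # The dropped binary: a graphics-driver-like name run from ProgramData.
    if img == STAGING_DIR + "\\igfxcuiservice.exe":
        flags.add("igfxcuiservice_from_programdata")
    # getmac / WMIC spawned by PowerShell, as in the report's process tree.
    if parent.endswith("\\powershell.exe") and (
        img.endswith("\\getmac.exe") or img.endswith("\\wmic.exe")
    ):
        flags.add("recon_child_of_powershell")
    if decode_encoded_command(ev.cmdline) is not None:
        flags.add("ps_encoded_command")
    return flags


def triage(events):
    """(index, sorted flags) for every event that raised at least one flag."""
    return [(i, sorted(flags_for(e))) for i, e in enumerate(events) if flags_for(e)]


def chain_matched(events):
    """True when the copy, the dropped binary's execution and at least one
    fingerprint-to-file step are all present: the chain this report shows."""
    seen = set().union(*(flags_for(e) for e in events))
    needed = {"ps_copy_to_staging_dir", "igfxcuiservice_from_programdata"}
    return needed <= seen and bool(seen & {"ps_hw_fingerprint_to_file", "ps_username_to_file"})


def ps(args):
    """Command line of powershell.exe launched with the given arguments."""
    return '"' + PS_PATH + '" ' + args


SAMPLE_PATH = r"C:\Users\user\Desktop\qtjRj8L3Rw.exe"
DROPPED = r"C:\ProgramData\SystemData\igfxCUIService.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()

# Constructed events: command lines follow the report's rows; the parent of
# the first event (explorer.exe) is assumed, the report does not name it.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(SAMPLE_PATH, PS_IMAGE, ps("copy '" + SAMPLE_PATH + "' '" + DROPPED + "'")),
    ProcEvent(SAMPLE_PATH, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(DROPPED, PS_IMAGE, ps(r"$env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'")),
    ProcEvent(DROPPED, PS_IMAGE, ps(r"getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; "
                                    r"wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'")),
    ProcEvent(PS_IMAGE, r"C:\Windows\SysWOW64\getmac.exe", r"C:\Windows\system32\getmac.exe"),
    ProcEvent(PS_IMAGE, r"C:\Windows\SysWOW64\wbem\WMIC.exe", r'"C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber'),
]
# Controls (constructed): a benign Out-File elsewhere, and a genuine -enc payload.
CONTROL_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS_IMAGE, ps(r"Get-Process | Out-File 'C:\Users\user\Documents\procs.txt'")),
    ProcEvent(r"C:\Windows\explorer.exe", PS_IMAGE, ps("-enc " + ENCODED)),
]

if __name__ == "__main__":
    for index, flags in triage(SAMPLE_EVENTS + CONTROL_EVENTS):
        print(index, ", ".join(flags))
    print("chain matched:", chain_matched(SAMPLE_EVENTS))
```

The individual flags are deliberately narrow (a PowerShell Out-File outside the staging directory raises nothing), and chain_matched only fires when the copy, the execution of the dropped binary and a fingerprint-to-file step all appear, which keeps a single getmac or WMIC invocation from paging anyone. Feeding it real data means mapping your process-creation source (Sysmon event 1, EDR telemetry) onto the three ProcEvent fields.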

                        Stealing of Sensitive Information:

                        barindex
Yara detected SysJoker
Source: Yara match -- File source: qtjRj8L3Rw.exe, type: SAMPLE
Source: Yara match -- File source: 7.0.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 7.2.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: qtjRj8L3Rw.exe PID: 5732, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: igfxCUIService.exe PID: 4384, type: MEMORYSTR
Source: Yara match -- File source: C:\ProgramData\SystemData\igfxCUIService.exe, type: DROPPED

                        Remote Access Functionality:

                        barindex
Yara detected SysJoker
Source: Yara match -- File source: qtjRj8L3Rw.exe, type: SAMPLE
Source: Yara match -- File source: 7.0.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 7.2.igfxCUIService.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.qtjRj8L3Rw.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: qtjRj8L3Rw.exe PID: 5732, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: igfxCUIService.exe PID: 4384, type: MEMORYSTR
Source: Yara match -- File source: C:\ProgramData\SystemData\igfxCUIService.exe, type: DROPPED

Mitre Att&ck Matrix

The matrix was flattened in extraction; it is listed here per tactic column, with the report's trailing digits after technique names kept exactly as they appeared:

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation 2; Command and Scripting Interpreter 1; PowerShell 2; At (Windows); Cron; Launchd; Scheduled Task
Persistence: Application Shimming 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 12; Application Shimming 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 121; Process Injection 12; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 2; Steganography; Compile After Delivery
Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery 1; Security Software Discovery 12; Process Discovery 2; Virtualization/Sandbox Evasion 121; Application Window Discovery 1; File and Directory Discovery 2; System Information Discovery 32
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                        Behavior Graph

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1708662 | Sample: qtjRj8L3Rw | Start date: 12/01/2022 | Architecture: WINDOWS | Score: 88

Process tree reconstructed from the graph (the numbers after process names are the graph's per-node counters from the legend, kept as they appeared):

qtjRj8L3Rw.exe (5)
    Signatures: Antivirus / Scanner detection for submitted sample; Yara detected SysJoker; Found detection on Joe Sandbox Cloud Basic
    +-- powershell.exe (13)
    |     Dropped: C:\ProgramData\...\igfxCUIService.exe (PE32); C:\...\igfxCUIService.exe:Zone.Identifier (ASCII)
    |     Signatures: Powershell drops PE file
    |     +-- conhost.exe
    +-- igfxCUIService.exe (2)
          Signatures: Antivirus detection for dropped file; Encrypted powershell cmdline option found
          +-- powershell.exe (16)
          |     +-- getmac.exe (1)
          |     |     Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
          |     +-- WMIC.exe (1)
          |     +-- conhost.exe
          +-- powershell.exe (1)
                +-- conhost.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
qtjRj8L3Rw.exe | 100% | Avira | TR/Redcap.rjsiq

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\SystemData\igfxCUIService.exe | 100% | Avira | TR/Redcap.rjsiq

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches

URLs: No Antivirus matches

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu2 | igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | false | (none) | high
https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu | igfxCUIService.exe, 00000007.00000002.825495321.0000000000B8A000.00000004.00000020.sdmp | false | (none) | high

Both entries were found in the memory of the dropped binary only; the run recorded no contacted domains or IPs, so the Google Drive URL is an indicator to hunt for in proxy and DNS logs rather than traffic observed in this analysis.

                            Contacted IPs

                            No contacted IP infos

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:1708662
                            Start date:12.01.2022
                            Start time:14:10:56
                            Joe Sandbox Product:Cloud
                            Overall analysis duration:0h 9m 39s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:qtjRj8L3Rw (renamed file extension from none to exe)
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10x64 version 1803 (IE 11.1, Chrome 67, Firefox 61, Adobe Reader DC 18, Java 8 Update 171)
                            Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal88.troj.evad.winEXE@16/11@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 0.1% (good quality ratio 0.1%)
                            • Quality average: 53%
                            • Quality standard deviation: 0%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Adjust boot time
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
                            • Excluded domains from analysis (whitelisted): go.microsoft.com, fs.microsoft.com, login.live.com, clientconfig.passport.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Signature Similarity


                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            14:13:07 | API Interceptor | 7x Sleep call for process: qtjRj8L3Rw.exe modified
                            14:13:52 | API Interceptor | 49x Sleep call for process: powershell.exe modified
                            14:13:54 | API Interceptor | 9x Sleep call for process: igfxCUIService.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            Match | Associated Sample Name / URL | Detection
                            C:\ProgramData\SystemData\igfxCUIService.exe | #SysJoker_n2.exe | malicious
                            C:\ProgramData\SystemData\igfxCUIService.exe | IGFXCUISERVICE.EXE | malicious

                                Created / dropped Files

                                C:\ProgramData\SystemData\igfxCUIService.exe
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):401920
                                Entropy (8bit):6.560987668019584
                                Encrypted:false
                                SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc
                                MD5:D90D0F4D6DAD402B5D025987030CC87C
                                SHA1:FAD66BDF5C5DC2C050CBC574832C6995DBA086A0
                                SHA-256:1FFD6559D21470C40DCF9236DA51E5823D7AD58C93502279871C3FE7718C901C
                                SHA-512:C2FAEACFD588585633630AD710F443A72C7617C2D5E37DBFE43570E6AC5904E4B81EB682356A48A93BB794EF5E9D8AD0D673966D57798079B4DE62EA61241024
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: C:\ProgramData\SystemData\igfxCUIService.exe, Author: Joe Security
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                Joe Sandbox View:
                                • Filename: #SysJoker_n2.exe, Detection: malicious
                                • Filename: IGFXCUISERVICE.EXE, Detection: malicious
                                Reputation:low
                                C:\ProgramData\SystemData\igfxCUIService.exe:Zone.Identifier
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview: [ZoneTransfer]....ZoneId=0
                                C:\ProgramData\SystemData\temps1.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):242
                                Entropy (8bit):3.744262078789027
                                Encrypted:false
                                SSDEEP:3:mSGg0W/FLyzdAFFFFm8xY/5hAVML6tdRRdnp+thONq:Cg0G5ym/m8GAD6Gs
                                MD5:1F9136F65D689B583097B6F38788B536
                                SHA1:B35D5EA6C7CBC73037F90E3009F00F72883E1B96
                                SHA-256:41970814664E728B105B6AE07244D39DFE036D8F56D55BD7D6AB99EBAF6C276F
                                SHA-512:D1352021E2797C860FCAD87271F9FF5C9E706C077810B94FC323FF691ECE4AA50DC2CAFD7EAB94D242F01E18281E6E249C4C991B0B78E811BED2A832CE760679
                                Malicious:false
                                Preview: ..Physical Address Transport Name ..=================== ==========================================================..5C-22-C6-13-4E-F9 \Device\Tcpip_{B8652DFC-E1F5-449D-BAE4-BFF4128DE918} ..
                                C:\ProgramData\SystemData\temps2.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):79
                                Entropy (8bit):3.433465716504146
                                Encrypted:false
                                SSDEEP:3:qXVFZycUbEcF75r:7cUg07F
                                MD5:836F27CBBDF1E1D7A6CFAD4B3B017854
                                SHA1:1D8FA7E3DF507FF69E27BCC7A1E9AF9B5EEC0917
                                SHA-256:3914DD947B9DDD2B833C6984A27BECAF10C4E0A025CB5D95A7F972285E920BC7
                                SHA-512:29B7481318CD869C00F6A9C16011436971B8B0B2BCF557A48FFB5F762386E470CE1547EF5C23C6C89477C36BAAB1ED307ABB6BE98ED4521B3F94F506E29DFC26
                                Malicious:false
                                Preview: SerialNumber ....VBc9b17e68-05a2fbcb .... ........
                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):20928
                                Entropy (8bit):5.736673923217396
                                Encrypted:false
                                SSDEEP:384:OEDMvl7kLYyB3r/KKnYCP9qm8u0NRsevi6qoRs7CBr4xRRy3r:DLbG109qlsI2F4r
                                MD5:62FBD2028BA46AB5C9929FEBE0DDDF1E
                                SHA1:6D8A34C9F7D20F88A141F607F9520A2C9B9118C3
                                SHA-256:C772F93662B1EDD867A4C12DE354E195B8FDBB3E07EDF809F5DFD1022D4E544F
                                SHA-512:F8816986B1DAE6B0C49E2F8EF74B8ECDC6427E8DB15BBB9E921442BE8965DD0B85D3A702730DDAD0EA1D35C4754E3C6972A81E0D45D9308D49F7DD172C5DCF14
                                Malicious:false
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cmkzftm.ckp.psm1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.481774803623838
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHiQEon:SnqbKAKWGKMoo
                                MD5:527CB6C3BC5154A156D0EA016483A34C
                                SHA1:04D2802479D325F6E5D615A612769C916BE2DF23
                                SHA-256:8E7B2AA8B3DC0007DA4C75608D4199A6780C09982862661114F172E68DCE21B4
                                SHA-512:B3A4F81BD514C68E607BF1B65CFF3DC58A05C68ADFF8F5F6878B6012579E7EA1D122E1E0C6C1DB420B6BB7A749D9DCA27159E24E798549AFC6744A7159557AF9
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:14:51 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmv4hq3u.jjj.ps1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.522338709846795
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHRTFi:SnqbKAKWGKMxTFi
                                MD5:C5634FF893F8A8DED82722075C1C3C2C
                                SHA1:3DF424425568D6CC0F3A88BBAB90CA721FC20C44
                                SHA-256:3D94B8F90F9750B62BB00F6648B1AD327C8CA96101C270EAE53AFB10EF4F14E5
                                SHA-512:980A3C99D53268A247A7E2D42B7BCDE8D83AA03253696E10BCCB21AB7BEA2E28184744A3174893B35BDFB6274BF5D96A973D5FBB6E8C9BB5B96F551B3B02B6C4
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:13:46 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltcvmphj.tyt.ps1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.481774803623838
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHiQEon:SnqbKAKWGKMoo
                                MD5:527CB6C3BC5154A156D0EA016483A34C
                                SHA1:04D2802479D325F6E5D615A612769C916BE2DF23
                                SHA-256:8E7B2AA8B3DC0007DA4C75608D4199A6780C09982862661114F172E68DCE21B4
                                SHA-512:B3A4F81BD514C68E607BF1B65CFF3DC58A05C68ADFF8F5F6878B6012579E7EA1D122E1E0C6C1DB420B6BB7A749D9DCA27159E24E798549AFC6744A7159557AF9
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:14:51 PM
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxtcgyim.deb.psm1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):80
                                Entropy (8bit):4.522338709846795
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFKOMHRTFi:SnqbKAKWGKMxTFi
                                MD5:C5634FF893F8A8DED82722075C1C3C2C
                                SHA1:3DF424425568D6CC0F3A88BBAB90CA721FC20C44
                                SHA-256:3D94B8F90F9750B62BB00F6648B1AD327C8CA96101C270EAE53AFB10EF4F14E5
                                SHA-512:980A3C99D53268A247A7E2D42B7BCDE8D83AA03253696E10BCCB21AB7BEA2E28184744A3174893B35BDFB6274BF5D96A973D5FBB6E8C9BB5B96F551B3B02B6C4
                                Malicious:false
                                Preview: # PowerShell test file to determine AppLocker lockdown mode 1/12/2022 2:13:46 PM
                                C:\Users\user\Documents\20220112\PowerShell_transcript.305090.U78yw9TH.20220112141320.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1097
                                Entropy (8bit):5.231490561673135
                                Encrypted:false
                                SSDEEP:24:BxSAq3Tvi3x/nx2DOXUW8UEaW70jeuKK6X4CIym1ZJXzEKFnxSAZixC:BZiTvqxfoOnEd7CKYB1ZlEKZZZixC
                                MD5:8365D33CCC4CEA6DC81FBEF8074AB171
                                SHA1:C496EBFC5BE5A922E538C1C207DE9537FC81EDFE
                                SHA-256:8E8C6AF2C3F6FAE12DC730B90E24EB44DA5AD7A6C1A18C1BC3D5D207049A5FC5
                                SHA-512:31ED3800A7991A213F31B09A51DDF72CC8FA5E2B22572CF2E7125F817DA5416C172BC73C08BEFDE2E19A65E4D8DB8A3E36AE0A3437CA2FD2BF6E616CB2F8F6DA
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112141348..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..Process ID: 5848..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112141348..**********************..PS>copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..**********************..Command start time: 20220112141450..**********************..PS>$global:?..True..************
                                C:\Users\user\Documents\20220112\PowerShell_transcript.305090.zOvb_cEe.20220112141411.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1303
                                Entropy (8bit):5.259294238407679
                                Encrypted:false
                                SSDEEP:24:BxSA2G3Tvi3x/nx2DOXUWKYcdVWF0jeuKK6X4CIym1ZJXuyYcAmnxSAZNC:BZ2uTvqxfoOqYceFCKYB1ZsyYcAoZZNC
                                MD5:2BFD640543E531BDDD9BA1D7E839BE11
                                SHA1:00E520EC469EB47BAFD0F44CD2E73BEE529F2B79
                                SHA-256:F564AEE3F53BFCBE099DF22A14C20001FE353D0C73FE1E5B2916D2EDDE4454B7
                                SHA-512:1F92D6FDB177003A430D190232474458B932A24F890246604E7996B5982DBFBD4A7FF2DE0CBF420770F1FAB2F57938BDA6F48A34B14128F9486135CDF0B9D049
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112141453..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'..Process ID: 5312..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112141453..**********************..PS>getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedi

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.560987668019584
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:qtjRj8L3Rw.exe
                                File size:401920
                                MD5:d90d0f4d6dad402b5d025987030cc87c
                                SHA1:fad66bdf5c5dc2c050cbc574832c6995dba086a0
                                SHA256:1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
                                SHA512:c2faeacfd588585633630ad710f443a72c7617c2d5e37dbfe43570e6ac5904e4b81eb682356a48a93bb794ef5e9d8ad0d673966d57798079b4de62ea61241024
                                SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x424dcb
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x61312A62 [Thu Sep 2 19:47:46 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:86f89939b4b0c19157649ce986ae170e

                                Entrypoint Preview

                                Instruction
                                call 00007FF3F0B3277Fh
                                jmp 00007FF3F0B320DFh
                                push ebp
                                mov ebp, esp
                                sub esp, 00000324h
                                push ebx
                                push 00000017h
                                call 00007FF3F0B53284h
                                test eax, eax
                                je 00007FF3F0B32267h
                                mov ecx, dword ptr [ebp+08h]
                                int 29h
                                push 00000003h
                                call 00007FF3F0B32439h
                                mov dword ptr [esp], 000002CCh
                                lea eax, dword ptr [ebp-00000324h]
                                push 00000000h
                                push eax
                                call 00007FF3F0B3461Ah
                                add esp, 0Ch
                                mov dword ptr [ebp-00000274h], eax
                                mov dword ptr [ebp-00000278h], ecx
                                mov dword ptr [ebp-0000027Ch], edx
                                mov dword ptr [ebp-00000280h], ebx
                                mov dword ptr [ebp-00000284h], esi
                                mov dword ptr [ebp-00000288h], edi
                                mov word ptr [ebp-0000025Ch], ss
                                mov word ptr [ebp-00000268h], cs
                                mov word ptr [ebp-0000028Ch], ds
                                mov word ptr [ebp-00000290h], es
                                mov word ptr [ebp-00000294h], fs
                                mov word ptr [ebp-00000298h], gs
                                pushfd
                                pop dword ptr [ebp-00000264h]
                                mov eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-0000026Ch], eax
                                lea eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-00000260h], eax
                                mov dword ptr [ebp-00000324h], 00010001h
                                mov eax, dword ptr [eax-04h]
                                push 00000050h
                                mov dword ptr [ebp-00000270h], eax
                                lea eax, dword ptr [ebp-58h]
                                push 00000000h
                                push eax
                                call 00007FF3F0B34590h

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d4bc | 0x78 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x3b8 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0x38d4 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x585d0 | 0x1c | .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x586c0 | 0x18 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x585f0 | 0x40 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x4a000 | 0x1dc | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x48ddb | 0x48e00 | False | 0.509323408019 | data | 6.57262184076 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rdata | 0x4a000 | 0x13f90 | 0x14000 | False | 0.460668945313 | data | 5.42470846624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x5e000 | 0x21d0 | 0x1200 | False | 0.26953125 | data | 3.95317799649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x61000 | 0x3b8 | 0x400 | False | 0.4111328125 | data | 3.18893503216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x62000 | 0x38d4 | 0x3a00 | False | 0.670999461207 | data | 6.52552513001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0x61060 | 0x354 | data | English | United States

                                Imports

                                DLL | Imports
                                KERNEL32.dll | CreateDirectoryW, SizeofResource, HeapFree, GetModuleFileNameW, InitializeCriticalSectionEx, WaitForSingleObject, HeapSize, MultiByteToWideChar, Sleep, GetLastError, LockResource, DeleteFileW, GlobalFree, HeapReAlloc, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, DecodePointer, HeapDestroy, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, SleepEx, WriteConsoleW, CreateFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, ReadFile, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, SetFilePointerEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, OutputDebugStringW, RtlUnwind, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetFileSizeEx, SetEndOfFile
                                SHELL32.dll | ShellExecuteW, ShellExecuteExW
                                ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
                                OLEAUT32.dll | SysAllocStringLen
                                WINHTTP.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpWriteData, WinHttpReadData, WinHttpSetTimeouts, WinHttpCloseHandle, WinHttpCrackUrl, WinHttpQueryDataAvailable, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpSetOption, WinHttpConnect, WinHttpReceiveResponse, WinHttpOpenRequest, WinHttpSendRequest

                                Version Infos

                                Description | Data
                                LegalCopyright | Copyright 2012-2015, Intel Corporation
                                InternalName | IGFXCUISERVICE
                                FileVersion | 6.15.10.5063
                                CompanyName | Intel Corporation
                                ProductName | Intel(R) Common User Interface
                                ProductVersion | 6.15.10.5063
                                FileDescription | igfxCUIService Module
                                OriginalFilename | IGFXCUISERVICE.EXE
                                Translation | 0x0409 0x04b0

                                Possible Origin

                                Language of compilation system | Country where language is spoken
                                English | United States

                                Network Behavior

                                No network behavior found

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time: 14:13:06
                                Start date: 12/01/2022
                                Path: C:\Users\user\Desktop\qtjRj8L3Rw.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\qtjRj8L3Rw.exe"
                                Imagebase: 0xbd0000
                                File size: 401920 bytes
                                MD5 hash: D90D0F4D6DAD402B5D025987030CC87C
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000000.00000000.532048911.0000000000C1A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000000.00000002.644558837.0000000000C1A000.00000002.00020000.sdmp, Author: Joe Security
                                Reputation: low

                                General

                                Start time: 14:13:09
                                Start date: 12/01/2022
                                Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\qtjRj8L3Rw.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
                                Imagebase: 0xb0000
                                File size: 430592 bytes
                                MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:13:09
                                Start date: 12/01/2022
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff658540000
                                File size: 625664 bytes
                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:13:54
                                Start date: 12/01/2022
                                Path: C:\ProgramData\SystemData\igfxCUIService.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\ProgramData\SystemData\igfxCUIService.exe"
                                Imagebase: 0xd10000
                                File size: 401920 bytes
                                MD5 hash: D90D0F4D6DAD402B5D025987030CC87C
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000007.00000000.643724739.0000000000D5A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: 00000007.00000002.828629700.0000000000D5A000.00000002.00020000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_SysJoker, Description: Yara detected SysJoker, Source: C:\ProgramData\SystemData\igfxCUIService.exe, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                Reputation: low

                                General

                                Start time: 14:13:56
                                Start date: 12/01/2022
                                Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
                                Imagebase: 0xb0000
                                File size: 430592 bytes
                                MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:13:56
                                Start date: 12/01/2022
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff658540000
                                File size: 625664 bytes
                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:15:01
                                Start date: 12/01/2022
                                Path: C:\Windows\SysWOW64\getmac.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\system32\getmac.exe
                                Imagebase: 0x50000
                                File size: 65536 bytes
                                MD5 hash: 6AB605BD2223BFB2E55A466BE9816914
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 14:15:05
                                Start date: 12/01/2022
                                Path: C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
                                Imagebase: 0xd60000
                                File size: 391680 bytes
                                MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:15:09
                                Start date: 12/01/2022
                                Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
                                Imagebase: 0xb0000
                                File size: 430592 bytes
                                MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 14:15:09
                                Start date: 12/01/2022
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff658540000
                                File size: 625664 bytes
                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                Disassembly

                                Code Analysis