Windows Analysis Report IGFXCUISERVICE

Overview

General Information

Sample Name: IGFXCUISERVICE (renamed file extension from none to exe)
Analysis ID: 550959
MD5: d90d0f4d6dad402b5d025987030cc87c
SHA1: fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Writes or reads registry keys via WMI
Encrypted powershell cmdline option found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Sigma detected: Direct Autorun Keys Modification
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Sigma detected: Reg Add RUN Key
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
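
The Sigma findings above (Reg Add RUN Key, Suspicious Execution of Powershell with Base64) and the long-command-line flag describe behaviour that process-creation telemetry can catch. What follows is an added example, not part of the sandbox report: Python detection logic run over constructed Sysmon-style events. The dropped path C:\ProgramData\SystemData\igfxCUIService.exe is taken from the report; the Run value name igfxCUIService, the script inside the encoded command, the other PowerShell switches and the 512-character threshold are assumptions. The example also covers something the report does not spell out: powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so a detector keyed on the literal -EncodedCommand or -enc misses trivial variants.

```python
"""Detection logic for three of the findings listed above: "Sigma detected: Reg Add
RUN Key", "Sigma detected: Suspicious Execution of Powershell with Base64" and
"Very long cmdline option found". Runs over constructed Sysmon-style
process-creation events; the command lines are NOT the sample's own."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the switch is matched loosely and checked against the full name afterwards.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
PROGRAMDATA_EXE_RE = re.compile(r"C:\\ProgramData\\[^\s'\"]+\.exe", re.IGNORECASE)
LONG_ARG_THRESHOLD = 512  # assumption: characters in one argument; tune per environment


def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand (Base64 over UTF-16LE), or None."""
    for flag, payload in ENC_FLAG_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # -ExecutionPolicy, -ep, ... are not the encoded-command switch
        try:
            raw = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return None  # looks like -enc but the payload is not valid Base64
        return raw.decode("utf-16-le", errors="replace")
    return None


def encode_command(script: str) -> str:
    """Inverse of the above: what gets fed to powershell -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def detect(event: dict) -> list:
    """Apply the rules to one process-creation event and return the finding titles."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if (image.endswith("\\reg.exe") and re.search(r"\badd\b", cmd, re.IGNORECASE)
            and RUN_KEY_RE.search(cmd)):
        findings.append("Reg Add RUN Key")
    if image.endswith("\\powershell.exe"):
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append("Suspicious Execution of Powershell with Base64")
            # The report's PE drop went to C:\ProgramData; look for that in the decoded script
            if PROGRAMDATA_EXE_RE.search(script):
                findings.append("Encoded PowerShell references an .exe under C:\\ProgramData")
    if any(len(arg) > LONG_ARG_THRESHOLD for arg in cmd.split()):
        findings.append("Very long cmdline option found")
    return findings


def triage(events) -> list:
    """[(image basename, findings)] for every event that matched at least one rule."""
    out = []
    for ev in events:
        hits = detect(ev)
        if hits:
            out.append((ev["Image"].rsplit("\\", 1)[-1], hits))
    return out


# Constructed sample events. The dropped path is from the report; the Run value name,
# the script body and the non-encoded switches are hypothetical.
DROPPED_PATH = r"C:\ProgramData\SystemData\igfxCUIService.exe"
CONSTRUCTED_SCRIPT = f"[IO.File]::WriteAllBytes('{DROPPED_PATH}', $bytes)"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                    f'/v igfxCUIService /t REG_SZ /d "{DROPPED_PATH}" /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
                    + encode_command(CONSTRUCTED_SCRIPT)},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(hits)}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["CommandLine"]))
```

Decoding the payload rather than alerting on the presence of -enc alone is what lets the second rule look inside the script; a Base64 blob that does not decode to UTF-16LE text is itself a tell, since that is the only encoding powershell.exe accepts for this switch.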

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: IGFXCUISERVICE.exe Virustotal: Detection: 51%
Source: IGFXCUISERVICE.exe Metadefender: Detection: 20%
Source: IGFXCUISERVICE.exe ReversingLabs: Detection: 41%
Antivirus / Scanner detection for submitted sample
Source: IGFXCUISERVICE.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe Avira: detection malicious, Label: TR/Redcap.rjsiq
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe Metadefender: Detection: 20%
Source: C:\ProgramData\SystemData\igfxCUIService.exe ReversingLabs: Detection: 41%

Compliance:

Uses 32bit PE files
Source: IGFXCUISERVICE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: IGFXCUISERVICE.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002CB17F FindFirstFileExW, 5_2_002CB17F

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.818065175.000000000119C000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000003.793364315.0000000007F16000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.793470514.0000000007F17000.00000004.00000001.sdmp String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.728563333.0000000000650000.00000004.00000040.sdmp String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.729637199.0000000004701000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.819681378.0000000004D91000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Onlysame-origin;
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Persistent-AuthWWW-AuthenticateSec-Fetch-Dest
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocg5Eh
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-2o-docs.googleusercontent.com/
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8
Source: igfxCUIService.exe, 00000020.00000002.956121777.0000000001438000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956103538.0000000001430000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000002.956196667.000000000146D000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: igfxCUIService.exe, 00000020.00000002.956103538.0000000001430000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eumgr32.dll
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.820903134.0000000005611000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://google.com/
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://google.com/a
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/
Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/5
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/C
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/P
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/Q
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/X
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attach
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attach/
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attachM&dQ%
Source: igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attachent.com
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attachn5
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attacht.com
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attachtent.com
Source: igfxCUIService.exe, 00000020.00000003.932634820.00000000014A2000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.916793791.000000000150B000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/req
Source: igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919317267.00000000014A2000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/req2
Source: igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/req7
Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/req8
Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp String found in binary or memory: https://graphic-updater.com/api/reqC
Source: igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqM
Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqO
Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqT
Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqV
Source: igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqW
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqX
Source: igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqb
Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqch
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqd
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqdll
Source: igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqdlli
Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqj
Source: igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqm
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqm64W%
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqmj
Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqmv1
Source: igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp String found in binary or memory: https://graphic-updater.com/api/reqmx
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp String found in binary or memory: https://graphic-updater.com/api/reqo
Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/reqs%qPG
Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/requ
Source: igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/requrlencoded
Source: igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/requrlencodedW%
Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/requrlencodedz%hPF
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/comD
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/e6
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/ll
Source: igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/m6
Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/om
Source: igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/om6
Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/omX
Source: igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/u
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.comB
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com_
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.comcom5
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.comcomV
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.comomH
Source: igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp String found in binary or memory: https://grc-0k-2o-docs.googleusercontent.com/%%doc-0k-2o-docs.googleusercontent.com
Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown HTTP traffic detected: POST /api/attach HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 136Host: graphic-updater.com
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: drive.google.com
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: doc-0k-2o-docs.googleusercontent.com
Source: global traffic HTTP traffic detected: GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: drive.google.com
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: doc-0k-2o-docs.googleusercontent.com
Source: global traffic HTTP traffic detected: GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: drive.google.com
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: WinHttpClientContent-Length: 0Host: doc-0k-2o-docs.googleusercontent.com
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49864 version: TLS 1.2
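The memory-string hits above are mostly one real URL followed by heap garbage (the `reqX`, `attachent.com`, `comcom5` suffixes are whatever bytes followed the unterminated string when the dump was taken), and the report runs the request headers of the observed POST together on one line. The following script is an added example, not part of the sandbox report: it reduces a constructed subset of those hits to host and path IOCs with a support count, parses the run-together request line using an assumed list of header names, and checks that the live `POST /api/attach` to `graphic-updater.com` matches what the strings predicted. The `min_support` threshold is a heuristic chosen here, not something the report states.

```python
"""Normalise noisy sandbox memory-string URL hits into IOCs and confirm them
against the observed HTTP request.  Added example; not part of the report."""
import re
from urllib.parse import urlsplit

# Constructed sample: a representative subset of the "String found in binary or
# memory" hits from the report.  Trailing characters are heap garbage that
# followed the unterminated string when memory was dumped.
SAMPLE_STRINGS = [
    "https://graphic-updater.com/",
    "https://graphic-updater.com/5",
    "https://graphic-updater.com/P",
    "https://graphic-updater.com/api/attach",
    "https://graphic-updater.com/api/attach/",
    "https://graphic-updater.com/api/attachM&dQ%",
    "https://graphic-updater.com/api/attachent.com",
    "https://graphic-updater.com/api/attacht.com",
    "https://graphic-updater.com/api/req",
    "https://graphic-updater.com/api/req2",
    "https://graphic-updater.com/api/reqX",
    "https://graphic-updater.com/api/reqdll",
    "https://graphic-updater.com/api/reqm64W%",
    "https://graphic-updater.com/api/requrlencoded",
    "https://graphic-updater.com/api/requrlencodedW%",
    "https://graphic-updater.com/api/requrlencodedz%hPF",
    "https://graphic-updater.comB",
    "https://graphic-updater.comcom5",
    "https://nuget.org/nuget.exe",
]

# Constructed copy of the request line the report shows; the renderer ran the
# header lines together, hence the header-name based splitting below.
OBSERVED_REQUEST = (
    "POST /api/attach HTTP/1.1Connection: Keep-AliveContent-Type: "
    "application/x-www-form-urlencodedUser-Agent: WinHttpClient"
    "Content-Length: 136Host: graphic-updater.com"
)

# Assumed header vocabulary used to re-split the run-together header block.
HEADER_RE = re.compile(
    r"(Connection|Content-Type|Content-Length|User-Agent|Host|Accept): ")


def split_hit(s):
    """Return (netloc, path) for one memory-string hit; path keeps its leading '/'."""
    parts = urlsplit(s)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return parts.netloc, path


def true_hosts(strings):
    """A netloc counts as a real host only if some hit continues it with '/',
    i.e. the string was still intact at the host/path boundary."""
    return {split_hit(s)[0] for s in strings if split_hit(s)[1].startswith("/")}


def canonical_host(netloc, hosts):
    """Map a garbage-suffixed netloc (e.g. 'graphic-updater.comcom5') to the
    longest real host that is a prefix of it."""
    matches = [h for h in hosts if netloc.startswith(h)]
    return max(matches, key=len) if matches else None


def extract_iocs(strings, min_support=2):
    """Return {host: {path: support}}.  A path is kept only if it occurs
    verbatim and at least min_support hits start with it; real URLs are
    prefixes of many garbage variants, garbage variants are prefixes of none."""
    hosts = true_hosts(strings)
    per_host = {}
    for s in strings:
        netloc, path = split_hit(s)
        host = canonical_host(netloc, hosts)
        if host is None:
            continue
        per_host.setdefault(host, []).append(path)
    iocs = {}
    for host, paths in per_host.items():
        support = {p: sum(1 for q in paths if q.startswith(p))
                   for p in set(paths) if p}
        iocs[host] = {p: n for p, n in support.items() if n >= min_support}
    return iocs


def parse_observed_request(line):
    """Pull method, path and headers out of a run-together report request line."""
    m = re.match(r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]", line)
    if not m:
        return None
    parts = HEADER_RE.split(line[m.end():])
    # re.split with a capturing group yields ['', name, value, name, value, ...]
    headers = dict(zip(parts[1::2], parts[2::2]))
    return {"method": m.group("method"), "path": m.group("path"), "headers": headers}


def confirm(iocs, request):
    """True when the live request hits a host/path the strings already predicted."""
    host = request["headers"].get("Host")
    return host in iocs and request["path"] in iocs[host]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_STRINGS)
    req = parse_observed_request(OBSERVED_REQUEST)
    for host, paths in found.items():
        print(host, sorted(paths.items(), key=lambda kv: -kv[1]))
    print("observed request confirmed:", confirm(found, req), req["headers"])
```

Read the support counts rather than trusting the threshold: `/api/requrlencoded` survives with support 3 from its own variants, but it is `/api/req` glued to the tail of the adjacent `application/x-www-form-urlencoded` string, and `/api/req` outscores it by a wide margin. The host rule would likewise accept a corrupted host such as the `grc-0k-2o-docs.googleusercontent.com` hit if it ever appeared with a `/`, so single-hit hosts still need a manual look; the WinHttpClient user agent plus the fixed 136-byte form POST is the part worth turning into a network signature.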

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: IGFXCUISERVICE.exe, 00000001.00000002.737000999.00000000014EA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\SystemData\igfxCUIService.exe Jump to dropped file
Uses 32bit PE files
Source: IGFXCUISERVICE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012C3970 1_2_012C3970
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012CB99E 1_2_012CB99E
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012E0192 1_2_012E0192
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012D0820 1_2_012D0820
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012CE852 1_2_012CE852
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012E1F1C 1_2_012E1F1C
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012CB76C 1_2_012CB76C
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012E3780 1_2_012E3780
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012A5230 1_2_012A5230
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012E3660 1_2_012E3660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074F9498 3_2_074F9498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074F9498 3_2_074F9498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9ECA8 3_2_07A9ECA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9DCA0 3_2_07A9DCA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A94AB0 3_2_07A94AB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A94A48 3_2_07A94A48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074FC570 3_2_074FC570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074FC580 3_2_074FC580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074F0040 3_2_074F0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_074F001E 3_2_074F001E
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002911F0 5_2_002911F0
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_00295230 5_2_00295230
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D0192 5_2_002D0192
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_00296630 5_2_00296630
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D3660 5_2_002D3660
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002BB76C 5_2_002BB76C
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D3780 5_2_002D3780
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_00296820 5_2_00296820
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002C0820 5_2_002C0820
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002BE852 5_2_002BE852
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D08A9 5_2_002D08A9
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B7960 5_2_002B7960
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002BB99E 5_2_002BB99E
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002CDDCF 5_2_002CDDCF
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D1F1C 5_2_002D1F1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080999E8 7_2_080999E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080951E0 7_2_080951E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080999D7 7_2_080999D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0809AC6F 7_2_0809AC6F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0809AC98 7_2_0809AC98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080951D0 7_2_080951D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08159DB0 7_2_08159DB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08159DB0 7_2_08159DB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_085B0DD8 7_2_085B0DD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_085B7040 7_2_085B7040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08150006 7_2_08150006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08150040 7_2_08150040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08158330 7_2_08158330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08158321 7_2_08158321
Found potential string decryption / allocating functions
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: String function: 002B51F0 appears 53 times
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: IGFXCUISERVICE.exe Virustotal: Detection: 51%
Source: IGFXCUISERVICE.exe Metadefender: Detection: 20%
Source: IGFXCUISERVICE.exe ReversingLabs: Detection: 41%
Source: IGFXCUISERVICE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IGFXCUISERVICE.exe "C:\Users\user\Desktop\IGFXCUISERVICE.exe"
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic nicconfig where 'IPEnabled = True' get ipaddress
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: unknown Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: unknown Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220111
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btj2vhwe.osx.ps1
Source: temps1.txt.7.dr Binary string: EC-F4-BB-EA-15-88 \Device\Tcpip_{BB556C50-98D0-4585-A1ED-B2838757AE1B}
Source: classification engine Classification label: mal92.evad.winEXE@43/21@55/4
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_0029EC90 CoInitialize,CoCreateInstance, 5_2_0029EC90
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4240:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012A3FB0 LoadResource,LockResource,SizeofResource, 1_2_012A3FB0
Source: C:\ProgramData\SystemData\igfxCUIService.exe Command line argument: n`- 5_2_002D5FC0
Source: C:\ProgramData\SystemData\igfxCUIService.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IGFXCUISERVICE.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: IGFXCUISERVICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IGFXCUISERVICE.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IGFXCUISERVICE.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IGFXCUISERVICE.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IGFXCUISERVICE.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IGFXCUISERVICE.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012E5E0B push ecx; ret 1_2_012E5E1E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9C277 push cs; retf 3_2_07A9C27A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9E149 push ss; retf 3_2_07A9E14E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9BAE9 push cs; retf 3_2_07A9BAEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9EAE0 push ds; retf 3_2_07A9EAE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9EAE3 push ds; retf 3_2_07A9EAEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07A9B988 push es; retf 3_2_07A9B98A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07AFFD28 push eax; mov dword ptr [esp], edx 3_2_07AFFF04
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B5234 push ecx; ret 5_2_002B5246
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002D5E0B push ecx; ret 5_2_002D5E1E

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\conhost.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\SystemData\igfxCUIService.exe
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\ProgramData\SystemData\igfxCUIService.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run igfxCUIService
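The chain recorded above (PowerShell copying the sample into C:\ProgramData\SystemData, wmic / getmac / $env:username output written to temp*.txt files in the same directory, then reg.exe adding the dropped file to the HKCU Run key) is the sequence a process-creation detection should key on rather than any single command. The Python below is an added example written for this page; it is not part of the sandbox report or of the sample. The record layout (parent, image, cmdline) and the tag names are assumptions, and the sample records are constructed from the command lines listed in the report.

```python
"""Process-creation detection logic for the behaviour chain in this report.

Added example, not part of the sandbox report. Tags process-creation records
for the three behaviours the report shows (REG ADD into the HKCU Run key,
wmic/getmac/$env:username discovery with output staged under C:\\ProgramData,
PowerShell copying a PE into C:\\ProgramData) and derives a verdict for the
whole chain. Record layout and tag names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path (assumed field name)
    image: str    # image path of the created process (assumed field name)
    cmdline: str  # full command line of the created process


# Autorun persistence written with the reg.exe CLI (HKCU or HKLM Run/RunOnce).
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+['\"]?"
    r"(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b",
    re.IGNORECASE,
)
# Host-fingerprinting tools and variables used by the sample.
RECON_RE = re.compile(r"\bwmic\b|\bgetmac\b|\$env:username", re.IGNORECASE)
# Output redirected (cmd '>' or PowerShell Out-File) into C:\ProgramData.
STAGING_RE = re.compile(
    r"(?:>\s*['\"]?|Out-File\b.*?['\"])C:\\ProgramData\\", re.IGNORECASE
)
# A copy whose destination is an .exe under C:\ProgramData.
DROP_RE = re.compile(
    r"\bcopy(?:-item)?\b.*['\"]C:\\ProgramData\\[^'\"]+\.exe['\"]", re.IGNORECASE
)


def classify(ev: ProcEvent) -> set:
    """Return the set of behaviour tags matched by one process-creation record."""
    tags = set()
    if RUN_KEY_RE.search(ev.cmdline):
        tags.add("persistence:run_key")
    # Discovery only counts when its output is staged to disk, which is what
    # separates the sample's temp*.txt collection from an admin running wmic.
    if RECON_RE.search(ev.cmdline) and STAGING_RE.search(ev.cmdline):
        tags.add("discovery:staged_to_programdata")
    if "powershell" in ev.image.lower() and DROP_RE.search(ev.cmdline):
        tags.add("drop:pe_to_programdata")
    return tags


def triage(events) -> tuple:
    """Combine per-event tags into (verdict, tags) for one process tree.

    A Run-key write on its own is only suspicious (installers do it too);
    a Run-key write together with staged discovery output or a PE dropped
    into ProgramData is the pattern this report documents.
    """
    tags = set()
    for ev in events:
        tags |= classify(ev)
    persistence = "persistence:run_key" in tags
    staging = ("discovery:staged_to_programdata" in tags
               or "drop:pe_to_programdata" in tags)
    if persistence and staging:
        verdict = "malicious"
    elif tags:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, tags


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED = r"C:\ProgramData\SystemData\igfxCUIService.exe"

# Constructed records, modeled on the process-creation lines in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\IGFXCUISERVICE.exe", PS,
              r"powershell.exe copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' "
              r"'C:\ProgramData\SystemData\igfxCUIService.exe'"),
    ProcEvent(DROPPED, PS,
              r"powershell.exe getmac | Out-File -Encoding 'Default' "
              r"'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia "
              r"get SerialNumber | Out-File -Encoding 'Default' "
              r"'C:\ProgramData\SystemData\temps2.txt'"),
    ProcEvent(DROPPED, PS,
              r"powershell.exe $env:username | Out-File -Encoding 'Default' "
              r"'C:\ProgramData\SystemData\tempu.txt'"),
    ProcEvent(DROPPED, CMD,
              r'cmd.exe /c wmic OS get Caption, CSDVersion, OSArchitecture, Version '
              r'/ value > "C:\ProgramData\SystemData\tempo1.txt"'),
    ProcEvent(DROPPED, CMD,
              r'cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
              r'/V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(sorted(classify(ev)), ev.cmdline[:60])
    print(triage(SAMPLE_EVENTS)[0])
```

The discovery rule deliberately requires both a fingerprinting tool and a redirect into C:\ProgramData; either half alone fires on routine administration. Feed it Sysmon Event ID 1 or EDR process-creation records grouped by process tree, and treat the per-event tags as the evidence to show an analyst, not the verdict alone.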

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B60A8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_002B60A8
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (90 identical entries)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
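The queries above give the sample every adapter's description, MAC address and IP-enabled state, which is all a virtual-machine check needs. The report does not show the sample's own decision logic, so the following is an added example (not code from the report or from the sample): it reconstructs the usual heuristic, vendor OUI prefixes of virtual NICs plus vendor names in the adapter description, over constructed Win32_NetworkAdapter rows. The OUI table and the `AdapterRow` shape are this example's assumptions; the IP-enabled filter mirrors the WMIC query's `WHERE IPEnabled = True`. The last test case is the caveat an analyst hardening a sandbox wants: spoofing the MAC alone does not help while the description still says Hyper-V, which matches the Hyper-V strings found in process memory later in this section.

```python
"""Added example: what a VM check built on the getmac.exe / WMIC.exe adapter
queries in the report can conclude. The sample's real logic is not visible in
the report; the OUI table and description tokens below are an assumption about
the common technique, and all adapter rows are constructed test data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known OUI prefixes of virtual NICs (first three octets, upper case, colon separated).
# Assumed reference table for this example, not taken from the report.
VIRTUAL_OUIS = {
    "00:15:5D": "Hyper-V",
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3E": "Xen",
    "52:54:00": "QEMU/KVM",
}
VIRTUAL_DESCRIPTION_TOKENS = ("hyper-v", "vmware", "virtualbox", "virtio", "xen")


@dataclass(frozen=True)
class AdapterRow:
    """Subset of Win32_NetworkAdapter / Win32_NetworkAdapterConfiguration fields."""
    device_id: str
    description: str
    mac: Optional[str]
    ip_enabled: bool


def oui(mac: str) -> str:
    """Normalise '00-0c-29-aa-bb-cc' or '00:0C:29:AA:BB:CC' to the OUI '00:0C:29'."""
    return mac.upper().replace("-", ":")[:8]


def virtualization_hints(row: AdapterRow) -> List[str]:
    """Markers a VM check would trigger on for one adapter (empty list = looks physical)."""
    hints = []
    if row.mac and oui(row.mac) in VIRTUAL_OUIS:
        hints.append(f"oui:{VIRTUAL_OUIS[oui(row.mac)]}")
    desc = row.description.lower()
    for token in VIRTUAL_DESCRIPTION_TOKENS:
        if token in desc:
            hints.append(f"description:{token}")
            break
    return hints


def looks_virtual(rows: List[AdapterRow]) -> bool:
    """Mimic the attacker's decision: any IP-enabled adapter with a marker means 'sandbox'."""
    return any(virtualization_hints(row) for row in rows if row.ip_enabled)


def hardening_report(rows: List[AdapterRow]) -> Dict[str, List[str]]:
    """For the sandbox operator: which adapters (by DeviceID) still leak which markers."""
    return {row.device_id: hints for row in rows if (hints := virtualization_hints(row))}


if __name__ == "__main__":
    # Constructed rows: one stock Hyper-V guest adapter, one physical-looking Intel NIC.
    guest = [
        AdapterRow("1", "Microsoft Hyper-V Network Adapter", "00:15:5D:01:02:03", True),
        AdapterRow("7", "WAN Miniport (IP)", None, False),
    ]
    host = [AdapterRow("1", "Intel(R) Ethernet Connection I219-LM", "3C:97:0E:AA:BB:CC", True)]
    print("guest looks virtual:", looks_virtual(guest), hardening_report(guest))
    print("host looks virtual: ", looks_virtual(host), hardening_report(host))
```

Feeding this function real rows from `Get-CimInstance Win32_NetworkAdapter` on an analysis VM shows exactly which adapter still needs renaming; the MAC can be changed in the hypervisor, the description only by swapping the virtual NIC model or editing the driver INF.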
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34365s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -32272s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -33137s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34610s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -33984s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -31561s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34548s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 1440 Thread sleep time: -510000s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34573s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -30562s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -32258s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34400s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34267s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -32795s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -33723s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -30077s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -31852s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -30644s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -31359s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -31944s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2944 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740 Thread sleep time: -32623s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 6676 Thread sleep time: -210000s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740 Thread sleep time: -32226s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740 Thread sleep time: -33946s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 7040 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\ProgramData\SystemData\igfxCUIService.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\SystemData\igfxCUIService.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\SystemData\igfxCUIService.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (6 identical entries)
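Two different things are mixed in the sleep entries above and in the "Contains long sleeps" signature. The powershell.exe values 922337203685477, 3689348814741908 and 5534023222112862 are 1, 4 and 6 times TimeSpan.MaxValue expressed in milliseconds (2^63-1 ticks of 100 ns), i.e. infinite waits from the .NET runtime's own wait handles, not a delay the script author chose, whereas the igfxCUIService.exe values (30077 to 34610, 210000, 510000) are ordinary Sleep() arguments just above the report's 30000 bar. The following added example (not part of the report) parses these lines and separates the two classes so the long-sleep verdict rests only on the finite values. It assumes the raw value is milliseconds (the 30000 threshold then reads as 30 s, consistent with the "Thread delayed: delay time" entries) and that an exact multiple of TimeSpan.MaxValue is an aggregated infinite wait; the sample lines are a constructed subset of the entries listed above.

```python
"""Added example, not part of the Joe Sandbox report: triage "Thread sleep time"
entries, separating genuine Sleep() calls from the .NET runtime's infinite
waits. Assumptions (this example's, not the report's): the raw value is in
milliseconds, and an exact multiple of TimeSpan.MaxValue in milliseconds is a
runtime infinite wait rather than an author-chosen sleep."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TimeSpan.MaxValue is 2**63-1 ticks of 100 ns; in whole milliseconds that is 922337203685477.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(
    r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<threshold>\d+)s"
)

ThreadKey = Tuple[str, int]


@dataclass
class ThreadSleeps:
    genuine_ms: int = 0       # sum of finite sleeps at or above the report's threshold
    genuine_count: int = 0
    infinite_waits: int = 0   # number of TimeSpan.MaxValue waits folded into the entries
    longest_ms: int = 0


def classify(ms: int) -> Tuple[str, int]:
    """('infinite', n) for n folded TimeSpan.MaxValue waits, else ('finite', ms)."""
    if ms >= TIMESPAN_MAX_MS and ms % TIMESPAN_MAX_MS == 0:
        return "infinite", ms // TIMESPAN_MAX_MS
    return "finite", ms


def triage(lines: List[str]) -> Dict[ThreadKey, ThreadSleeps]:
    """Aggregate report lines per (process path, TID); lines that do not match are ignored."""
    per_thread: Dict[ThreadKey, ThreadSleeps] = defaultdict(ThreadSleeps)
    for line in lines:
        m = SLEEP_RE.search(line)
        if not m:
            continue
        key = (m["proc"], int(m["tid"]))
        kind, value = classify(int(m["ms"]))
        entry = per_thread[key]
        if kind == "infinite":
            entry.infinite_waits += value
        else:
            entry.genuine_ms += value
            entry.genuine_count += 1
            entry.longest_ms = max(entry.longest_ms, value)
    return dict(per_thread)


def evasion_candidates(per_thread: Dict[ThreadKey, ThreadSleeps], min_total_ms: int = 180_000) -> List[ThreadKey]:
    """Threads whose finite sleeps alone add up to >= 3 minutes (the report's long-sleep bar), longest first."""
    return sorted(
        (key for key, e in per_thread.items() if e.genuine_ms >= min_total_ms),
        key=lambda k: per_thread[k].genuine_ms,
        reverse=True,
    )


# Constructed subset of the entries listed in the report section above.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788 Thread sleep time: -5534023222112862s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6120 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -34365s >= -30000s",
    r"Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580 Thread sleep time: -32272s >= -30000s",
    r"Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 1440 Thread sleep time: -510000s >= -30000s",
    r"Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 6676 Thread sleep time: -210000s >= -30000s",
    r"Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 7040 Thread sleep time: -30000s >= -30000s",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for (proc, tid), e in sorted(result.items()):
        name = proc.rsplit("\\", 1)[-1]
        print(f"{name:20} TID {tid:<5} finite={e.genuine_ms / 1000:>7.1f}s "
              f"({e.genuine_count} sleeps, longest {e.longest_ms / 1000:.1f}s) infinite_waits={e.infinite_waits}")
    print("long-sleep candidates:", evasion_candidates(result))
```

On the constructed subset only igfxCUIService.exe threads 1440 (8.5 min) and 6676 (3.5 min) clear the 3-minute bar; every powershell.exe entry collapses to a count of runtime infinite waits, which is the usual picture for a PowerShell host process and should not by itself be read as sleep-based evasion.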
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1882
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1495
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe API coverage: 8.1 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002CB17F FindFirstFileExW, 5_2_002CB17F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34365
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 32272
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 33137
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34610
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 33984
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 31561
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34548
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34573
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 30562
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 32258
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34400
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 34267
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 32795
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 33723
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 30077
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 31852
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 30644
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 31359
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 31944
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 32623
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 32226
Source: C:\ProgramData\SystemData\igfxCUIService.exe Thread delayed: delay time: 33946
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.934965580.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936888635.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926697052.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932777879.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914951380.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919370011.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924907185.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913311525.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWg|&
Source: powershell.exe, 00000003.00000003.717158709.0000000004E4F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.820363609.0000000005221000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: getmac.exe, 00000009.00000002.803585343.0000000000A6D000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802570744.0000000000A6A000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802525219.0000000000A64000.00000004.00000001.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: igfxCUIService.exe, 00000005.00000003.878492496.0000000001203000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.934965580.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936888635.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926697052.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932777879.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914951380.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919370011.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924907185.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913311525.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: getmac.exe, 00000009.00000002.803585343.0000000000A6D000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802570744.0000000000A6A000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802525219.0000000000A64000.00000004.00000001.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: igfxCUIService.exe, 00000020.00000002.956196667.000000000146D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000003.00000002.729878512.0000000004843000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.717158709.0000000004E4F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.820363609.0000000005221000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012D1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_012D1195
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012A40F0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer, 1_2_012A40F0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012DAF0E mov eax, dword ptr fs:[00000030h] 1_2_012DAF0E
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012D2B5D mov eax, dword ptr fs:[00000030h] 1_2_012D2B5D
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002C2B5D mov eax, dword ptr fs:[00000030h] 5_2_002C2B5D
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002CAF0E mov eax, dword ptr fs:[00000030h] 5_2_002CAF0E
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012D1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_012D1195
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012C46CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_012C46CB
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B4F68 SetUnhandledExceptionFilter, 5_2_002B4F68
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002C1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_002C1195
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B46CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_002B46CB
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: 5_2_002B4DD5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_002B4DD5

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: Base64 decoded [B> j^6jm&Z"}+"qfyRzmb'rb}#6i,jzjlm
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
Source: C:\ProgramData\SystemData\igfxCUIService.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic nicconfig where 'IPEnabled = True' get ipaddress
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: EnumSystemLocalesW, 1_2_012DE5C0
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_012DEC7F
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: GetLocaleInfoW, 1_2_012D98B8
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_012DE31E
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: EnumSystemLocalesW, 1_2_012D9396
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: EnumSystemLocalesW, 1_2_012DE60B
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_012DEAAA
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: EnumSystemLocalesW, 1_2_012DE6A6
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_002CE31E
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: EnumSystemLocalesW, 5_2_002C9396
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: EnumSystemLocalesW, 5_2_002CE5C0
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: EnumSystemLocalesW, 5_2_002CE60B
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: EnumSystemLocalesW, 5_2_002CE6A6
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_002CE731
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetLocaleInfoW, 5_2_002C98B8
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetLocaleInfoW, 5_2_002CE984
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_002CEAAA
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetLocaleInfoW, 5_2_002CEBB0
Source: C:\ProgramData\SystemData\igfxCUIService.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_002CEC7F
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012C48C6 cpuid 1_2_012C48C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080942C4 CreateNamedPipeW, 7_2_080942C4
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe Code function: 1_2_012C529D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_012C529D