Windows Analysis Report
imfsbSvc.exe

Overview

General Information

Sample name:	imfsbSvc.exe
Analysis ID:	1564524
MD5:	ca73da8345de507ac023d52b4b5c1814
SHA1:	ef32667de23715ef2903b185c08ed9b5dc7cfeed
SHA256:	5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	63
Range:	0 - 100

Signatures

Multi AV Scanner detection for dropped file

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Connects to many ports of the same IP (likely port scanning)

Deletes itself after installation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Outbound Network Connection To Public IP Via Winlogon

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\IObit\DgApi.dll	ReversingLabs: Detection: 36%
Source: C:\ProgramData\IObit\imfsbDll.dll	ReversingLabs: Detection: 39%

Compliance

Source: imfsbSvc.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 160.16.200.77:443 -> 192.168.11.20:49707 version: TLS 1.2

Source: imfsbSvc.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr
Source:	Binary string: C:\IMF9\sandboxie-master\core\low\obj\amd64\LowLevel.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source:	Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbSvc.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source:	Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb7 source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 160.16.200.77 ports 8443,3,443,4,8,80

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49706 -> 160.16.200.77:8443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SAKURA-BSAKURAInternetIncJP SAKURA-BSAKURAInternetIncJP

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /000000000039F130000000000039F130 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 98User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /00000000003BB6CD00000000003BB6CD HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 147User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /00000000003C68D800000000003C68D8 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 151User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /000000000039F835000000000039F835 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 94User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: 0e d5 78 81 24 a5 62 c4 c7 d6 5b 41 a9 43 0a 6e 3e 87 79 6e df 6b 34 25 bd 18 c6 71 58 e5 bd 0e e3 cb b3 d8 5b 64 f4 7c ad 94 b9 e7 c6 43 09 0e 71 2b 51 4e 0c ae b2 63 5c 63 24 ba 9d 21 4e a1 97 28 25 cf c3 45 43 d5 a4 fb 33 19 db c8 e0 44 8a 71 49 4f b0 25 c6 e3 d4 6f ad 21 8c e2 Data Ascii: x$b[ACn>ynk4%qX[d\|Cq+QNc\c$!N(%EC3DqIO%o!
Source: global traffic	HTTP traffic detected: POST /00000000003BBBAF00000000003BBBAF HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 102User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: 63 5e ec 29 63 dd 0f f5 77 3c 20 d3 47 b2 7e 99 f8 5b e1 58 ec 98 d0 77 ad 02 d6 a3 c5 53 28 f2 b0 8f a7 3e b1 66 88 50 80 df 46 e9 51 b4 07 73 7c dd c7 c9 df d4 d1 69 d9 50 dd 16 74 09 1b 32 e0 40 cb c4 89 67 a9 f2 89 4b a3 e7 b5 20 d1 27 77 86 1e 91 b1 d7 be 7b d1 48 20 d1 0f ab 7c 92 90 5b 99 6c 14 b0 Data Ascii: c^)cw< G~[XwS(>fPFQs\|iPt2@gK 'w{H \|[l
Source: global traffic	HTTP traffic detected: POST /00000000003C6DE800000000003C6DE8 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, /Content-Length: 84User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: f7 c8 c6 cc e5 6f e9 6a 06 39 89 de 9f 8f cd fb 5d ec b1 a4 6b c5 42 93 0c 40 90 4c 05 d2 bf 18 57 be a0 47 0b e0 f1 5d 82 87 69 84 9d c2 88 2f 01 64 cd 03 71 71 f7 12 47 a9 df d9 ed 82 4a ec 8f a5 83 70 d3 27 19 05 f2 a2 76 01 34 3d 51 41 d6 ae 21 b7 Data Ascii: oj9]kB@LWG]i/dqqGJp'v4=QA!

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: esh.hoovernamosong.com

Source: unknown

HTTP traffic detected: POST /000000000039F130000000000039F130 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 98User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:31:41 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:33:37 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:34:23 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:31:42 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:33:38 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:34:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://esh.hoovernamosong.com:80
Source: winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://esh.hoovernamosong.com:80%
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://esh.hoovernamosong.com:806
Source: winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://esh.hoovernamosong.com:80B
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000009.00000002.2515546830.0000019175A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835(
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835M
Source: winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785733553.00000289D1520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF
Source: winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF(
Source: winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF1
Source: winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAFa
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8#
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE83.0.30729;
Source: winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8G
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8Y
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8t
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: qmgr.db.9.dr	String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: qmgr.db.9.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: qmgr.db.9.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
Source: qmgr.db.9.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
Source: qmgr.db.9.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
Source: qmgr.db.9.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
Source: qmgr.db.9.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
Source: svchost.exe, 0000000A.00000002.1413674689.000001EB6AA13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412147713.000001EB6AA5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.1412704562.000001EB6AA4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/
Source: winlogon.exe, 00000005.00000003.992664689.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/000000000039F130000000000039F130
Source: winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/000000000039F130000000000039F130c
Source: winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD
Source: winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD#
Source: winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD(
Source: winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CDIDInfo
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8(
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D81
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8M
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8g(P#
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/ernamosong.com/00000000003BB6CD00000000003BB6CD#
Source: winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://esh.hoovernamosong.com/r
Source: qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: qmgr.db.9.dr	String found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: svchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
Source: svchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=
Source: svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown

HTTPS traffic detected: 160.16.200.77:443 -> 192.168.11.20:49707 version: TLS 1.2

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: imfsbSvc.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: imfsbSvc.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26369000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe
Source: imfsbSvc.exe, 00000000.00000002.937404523.0000000055AEE000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe
Source: imfsbSvc.exe, 00000004.00000002.1237149499.0000000055A4E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe

Source: imfsbDll.dll.0.dr	Binary string: sppc.dllSPPCTransportEndpoint-00001B18FBAB6-56F8-4702-84E0-41053293A869_vsnwprintfntdll_vsnprintf\Device\SandboxieDriverApi%S%SNotifyServiceStatusChangeANotifyServiceStatusChangeANotifyServiceStatusChangeWNotifyServiceStatusChangeWChangeServiceConfigAChangeServiceConfigAChangeServiceConfigWChangeServiceConfigWChangeServiceConfig2AChangeServiceConfig2AChangeServiceConfig2WChangeServiceConfig2WCloseServiceHandleCloseServiceHandleControlServiceControlServiceCreateServiceACreateServiceACreateServiceWCreateServiceWDeleteServiceDeleteServiceOpenSCManagerAOpenSCManagerAOpenSCManagerWOpenSCManagerWOpenServiceAOpenServiceAOpenServiceWOpenServiceWQueryServiceConfigAQueryServiceConfigAQueryServiceConfigWQueryServiceConfigWQueryServiceConfig2AQueryServiceConfig2AQueryServiceConfig2WQueryServiceConfig2WQueryServiceObjectSecurityQueryServiceObjectSecurityQueryServiceStatusQueryServiceStatusQueryServiceStatusExQueryServiceStatusExRegisterServiceCtrlHandlerARegisterServiceCtrlHandlerARegisterServiceCtrlHandlerWRegisterServiceCtrlHandlerWRegisterServiceCtrlHandlerExARegisterServiceCtrlHandlerExARegisterServiceCtrlHandlerExWRegisterServiceCtrlHandlerExWSetServiceObjectSecuritySetServiceObjectSecuritySetServiceStatusSetServiceStatusStartServiceAStartServiceAStartServiceWStartServiceWStartServiceCtrlDispatcherAStartServiceCtrlDispatcherAStartServiceCtrlDispatcherWStartServiceCtrlDispatcherWcryptsvc
Source: imfsbSvc.exe.0.dr	Binary string: DropAdminRightsNtAlpcConnectPortNtAlpcSendWaitReceivePortlsarpcsrvsvcwkssvcsamrnetlogon\device\mup\\PIPE\\device\namedpipe\ntsvcsplugplay\RPC Control\%s_NetProxy:Use=%c:Use=NtReplyWaitReceivePort beforeNtReplyWaitReceivePort afterGetProcessIdOfThreadProcessServer::Handler/msg->msgid: %dProcessServer::RunSandboxedHandlerProcessServer::RunSandboxedHandler/ cmd: %sdir: %senv: %sProcessServer::RunSandboxedHandler/CallerPid: %dProcessServer::RunSandboxedHandler/OpenProcess trueCallerInSandbox = trueCallerInSandbox = falsePrimaryTokenHandleCallerPid: %dRunSandboxedStartProcess sucRunSandboxedDupAndCloseHandles sucRunSandboxedDupAndCloseHandles failRunSandboxedStartProcess fail err: %d!PrimaryTokenHandleOpenProcess fail, err: %dSYSTEMTHREADProcessServer::RunSandboxedStartProcesscrflags2 != (crflags)COMSRVcmd is COMSRV*CallerProcessId: %dRunSandboxedComServer fail, !cmdCreateProcessAsUser cmd: %sCreateProcessAsUser LastError: %dSetThreadTokenSetThreadToken !ok LastError: %dok && StartProgramInSandboxSbieApi_CallTwo rc != 0 LastError: %d! ok TerminateProcess 1020!StartProgramInSandbox 1021!ok 1022\imfsbSvc.exe" Sandboxie_ComProxy_ComServer:pstorec.dllPStoreCreateInstanceGlobalSettingsUserSettings_UserSettings_PortableUserSettings_%08XMicrosoft Base Cryptographic Provider v1.0[%d / %08X]EditAdminOnlyEditPassword]
Source: imfsbSvc.exe.0.dr	Binary string: F.urlURLInternetShortcut ""00000000_SBIE_COMSRV_EXE00000000_SBIE_COMSRV_CMDiexplore.exewmplayer.exewinamp.exekmplayer.exe/Enqueue%S [HR=%08X/%d]"%s" "%s"O:SYG:SYD:(A;;GA;;;SY)%s-internal-%dDriverAssist::MsgWorkerThreadMsgWorkerThread msgid: %d[11 / %d]???[33 / %08X]\Software\Microsoft\Windows\CurrentVersion\ExplorerLogon User Name%S [%d / %d][%08X]\Registry\Machine\System\CurrentControlSet\Services\imfsbDrvSeLoadDriverPrivilege5.40%SLOWLEVEL.textzzzzLdrInitializeThunk\imfsbDll.dllLdrLoadDllLdrGetProcedureAddressNtRaiseHardErrorRtlFindActivationContextSectionStringkernel32.dll\32ERROR_NOT_READYInjectLow_OpenProcess failNtDeviceIoControlFileInjectLow_SendHandle failInjectLow_BuildTramp failInjectLow_CopySyscalls failInjectLow_CopyData failInjectLow_WriteJump fail!msg->bHostInjectGuiServer::GetInstance()->InitProcess failSbieApi_CallOne API_INJECT_COMPLETE sucerrlvl err: %d%S [%02X / %d]hProcesserrlvlInjectLow_OpenProcessOpenProcess suctime.dwLowDateTime == msg->create_time\Device\SandboxieDriverApi%S [%02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X]kernel32.dllntdll.dllLogFile%04d-%02d-%02d %02d:%02d:%02d %sMultiLog

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6616:304:WilStaging_02
Source: C:\ProgramData\IObit\imfsbSvc.exe	Mutant created: \BaseNamedObjects\Global\YUDQZWQCDE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:304:WilStaging_02
Source: C:\Windows\System32\winlogon.exe	Mutant created: \BaseNamedObjects\Global\HUnsdg6TYGD8JKSDUjayda09hasd
Source: C:\Users\user\Desktop\imfsbSvc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\DMJAESUETR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6616:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\imfsbSvc.exe "C:\Users\user\Desktop\imfsbSvc.exe"
Source: C:\Users\user\Desktop\imfsbSvc.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore
Source: unknown	Process created: C:\ProgramData\IObit\imfsbSvc.exe C:\ProgramData\IObit\imfsbSvc.exe
Source: C:\ProgramData\IObit\imfsbSvc.exe	Process created: C:\Windows\System32\winlogon.exe C:\Windows\system32\winlogon.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\imfsbSvc.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore	Jump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exe	Process created: C:\Windows\System32\winlogon.exe C:\Windows\system32\winlogon.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: imfsbSvc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: imfsbSvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: imfsbSvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: imfsbSvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: imfsbSvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: imfsbSvc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\imfsbSvc.exe	File created: C:\ProgramData\IObit\DgApi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exe	File created: C:\ProgramData\IObit\imfsbSvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exe	File created: C:\ProgramData\IObit\imfsbDll.dll	Jump to dropped file

Source: C:\Windows\System32\winlogon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\ProgramData\IObit\imfsbSvc.exe TID: 8920	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3012	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3012	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\IObit\imfsbSvc.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\ProgramData\IObit\imfsbSvc.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Thread delayed: delay time: 110000	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Thread delayed: delay time: 140000	Jump to behavior

Source: imfsbSvc.exe, 00000004.00000002.1237595354.0000029F009E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&/
Source: winlogon.exe, 00000005.00000003.2604696671.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09BF000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D0941000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785424916.00000289D09B1000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099469685.00000289D09B0000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D0966000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D096E000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515681394.0000019175A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.2783609777.000001E6CF202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: imfsbSvc.exe, 00000000.00000002.937668906.000001BB26356000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\imfsbSvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\ProgramData\IObit\imfsbSvc.exe	Memory written: C:\Windows\System32\winlogon.exe base: 289D08A0000			Jump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exe	Memory written: C:\Windows\System32\winlogon.exe base: 7FF6C19AD9A0			Jump to behavior

Source: imfsbSvc.exe, imfsbSvc.exe.0.dr	Binary or memory string: CicMarshalWndClassProgmanMSTaskSwWClassexcel.exepowerpnt.exe
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr	Binary or memory string: *GUIPROXY_%08X\imfsbSvc.exe" Sandboxie%s_GuiProxy_%08X,%dWinSta0\Default[%02X / %08X]_GuiProxy_Console,IsHungAppWindowuser32.dllNtUserQueryWindowwin32u.dll_GuiProxy%s_%s_Session_%d_Job_%08XS:(ML;;NW;;;LW)%s_WinSta_%d\%s_Desktop_%dSandboxie_ConsoleReadyEvent_%08XSandboxie_GuiProxy_Console,CloseClipboard %08XShell_TrayWndASIndicator/ignoreuipi$:

Source: C:\Users\user\Desktop\imfsbSvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: svchost.exe, 0000000E.00000002.2785016923.00000219A6902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.2785016923.00000219A6902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Windows Analysis Report imfsbSvc.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
imfsbSvc.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Source: C:\Windows\System32\winlogon.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js			Jump to behavior
Source: C:\Windows\System32\winlogon.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Name	Malicious	Antivirus Detection	Reputation
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8	true	Avira URL Cloud: safe	unknown
http://esh.hoovernamosong.com/000000000039F835000000000039F835	true	Avira URL Cloud: safe	unknown
https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD	true	Avira URL Cloud: safe	unknown
http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF	true	Avira URL Cloud: safe	unknown
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8	true	Avira URL Cloud: safe	unknown
https://esh.hoovernamosong.com/000000000039F130000000000039F130	true	Avira URL Cloud: safe	unknown

ID:	1564524
Product:	CloudBasic
Start time:	13:26:41
Start date:	28.11.2024
Sample:	imfsbSvc.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	ca73da8345de507ac023d52b4b5c1814
SHA1:	ef32667de23715ef2903b185c08ed9b5dc7cfeed
SHA256:	5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a
Filetype:	Win64 Executable GUI (202006/5) 92.65%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\IObit\DgApi.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	43F3F328248DA7BDA95407968604FF0B	7D9EA7C8934D293429103FD0F8F58B370BD1249B	B2B617E62353A672626C13CC7AD81B27F23F91282AAD7A3A0DB471D84852A9AC
C:\ProgramData\IObit\dbindex.dat	data	B706F4806DC88611873CADEB3AD1FF97	DFE752F103E8E0CDB6EE419A5E753A451488420C	1A38303FB392CCC5A88D236B4F97ED404A89C1617F34B96ED826E7BB7257E296
C:\ProgramData\IObit\imfsbDll.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	45D7997340065904AE092AC427C54F41	6CD5114BEDF9C867B32558EE961FBF052A2A125D	05840DE7FA648C41C60844C4E5D53DBB3BC2A5250DCB158A95B77BC0F68FA870
C:\ProgramData\IObit\imfsbSvc.exe	PE32+ executable (GUI) x86-64, for MS Windows	CA73DA8345DE507AC023D52B4B5C1814	EF32667DE23715EF2903B185C08ED9B5DC7CFEED	5B88F7D36FE435CD6944BDA05F1758F64C7D5136A5F529A58522AC3B0DC9743A
C:\ProgramData\IObit\imfsbSvc.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	6392E749087750C619B28C674473B996	DE33774F94EC8C968A49D8188FCBCD09BC63ECED	9E4E6E5AAE2BCFB52099CF307BBF20E844A3059CD31D6A5FFE2560AE2E2601B6
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	0E39E31023DBAFABCAC3124A07EE4A17	D6777B3F0A79218673037DDF4F1B0050208B25C4	E21B3FBD4954C61909B67FF5E23EEAEB06C092B530BC7CB9F9DDFEB1201E4CCD
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x0bb51b49, page size 16384, Windows version 10.0	DC4D27B72770FC7FB056D46362360AFD	DA89FDD6EC21060247BC0396CD7A8EBF44FAF6A4	F939434CB69DA913A051CA03A5EC529EAA2C2B5409AC10A31DD8BA9308480A53
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	DB024FD7E4FB67F58501B9E4737B663A	2B8E86CFE898A058ED8F3693492425D0FF409A0A	DFAA7A33B558E3AF7094BE8FBF9BD62F0DD7E89BDC3E359B4A956484EFCE7078
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	19E95CC8D6A7D1042A7ED18E3783A7C6	FAA129F1CC25579B2BA47D514DC843B604EB7458	9E5FF30923322A350AD9F543A1CF7021F1BF84F9E3DF05F4E150C11859AEE825