Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
imfsbSvc.exe

Overview

General Information

Sample name:imfsbSvc.exe
Analysis ID:1564524
MD5:ca73da8345de507ac023d52b4b5c1814
SHA1:ef32667de23715ef2903b185c08ed9b5dc7cfeed
SHA256:5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:63
Range:0 - 100

Signatures

Multi AV Scanner detection for dropped file
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Deletes itself after installation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Outbound Network Connection To Public IP Via Winlogon
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64native
  • imfsbSvc.exe (PID: 8820 cmdline: "C:\Users\user\Desktop\imfsbSvc.exe" MD5: CA73DA8345DE507AC023D52B4B5C1814)
    • cmd.exe (PID: 8844 cmdline: C:\Windows\system32\cmd.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • sc.exe (PID: 8900 cmdline: sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • imfsbSvc.exe (PID: 8916 cmdline: C:\ProgramData\IObit\imfsbSvc.exe MD5: CA73DA8345DE507AC023D52B4B5C1814)
    • winlogon.exe (PID: 8940 cmdline: C:\Windows\system32\winlogon.exe MD5: A987B43E6A8E8F894B98A3DF022DB518)
  • svchost.exe (PID: 3240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
  • svchost.exe (PID: 2044 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: F586835082F632DC8D9404D83BC16316)
  • SgrmBroker.exe (PID: 7800 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • sppsvc.exe (PID: 7604 cmdline: C:\Windows\system32\sppsvc.exe MD5: 30C7EF47B57367CC546173BB4BB2BB04)
  • svchost.exe (PID: 8408 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: F586835082F632DC8D9404D83BC16316)
  • svchost.exe (PID: 8840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: F586835082F632DC8D9404D83BC16316)
    • MpCmdRun.exe (PID: 4248 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • svchost.exe (PID: 9148 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Outbound Network Connection To Public IP Via Winlogon
Source: Network ConnectionAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: DestinationIp: 160.16.200.77, DestinationIsIpv6: false, DestinationPort: 8443, EventID: 3, Image: C:\Windows\System32\winlogon.exe, Initiated: true, ProcessId: 8940, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49706
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore, CommandLine: sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8844, ParentProcessName: cmd.exe, ProcessCommandLine: sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore, ProcessId: 8900, ProcessName: sc.exe
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\winlogon.exe, CommandLine: C:\Windows\system32\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\ProgramData\IObit\imfsbSvc.exe, ParentImage: C:\ProgramData\IObit\imfsbSvc.exe, ParentProcessId: 8916, ParentProcessName: imfsbSvc.exe, ProcessCommandLine: C:\Windows\system32\winlogon.exe, ProcessId: 8940, ProcessName: winlogon.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\IObit\DgApi.dllReversingLabs: Detection: 36%
Source: C:\ProgramData\IObit\imfsbDll.dllReversingLabs: Detection: 39%

Compliance

barindex
PE / OLE file has a valid certificate
Source: imfsbSvc.exeStatic PE information: certificate valid
Uses secure TLS version for HTTPS connections
Source: unknownHTTPS traffic detected: 160.16.200.77:443 -> 192.168.11.20:49707 version: TLS 1.2
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: imfsbSvc.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Binary contains paths to debug symbols
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\core\low\obj\amd64\LowLevel.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbSvc.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb7 source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr

Networking

barindex
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 160.16.200.77 ports 8443,3,443,4,8,80
Source: global trafficTCP traffic: 192.168.11.20:49706 -> 160.16.200.77:8443
Source: Joe Sandbox ViewASN Name: SAKURA-BSAKURAInternetIncJP SAKURA-BSAKURAInternetIncJP
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global trafficHTTP traffic detected: POST /000000000039F130000000000039F130 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 98User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: POST /00000000003BB6CD00000000003BB6CD HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 147User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: POST /00000000003C68D800000000003C68D8 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 151User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: POST /000000000039F835000000000039F835 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 94User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: 0e d5 78 81 24 a5 62 c4 c7 d6 5b 41 a9 43 0a 6e 3e 87 79 6e df 6b 34 25 bd 18 c6 71 58 e5 bd 0e e3 cb b3 d8 5b 64 f4 7c ad 94 b9 e7 c6 43 09 0e 71 2b 51 4e 0c ae b2 63 5c 63 24 ba 9d 21 4e a1 97 28 25 cf c3 45 43 d5 a4 fb 33 19 db c8 e0 44 8a 71 49 4f b0 25 c6 e3 d4 6f ad 21 8c e2 Data Ascii: x$b[ACn>ynk4%qX[d|Cq+QNc\c$!N(%EC3DqIO%o!
Source: global trafficHTTP traffic detected: POST /00000000003BBBAF00000000003BBBAF HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 102User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: 63 5e ec 29 63 dd 0f f5 77 3c 20 d3 47 b2 7e 99 f8 5b e1 58 ec 98 d0 77 ad 02 d6 a3 c5 53 28 f2 b0 8f a7 3e b1 66 88 50 80 df 46 e9 51 b4 07 73 7c dd c7 c9 df d4 d1 69 d9 50 dd 16 74 09 1b 32 e0 40 cb c4 89 67 a9 f2 89 4b a3 e7 b5 20 d1 27 77 86 1e 91 b1 d7 be 7b d1 48 20 d1 0f ab 7c 92 90 5b 99 6c 14 b0 Data Ascii: c^)cw< G~[XwS(>fPFQs|iPt2@gK 'w{H |[l
Source: global trafficHTTP traffic detected: POST /00000000003C6DE800000000003C6DE8 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 84User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cacheData Raw: f7 c8 c6 cc e5 6f e9 6a 06 39 89 de 9f 8f cd fb 5d ec b1 a4 6b c5 42 93 0c 40 90 4c 05 d2 bf 18 57 be a0 47 0b e0 f1 5d 82 87 69 84 9d c2 88 2f 01 64 cd 03 71 71 f7 12 47 a9 df d9 ed 82 4a ec 8f a5 83 70 d3 27 19 05 f2 a2 76 01 34 3d 51 41 d6 ae 21 b7 Data Ascii: oj9]kB@LWG]i/dqqGJp'v4=QA!
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: esh.hoovernamosong.com
Source: unknownHTTP traffic detected: POST /000000000039F130000000000039F130 HTTP/1.1Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*Content-Length: 98User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: esh.hoovernamosong.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:31:41 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:33:37 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:34:23 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:31:42 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:33:38 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 28 Nov 2024 12:34:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: HTTP://esh.hoovernamosong.com:80
Source: winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: HTTP://esh.hoovernamosong.com:80%
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: HTTP://esh.hoovernamosong.com:806
Source: winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: HTTP://esh.hoovernamosong.com:80B
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000009.00000002.2515546830.0000019175A54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835(
Source: winlogon.exe, 00000005.00000003.2099146701.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/000000000039F835000000000039F835M
Source: winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785733553.00000289D1520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF
Source: winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF(
Source: winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF1
Source: winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAFa
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8#
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE83.0.30729;
Source: winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8G
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8Y
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8t
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://ocsp.digicert.com0H
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://ocsp.digicert.com0I
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
Source: qmgr.db.9.drString found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
Source: qmgr.db.9.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
Source: qmgr.db.9.drString found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
Source: svchost.exe, 0000000A.00000002.1413674689.000001EB6AA13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412147713.000001EB6AA5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.1412704562.000001EB6AA4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/
Source: winlogon.exe, 00000005.00000003.992664689.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/000000000039F130000000000039F130
Source: winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/000000000039F130000000000039F130c
Source: winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD
Source: winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD#
Source: winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD(
Source: winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CDIDInfo
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8(
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D81
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8M
Source: winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8g(P#
Source: winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/ernamosong.com/00000000003BB6CD00000000003BB6CD#
Source: winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://esh.hoovernamosong.com/r
Source: qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: qmgr.db.9.drString found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
Source: winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: svchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
Source: svchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=
Source: svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: imfsbSvc.exe, imfsbSvc.exe.0.dr, imfsbDll.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownHTTPS traffic detected: 160.16.200.77:443 -> 192.168.11.20:49707 version: TLS 1.2
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
Source: imfsbSvc.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: imfsbSvc.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26369000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe
Source: imfsbSvc.exe, 00000000.00000002.937404523.0000000055AEE000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe
Source: imfsbSvc.exe, 00000004.00000002.1237149499.0000000055A4E000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenameimfsbDll.dll vs imfsbSvc.exe
Source: imfsbDll.dll.0.drBinary string: sppc.dllSPPCTransportEndpoint-00001B18FBAB6-56F8-4702-84E0-41053293A869_vsnwprintfntdll_vsnprintf\Device\SandboxieDriverApi%S%SNotifyServiceStatusChangeANotifyServiceStatusChangeANotifyServiceStatusChangeWNotifyServiceStatusChangeWChangeServiceConfigAChangeServiceConfigAChangeServiceConfigWChangeServiceConfigWChangeServiceConfig2AChangeServiceConfig2AChangeServiceConfig2WChangeServiceConfig2WCloseServiceHandleCloseServiceHandleControlServiceControlServiceCreateServiceACreateServiceACreateServiceWCreateServiceWDeleteServiceDeleteServiceOpenSCManagerAOpenSCManagerAOpenSCManagerWOpenSCManagerWOpenServiceAOpenServiceAOpenServiceWOpenServiceWQueryServiceConfigAQueryServiceConfigAQueryServiceConfigWQueryServiceConfigWQueryServiceConfig2AQueryServiceConfig2AQueryServiceConfig2WQueryServiceConfig2WQueryServiceObjectSecurityQueryServiceObjectSecurityQueryServiceStatusQueryServiceStatusQueryServiceStatusExQueryServiceStatusExRegisterServiceCtrlHandlerARegisterServiceCtrlHandlerARegisterServiceCtrlHandlerWRegisterServiceCtrlHandlerWRegisterServiceCtrlHandlerExARegisterServiceCtrlHandlerExARegisterServiceCtrlHandlerExWRegisterServiceCtrlHandlerExWSetServiceObjectSecuritySetServiceObjectSecuritySetServiceStatusSetServiceStatusStartServiceAStartServiceAStartServiceWStartServiceWStartServiceCtrlDispatcherAStartServiceCtrlDispatcherAStartServiceCtrlDispatcherWStartServiceCtrlDispatcherWcryptsvc
Source: imfsbSvc.exe.0.drBinary string: DropAdminRightsNtAlpcConnectPortNtAlpcSendWaitReceivePortlsarpcsrvsvcwkssvcsamrnetlogon\device\mup\\PIPE\\device\namedpipe\ntsvcsplugplay\RPC Control\%s_NetProxy:Use=%c:Use=NtReplyWaitReceivePort beforeNtReplyWaitReceivePort afterGetProcessIdOfThreadProcessServer::Handler/msg->msgid: %dProcessServer::RunSandboxedHandlerProcessServer::RunSandboxedHandler/ cmd: %sdir: %senv: %sProcessServer::RunSandboxedHandler/CallerPid: %dProcessServer::RunSandboxedHandler/OpenProcess trueCallerInSandbox = trueCallerInSandbox = falsePrimaryTokenHandleCallerPid: %dRunSandboxedStartProcess sucRunSandboxedDupAndCloseHandles sucRunSandboxedDupAndCloseHandles failRunSandboxedStartProcess fail err: %d!PrimaryTokenHandleOpenProcess fail, err: %d*SYSTEM**THREAD*ProcessServer::RunSandboxedStartProcesscrflags2 != (*crflags)*COMSRV*cmd is *COMSRV*CallerProcessId: %dRunSandboxedComServer fail, !cmdCreateProcessAsUser cmd: %sCreateProcessAsUser LastError: %dSetThreadTokenSetThreadToken !ok LastError: %dok && StartProgramInSandboxSbieApi_CallTwo rc != 0 LastError: %d! ok TerminateProcess 1020!StartProgramInSandbox 1021!ok 1022\imfsbSvc.exe" Sandboxie_ComProxy_ComServer:pstorec.dllPStoreCreateInstanceGlobalSettingsUserSettings_UserSettings_PortableUserSettings_%08XMicrosoft Base Cryptographic Provider v1.0[%d / %08X]EditAdminOnlyEditPassword]
Source: imfsbSvc.exe.0.drBinary string: F.urlURLInternetShortcut ""00000000_SBIE_COMSRV_EXE00000000_SBIE_COMSRV_CMDiexplore.exewmplayer.exewinamp.exekmplayer.exe/Enqueue%S [HR=%08X/%d]"%s" "%s"O:SYG:SYD:(A;;GA;;;SY)%s-internal-%dDriverAssist::MsgWorkerThreadMsgWorkerThread msgid: %d[11 / %d]*?*?*?*[33 / %08X]\Software\Microsoft\Windows\CurrentVersion\ExplorerLogon User Name%S [%d / %d][%08X]\Registry\Machine\System\CurrentControlSet\Services\imfsbDrvSeLoadDriverPrivilege5.40%SLOWLEVEL.textzzzzLdrInitializeThunk\imfsbDll.dllLdrLoadDllLdrGetProcedureAddressNtRaiseHardErrorRtlFindActivationContextSectionStringkernel32.dll\32ERROR_NOT_READYInjectLow_OpenProcess failNtDeviceIoControlFileInjectLow_SendHandle failInjectLow_BuildTramp failInjectLow_CopySyscalls failInjectLow_CopyData failInjectLow_WriteJump fail!msg->bHostInjectGuiServer::GetInstance()->InitProcess failSbieApi_CallOne API_INJECT_COMPLETE sucerrlvl err: %d%S [%02X / %d]hProcesserrlvlInjectLow_OpenProcessOpenProcess suctime.dwLowDateTime == msg->create_time\Device\SandboxieDriverApi%S [%02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X]kernel32.dllntdll.dllLogFile%04d-%02d-%02d %02d:%02d:%02d %sMultiLog
Source: classification engineClassification label: mal76.troj.spyw.evad.winEXE@19/11@4/2
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6616:304:WilStaging_02
Source: C:\ProgramData\IObit\imfsbSvc.exeMutant created: \BaseNamedObjects\Global\YUDQZWQCDE
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:304:WilStaging_02
Source: C:\Windows\System32\winlogon.exeMutant created: \BaseNamedObjects\Global\HUnsdg6TYGD8JKSDUjayda09hasd
Source: C:\Users\user\Desktop\imfsbSvc.exeMutant created: \Sessions\1\BaseNamedObjects\Global\DMJAESUETR
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: imfsbSvc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\winlogon.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeFile read: C:\Users\user\Desktop\imfsbSvc.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\imfsbSvc.exe "C:\Users\user\Desktop\imfsbSvc.exe"
Source: C:\Users\user\Desktop\imfsbSvc.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore
Source: unknownProcess created: C:\ProgramData\IObit\imfsbSvc.exe C:\ProgramData\IObit\imfsbSvc.exe
Source: C:\ProgramData\IObit\imfsbSvc.exeProcess created: C:\Windows\System32\winlogon.exe C:\Windows\system32\winlogon.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\imfsbSvc.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignoreJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeProcess created: C:\Windows\System32\winlogon.exe C:\Windows\system32\winlogon.exeJump to behavior
Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenableJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: imfsbdll.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: imfsbdll.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: userenv.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: netapi32.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: wkscli.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\winlogon.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wscsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vbsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: securitycenterbroker.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: edgegdi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
Source: imfsbSvc.exeStatic PE information: certificate valid
Source: imfsbSvc.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: imfsbSvc.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: imfsbSvc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\core\low\obj\amd64\LowLevel.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbSvc.pdb source: imfsbSvc.exe, imfsbSvc.exe.0.dr
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb7 source: imfsbSvc.exe, 00000000.00000003.931799901.000001BB26396000.00000004.00000020.00020000.00000000.sdmp, imfsbSvc.exe, 00000000.00000002.937298009.0000000055ACE000.00000002.00000001.01000000.00000004.sdmp, imfsbSvc.exe, 00000004.00000002.1237019264.0000000055A2E000.00000002.00000001.01000000.00000007.sdmp, imfsbDll.dll.0.dr
Source: imfsbSvc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: imfsbSvc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: imfsbSvc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: imfsbSvc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: imfsbSvc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\DgApi.dllJump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\imfsbSvc.exeJump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\imfsbDll.dllJump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\DgApi.dllJump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\imfsbSvc.exeJump to dropped file
Source: C:\Users\user\Desktop\imfsbSvc.exeFile created: C:\ProgramData\IObit\imfsbDll.dllJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore

Hooking and other Techniques for Hiding and Protection

barindex
Deletes itself after installation
Source: C:\Windows\System32\winlogon.exeFile deleted: c:\users\user\desktop\imfsbsvc.exeJump to behavior
Source: C:\Windows\System32\winlogon.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IObit\VSUBVZEHXI YUVJYXLUJump to behavior
Source: C:\Windows\System32\winlogon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\winlogon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: imfsbSvc.exe, imfsbSvc.exe.0.drBinary or memory string: [12 / %D][13 / %D][14 / %D][15 / %D][16 / %D][17 / %D][18 / %D]SANDBOXIE.INIINILOCATION.TMP-%DSBIECTRL_ENABLEAUTOSTARTDEFAULT /OPEN /SYNCSBIECTRL.EXESTARTSERVICE%S [%S]/ENV:00000000_SBIE_%S="%S" /BOX:-%D DEVICE_MAPSERVICE_NAME/HIDE_WINDOW IMFSBSTART.EXE%S_UACPROXY:%08X_%08X_%08X_%08X_@%S*MSI*WINDOWS INSTALLERSHGETSTOCKICONINFOSANDBOXIE_UAC_WINDOWCLASSARIAL" RUNASSHELLEXECUTEEXWWINSTA.DLLWINSTATIONQUERYINFORMATIONWWINSTATIONISSESSIONREMOTEABLEWINSTATIONNAMEFROMLOGONIDWWINSTATIONGETCONNECTIONPROPERTYWINSTATIONFREEPROPERTYVALUEWINSTATIONDISCONNECT
Source: C:\Users\user\Desktop\imfsbSvc.exeDropped PE file which has not been started: C:\ProgramData\IObit\DgApi.dllJump to dropped file
Source: C:\ProgramData\IObit\imfsbSvc.exe TID: 8920Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004Thread sleep count: 36 > 30Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004Thread sleep time: -110000s >= -30000sJump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004Thread sleep time: -40000s >= -30000sJump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 9004Thread sleep time: -140000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3012Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3012Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\ProgramData\IObit\imfsbSvc.exeLast function: Thread delayed
Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Windows\System32\winlogon.exeThread delayed: delay time: 110000Jump to behavior
Source: C:\Windows\System32\winlogon.exeThread delayed: delay time: 40000Jump to behavior
Source: C:\Windows\System32\winlogon.exeThread delayed: delay time: 140000Jump to behavior
Source: imfsbSvc.exe, 00000004.00000002.1237595354.0000029F009E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&/
Source: winlogon.exe, 00000005.00000003.2604696671.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09BF000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D0941000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785424916.00000289D09B1000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099469685.00000289D09B0000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D0966000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D096E000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D0969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515681394.0000019175A8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.2783609777.000001E6CF202000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: imfsbSvc.exe, 00000000.00000002.937668906.000001BB26356000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\winlogon.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeProcess token adjusted: DebugJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\winlogon.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Allocates memory in foreign processes
Source: C:\ProgramData\IObit\imfsbSvc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 289D08A0000 protect: page read and writeJump to behavior
Writes to foreign memory regions
Source: C:\ProgramData\IObit\imfsbSvc.exeMemory written: C:\Windows\System32\winlogon.exe base: 289D08A0000Jump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeMemory written: C:\Windows\System32\winlogon.exe base: 7FF6C19AD9A0Jump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignoreJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeProcess created: C:\Windows\System32\winlogon.exe C:\Windows\system32\winlogon.exeJump to behavior
Source: imfsbSvc.exe, imfsbSvc.exe.0.drBinary or memory string: CicMarshalWndClassProgmanMSTaskSwWClassexcel.exepowerpnt.exe
Source: imfsbSvc.exe, imfsbSvc.exe.0.drBinary or memory string: *GUIPROXY_%08X\imfsbSvc.exe" Sandboxie%s_GuiProxy_%08X,%dWinSta0\Default[%02X / %08X]_GuiProxy_Console,IsHungAppWindowuser32.dllNtUserQueryWindowwin32u.dll_GuiProxy%s_%s_Session_%d_Job_%08XS:(ML;;NW;;;LW)%s_WinSta_%d\%s_Desktop_%dSandboxie_ConsoleReadyEvent_%08XSandboxie_GuiProxy_Console,CloseClipboard %08XShell_TrayWndASIndicator/ignoreuipi$:
Source: C:\Users\user\Desktop\imfsbSvc.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\ProgramData\IObit\imfsbSvc.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\winlogon.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\imfsbSvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
Source: svchost.exe, 0000000E.00000002.2785016923.00000219A6902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.2785016923.00000219A6902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\winlogon.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.jsJump to behavior
Source: C:\Windows\System32\winlogon.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation		1
Windows Service		1
Windows Service		1
Masquerading		1
OS Credential Dumping		241
Security Software Discovery		Remote Services1
Data from Local System		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Service Execution		1
DLL Side-Loading		212
Process Injection		1
Disable or Modify Tools		LSASS Memory2
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		1
Modify Registry		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook31
Virtualization/Sandbox Evasion		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput Capture3
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script212
Process Injection		LSA Secrets23
System Information Discovery		SSHKeylogging14
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
File Deletion		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1564524 Sample: imfsbSvc.exe Startdate: 28/11/2024 Architecture: WINDOWS Score: 76 43 esh.hoovernamosong.com 2->43 47 Multi AV Scanner detection for dropped file 2->47 49 Connects to many ports of the same IP (likely port scanning) 2->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->51 8 imfsbSvc.exe 2->8         started        11 imfsbSvc.exe 8 2->11         started        14 svchost.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 dnsIp5 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 19 winlogon.exe 2 12 8->19         started        33 C:\ProgramData\IObit\imfsbSvc.exe, PE32+ 11->33 dropped 35 C:\ProgramData\IObit\imfsbDll.dll, PE32+ 11->35 dropped 37 C:\ProgramData\IObit\DgApi.dll, PE32+ 11->37 dropped 39 C:\...\imfsbSvc.exe:Zone.Identifier, ASCII 11->39 dropped 23 cmd.exe 1 11->23         started        61 Changes security center settings (notifications, updates, antivirus, firewall) 14->61 25 MpCmdRun.exe 1 14->25         started        41 127.0.0.1 unknown unknown 16->41 file6 signatures7 process8 dnsIp9 45 esh.hoovernamosong.com 160.16.200.77, 443, 49706, 49707 SAKURA-BSAKURAInternetIncJP Japan 19->45 53 Tries to harvest and steal browser information (history, passwords, etc) 19->53 55 Deletes itself after installation 19->55 27 conhost.exe 23->27         started        29 sc.exe 1 23->29         started        31 conhost.exe 25->31         started        signatures10 process11

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
imfsbSvc.exe0%ReversingLabs

Dropped Files

SourceDetectionScannerLabelLink
C:\ProgramData\IObit\DgApi.dll37%ReversingLabsWin64.Trojan.Snappybee
C:\ProgramData\IObit\imfsbDll.dll39%ReversingLabsWin64.Trojan.Snappybee
C:\ProgramData\IObit\imfsbSvc.exe0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8G0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD#0%Avira URL Cloudsafe
HTTP://esh.hoovernamosong.com:80B0%Avira URL Cloudsafe
HTTP://esh.hoovernamosong.com:8060%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF(0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE80%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF10%Avira URL Cloudsafe
https://esh.hoovernamosong.com/r0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CDIDInfo0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD(0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/000000000039F835000000000039F8350%Avira URL Cloudsafe
HTTP://esh.hoovernamosong.com:80%0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8g(P#0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/ernamosong.com/00000000003BB6CD00000000003BB6CD#0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/000000000039F130000000000039F130c0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8M0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8#0%Avira URL Cloudsafe
https://ocsp.quovadisoffshore.com00%Avira URL Cloudsafe
HTTP://esh.hoovernamosong.com:800%Avira URL Cloudsafe
http://www.bingmapsportal.com0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAFa0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D810%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE83.0.30729;0%Avira URL Cloudsafe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/000000000039F835000000000039F835M0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8t0%Avira URL Cloudsafe
http://crl.ver)0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8(0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8Y0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF0%Avira URL Cloudsafe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=0%Avira URL Cloudsafe
https://dynamic.t0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/00000000003C68D800000000003C68D80%Avira URL Cloudsafe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=0%Avira URL Cloudsafe
http://www.quovadis.bm00%Avira URL Cloudsafe
https://t0.ssl.ak.dynamic.tiles.virtu0%Avira URL Cloudsafe
http://esh.hoovernamosong.com/000000000039F835000000000039F835(0%Avira URL Cloudsafe
https://esh.hoovernamosong.com/000000000039F130000000000039F1300%Avira URL Cloudsafe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
esh.hoovernamosong.com
160.16.200.77
truetrue
    		unknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8true
    • Avira URL Cloud: safe
    		unknown
    http://esh.hoovernamosong.com/000000000039F835000000000039F835true
    • Avira URL Cloud: safe
    		unknown
    https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CDtrue
    • Avira URL Cloud: safe
    		unknown
    http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAFtrue
    • Avira URL Cloud: safe
    		unknown
    https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8true
    • Avira URL Cloud: safe
    		unknown
    https://esh.hoovernamosong.com/000000000039F130000000000039F130true
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    HTTP://esh.hoovernamosong.com:806winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF(winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmpfalse
      		high
      https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
        		high
        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmpfalse
          		high
          https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CDIDInfowinlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          HTTP://esh.hoovernamosong.com:80Bwinlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAF1winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
            		high
            https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD#winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555004222.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8Gwinlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://esh.hoovernamosong.com/winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.992864168.00000289D09A9000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://esh.hoovernamosong.com/rwinlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785210838.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://esh.hoovernamosong.com/00000000003BB6CD00000000003BB6CD(winlogon.exe, 00000005.00000003.2148346052.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148470099.00000289D0A0D000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://esh.hoovernamosong.com/ernamosong.com/00000000003BB6CD00000000003BB6CD#winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412147713.000001EB6AA5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                https://esh.hoovernamosong.com/000000000039F130000000000039F130cwinlogon.exe, 00000005.00000003.2099309780.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8g(P#winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=svchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      HTTP://esh.hoovernamosong.com:80%winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8#winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      HTTP://esh.hoovernamosong.com:80winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2604696671.00000289D098D000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148519607.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://ocsp.quovadisoffshore.com0winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8Mwinlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE83.0.30729;winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.bingmapsportal.comsvchost.exe, 0000000A.00000002.1413674689.000001EB6AA13000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000003.1412346107.000001EB6AA5C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          http://esh.hoovernamosong.com/00000000003BBBAF00000000003BBBAFawinlogon.exe, 00000005.00000003.2555058406.00000289D098D000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8twinlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://esh.hoovernamosong.com/00000000003C68D800000000003C68D81winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000A.00000003.1411946565.000001EB6AA68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414009932.000001EB6AA69000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413753825.000001EB6AA27000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 0000000A.00000003.1412882691.000001EB6AA66000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=svchost.exe, 0000000A.00000003.1412522832.000001EB6AA42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://crl.ver)svchost.exe, 00000009.00000002.2515546830.0000019175A54000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://esh.hoovernamosong.com/000000000039F835000000000039F835Mwinlogon.exe, 00000005.00000003.2099146701.00000289D0A0C000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1413860019.000001EB6AA43000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://esh.hoovernamosong.com/00000000003C68D800000000003C68D8(winlogon.exe, 00000005.00000003.2604645352.00000289D0A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://g.live.com/odclientsettings/Prod/C:qmgr.db.9.drfalse
                                                		high
                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://esh.hoovernamosong.com/00000000003C6DE800000000003C6DE8Ywinlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://dynamic.tsvchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000A.00000002.1413830455.000001EB6AA40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://dev.ditu.live.com/REST/v1/Transit/Schedules/svchost.exe, 0000000A.00000003.1411617066.000001EB6AA87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1414104509.000001EB6AA89000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.quovadis.bm0winlogon.exe, 00000005.00000003.992491389.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2554813752.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2591550979.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2148181877.00000289D09DB000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, winlogon.exe, 00000005.00000002.2785500553.00000289D09DC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2515844845.0000019175B07000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000A.00000002.1413979320.000001EB6AA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1411996638.000001EB6AA62000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000A.00000003.1412292601.000001EB6AA59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://t0.ssl.ak.dynamic.tiles.virtusvchost.exe, 0000000A.00000002.1413793845.000001EB6AA34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1412646757.000001EB6AA31000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://esh.hoovernamosong.com/000000000039F835000000000039F835(winlogon.exe, 00000005.00000003.2099146701.00000289D09DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000A.00000002.1414072508.000001EB6AA81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000003.1412704562.000001EB6AA4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              160.16.200.77
                                                              		esh.hoovernamosong.comJapan9370SAKURA-BSAKURAInternetIncJPtrue

                                                              Private

                                                              IP
                                                              127.0.0.1

                                                              General Information

                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1564524
                                                              Start date and time:2024-11-28 13:26:41 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 9m 43s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                              Run name:Run with higher sleep bypass
                                                              Number of analysed new started processes analysed:19
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:imfsbSvc.exe
                                                              Detection:MAL
                                                              Classification:mal76.troj.spyw.evad.winEXE@19/11@4/2
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, backgroundTaskHost.exe
                                                              • Excluded IPs from analysis (whitelisted): 23.204.248.25
                                                              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • VT rate limit hit for: imfsbSvc.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              No simulations

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              No context

                                                              Domains

                                                              No context

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              SAKURA-BSAKURAInternetIncJPnabx86.elfGet hashmaliciousUnknownBrowse
                                                              • 163.43.243.149
                                                              powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 160.16.177.244
                                                              https://docs.google.com/presentation/d/1z_B5nVWxQSqBMnIWjAfO37AM3HSOm_XjEmM3UM39DA0/previewGet hashmaliciousUnknownBrowse
                                                              • 160.16.237.149
                                                              i486.elfGet hashmaliciousMiraiBrowse
                                                              • 160.18.19.40
                                                              arm.nn-20241120-0508.elfGet hashmaliciousMirai, OkiruBrowse
                                                              • 110.44.149.161
                                                              amen.spc.elfGet hashmaliciousMiraiBrowse
                                                              • 59.106.78.176
                                                              Ref_ENQ-V-R-3512.docxGet hashmaliciousFormBookBrowse
                                                              • 153.121.40.91
                                                              RFQ.docxGet hashmaliciousFormBookBrowse
                                                              • 153.121.40.91
                                                              nuklear.arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                              • 163.43.146.137

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              37f463bf4616ecd445d4a1937da06e19inseminating.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                              • 160.16.200.77
                                                              Salary Revision _pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              oS6KsQIqJxe038Y.exeGet hashmaliciousDarkCloud, PureLog StealerBrowse
                                                              • 160.16.200.77
                                                              faktura461250706050720242711#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              rXVQIR00071840-180218627117.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              SOLICITUD DE PRESUPUESTO 27-11-2024#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              factura_461250706050720242711#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              Purchase-Order27112024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 160.16.200.77
                                                              Update.jsGet hashmaliciousNetSupport RATBrowse
                                                              • 160.16.200.77

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\ProgramData\IObit\DgApi.dll

                                                              Download File
                                                              Process:C:\Users\user\Desktop\imfsbSvc.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):261120
                                                              Entropy (8bit):6.439095548023039
                                                              Encrypted:false
                                                              SSDEEP:6144:aJG8G4Z2pZcMx+/HTAOx+CbWHlouxsMnWU:CFMZjxaMA+CbWHldW
                                                              MD5:43F3F328248DA7BDA95407968604FF0B
                                                              SHA1:7D9EA7C8934D293429103FD0F8F58B370BD1249B
                                                              SHA-256:B2B617E62353A672626C13CC7AD81B27F23F91282AAD7A3A0DB471D84852A9AC
                                                              SHA-512:4FA1F97BEE76DFF470F25CDBAD71A1B152E5E4896F824E078B9634E53FCB02FEEE203350767B9AC11A763A04D9CD7A3DC0D946D14129F3BDBD7A7FB78050A7DD
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[....}.O.}.O.}.O...O.}.O...O.}.O...O.}.OM..N.}.OM..N.}.OM..N.}.O..{O.}.O.}.O`}.O...N.}.O...N.}.O...N.}.ORich.}.O........................PE..d..."p.d.........." .........Z......Pr.......................................`............`.................................................<...P............0...............P..,...p...8............................................................................text............................... ..`.rdata..............................@..@.data....>..........................@....pdata.......0......................@..@.reloc..,....P......................@..B................................................................................................................................................................................................................................................................................

                                                              C:\ProgramData\IObit\dbindex.dat

                                                              Download File
                                                              Process:C:\Users\user\Desktop\imfsbSvc.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):131065
                                                              Entropy (8bit):7.9987745357371525
                                                              Encrypted:true
                                                              SSDEEP:3072:zaNVm/i2SD6ixL7x6oC3bwmNU4MNTVI7nBHM+ZNWqdiTOz2:pi2ajL78kJdXM2oW64R
                                                              MD5:B706F4806DC88611873CADEB3AD1FF97
                                                              SHA1:DFE752F103E8E0CDB6EE419A5E753A451488420C
                                                              SHA-256:1A38303FB392CCC5A88D236B4F97ED404A89C1617F34B96ED826E7BB7257E296
                                                              SHA-512:76576B52092CE91E00824B41F8D04570BB2BEFECC2E45C8027E31AB802E752C2B47156F3BEFF6F1B1CD8181AA9A9275F02D9DD11BF8E3AC54B12F8F93EC39FBD
                                                              Malicious:false
                                                              Preview:...W..j.F...8.F...!....L[...o.p.N.~S...{G.t.y9Bu......8...Y...z..2.n...|..Y.jR>.b...G.m.....;....x.....@9...).vp.P.....p.6g..'T.7Sx...p.......%J|<..d:....Z.9gN ....._:....yLr.8....].s,..ff.6......../.].-.\eQ..y.....+.UZ_.>+"......$..c.V.P.....[..w.....4.f....&...j...b.GA$.N]W.!...d....3..8..bB...NR........X,..qE..b+.M.u......H\.pX}.v.3i.....st..M......G.....f...e...?.......X...ZLV......V..$x.l..I.};;](T'.e.'....;.l..x@.10...9...`..r]..J.;#2.....U..|,~!.I..(:..^..:_..S3..g^.R...I._.....(B|d..k-.....h....T.YM.0.c.B..M.=? ...@O....r.....H.4.ws.Q.....r....Y@.....VR...(....%...^....:[.....(.D1.. ........o.OV...4.T..IJ.3...Ei.aR...PUT.X.I...q.0..K....gW..N.,J..5.sHd..s..{UZQ.lw.,....<..*5....m<T1.........bC.....m...V."7.8Os...E..s.&zY...DE!_.$....h.N{.oF.b..WW..........o.W........}..v..H.B..1.P.t%.....Z.z.Y.F...MJu.~{..$.@a".^..Rd..\m....l...#..4y.:..LX.c.}."......_J...[.Luw....o....3j.,U=".`..?..|.._...|.ojk.v+......a...........-.x..

                                                              C:\ProgramData\IObit\imfsbDll.dll

                                                              Download File
                                                              Process:C:\Users\user\Desktop\imfsbSvc.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):621264
                                                              Entropy (8bit):5.743772810032184
                                                              Encrypted:false
                                                              SSDEEP:6144:BZNQxws72WY28YXHuXP+pNRT2El1WZ2RxTX/jo620lJu:BZuxwsCWY2RTtR17nu
                                                              MD5:45D7997340065904AE092AC427C54F41
                                                              SHA1:6CD5114BEDF9C867B32558EE961FBF052A2A125D
                                                              SHA-256:05840DE7FA648C41C60844C4E5D53DBB3BC2A5250DCB158A95B77BC0F68FA870
                                                              SHA-512:38281505C2695BBB9D0FC398B9192A3C07C04788817452B98516EEE6944DB5B356B79299E7D1C434DB6CC2AF55A9C22D0DFCEA1874035163E5418F62DC76F9DD
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 39%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.v.............a.u.....a.c..............................$................................Rich....................PE..d.....9a.........." .........................."}..........................................`..................................................I..P....p...........U...:...@.......... ...8............................................@...............................text...X........................... ..`.rdata..............................@..@.data...\9...........~..............@....pdata..._.......`..................@..@.idata..I(...@...*..................@..@.rsrc........p.......$..............@..@.reloc..............................@..B................................................................................................................................................................................................................

                                                              C:\ProgramData\IObit\imfsbSvc.exe

                                                              Download File
                                                              Process:C:\Users\user\Desktop\imfsbSvc.exe
                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):347344
                                                              Entropy (8bit):6.337397239640206
                                                              Encrypted:false
                                                              SSDEEP:6144:ZEtNasNqZsBotlNFVK12krBAixDbJeRG+2RzV5F0Xmbv9OiLLMyc5:ZEtNYZ3tlNFVo24AixPJqavLZc5
                                                              MD5:CA73DA8345DE507AC023D52B4B5C1814
                                                              SHA1:EF32667DE23715EF2903B185C08ED9B5DC7CFEED
                                                              SHA-256:5B88F7D36FE435CD6944BDA05F1758F64C7D5136A5F529A58522AC3B0DC9743A
                                                              SHA-512:B5140EF135E8CAFC7A6C3B7AAA514612E3EA6A25653C925385421C2BBBA75CD51BD228AC5C671DE383555658573293C1E20A93950AE1BE52E86DA6780AEE4339
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......f..."..."..."....1.'....3.....2.,...8..#.......*.......6............g..+....g..:......!...".........#......7....?.#...".W. ......#...Rich"...................PE..d.....9a.........."......d..........p..........@.............................`......^.....`.................................................<........0...........7.......@...P.......;..T...........................`;...............................................text....c.......d.................. ..`.rdata...5.......6...h..............@..@.data...............................@....pdata...7.......8..................@..@.gfids....... ......................@..@.rsrc........0... ..................@..@.reloc.......P......................@..B................................................................................................................................................................

                                                              C:\ProgramData\IObit\imfsbSvc.exe:Zone.Identifier

                                                              Download File
                                                              Process:C:\Users\user\Desktop\imfsbSvc.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview:[ZoneTransfer]....ZoneId=0

                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                              Download File
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.3599130113691179
                                                              Encrypted:false
                                                              SSDEEP:12:+SAI77eaaD0JcaaD0JwQQAKSAI77eaaD0JcaaD0JwQQA:yI77etgJctgJwlI77etgJctgJw
                                                              MD5:6392E749087750C619B28C674473B996
                                                              SHA1:DE33774F94EC8C968A49D8188FCBCD09BC63ECED
                                                              SHA-256:9E4E6E5AAE2BCFB52099CF307BBF20E844A3059CD31D6A5FFE2560AE2E2601B6
                                                              SHA-512:9CE396499E6B662E84FD73308B4BA31A8708AA5C17B2D7E28A7F21E1E6A47F4714E5BF200F40BDF3EF35041A108DDF32EE1E1B7CF8318E3D36602F6A347A4AD7
                                                              Malicious:false
                                                              Preview:..U...........4.......).*9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................4.............................................................................................................................................................................................................................................................................................................................................................

                                                              C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                              Download File
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1310720
                                                              Entropy (8bit):0.13675180069934845
                                                              Encrypted:false
                                                              SSDEEP:384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5PDH:mJP74rzc8Myr43mNrf6YM5P
                                                              MD5:0E39E31023DBAFABCAC3124A07EE4A17
                                                              SHA1:D6777B3F0A79218673037DDF4F1B0050208B25C4
                                                              SHA-256:E21B3FBD4954C61909B67FF5E23EEAEB06C092B530BC7CB9F9DDFEB1201E4CCD
                                                              SHA-512:40B64823B6727AC2F7EFFB4E5079688CDE851FC53C2B7282670D7A606B0F023C52CE0AE996C11B86CE0CF2E026C8702552FCD189A984928C74720F3B7B4F86F4
                                                              Malicious:false
                                                              Preview:...........@..@.3...{g..*...yo.........<.....).*9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;..........v[.2}c}c.#.........`h.d...............h.<.....6.:......p..*9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                              Download File
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0bb51b49, page size 16384, Windows version 10.0
                                                              Category:dropped
                                                              Size (bytes):1048576
                                                              Entropy (8bit):0.8697943006522405
                                                              Encrypted:false
                                                              SSDEEP:1536:TSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:TapaQK0yfOD8F31Xw
                                                              MD5:DC4D27B72770FC7FB056D46362360AFD
                                                              SHA1:DA89FDD6EC21060247BC0396CD7A8EBF44FAF6A4
                                                              SHA-256:F939434CB69DA913A051CA03A5EC529EAA2C2B5409AC10A31DD8BA9308480A53
                                                              SHA-512:3F0CDA9726AA749EB265D8A3C47223FFBE9954C62E19E92C291C2EC38A707C01C644BB16EDF0DAC23CA1E1288D3E3C0D4650FC2ADD953EBE5FCF6744DDFDF7A7
                                                              Malicious:false
                                                              Preview:...I... ................p..*9...y......................6.3......"...|w.. ...|Q.h.2......"...|w.6.3...........).*9...y..........................................................................................................bJ......n....@...................................................................................................... ...................................................................................................................................................................................................................................................V.%.."...|wJ....................."...|w..........................#......6.3.....................................................................................................................................................................................................................................................................................................................................................

                                                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                              Download File
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):16384
                                                              Entropy (8bit):0.07992452282830131
                                                              Encrypted:false
                                                              SSDEEP:3:jqh2cpEn+sHllDBpzyewJ5WSHll+sHllAllo0lJlbxvws:aa+sfDbyewJ5WSflfAL
                                                              MD5:DB024FD7E4FB67F58501B9E4737B663A
                                                              SHA1:2B8E86CFE898A058ED8F3693492425D0FF409A0A
                                                              SHA-256:DFAA7A33B558E3AF7094BE8FBF9BD62F0DD7E89BDC3E359B4A956484EFCE7078
                                                              SHA-512:F06E26AAC12219C9EDCEE186C3CF4AA491BB9B484A11B99FF1FBE1C1D8FCC453C757A04158CEB27E8DC58041A54294FAC2675AD51CD95482BE4F509B29350B9E
                                                              Malicious:false
                                                              Preview:.3O.....................................*9...y... ...|Q.."...|w.........."...|w.."...|w....q."...|w......................"...|w.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                              Download File
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):55
                                                              Entropy (8bit):4.306461250274409
                                                              Encrypted:false
                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                              Malicious:false
                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

                                                              Download File
                                                              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):41762
                                                              Entropy (8bit):3.241162655149969
                                                              Encrypted:false
                                                              SSDEEP:384:L+7H+hH+hR+hM+hJ+hS+hh+hB+h3+hV+h4+hU+hV+hy+hRU3+h5UZ+hA:GVD
                                                              MD5:19E95CC8D6A7D1042A7ED18E3783A7C6
                                                              SHA1:FAA129F1CC25579B2BA47D514DC843B604EB7458
                                                              SHA-256:9E5FF30923322A350AD9F543A1CF7021F1BF84F9E3DF05F4E150C11859AEE825
                                                              SHA-512:BA0EE531BA688E95B7E8AF268D5B67BE375F45A4E543E1706486978519D4870880D8E66FC39415987770C1FE1EDEA5D1293EA7A322AD605928EDAB1380CD0A88
                                                              Malicious:false
                                                              Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.5. .. 2.0.2.3. .2.2.:.0.4.:.5.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

                                                              Static File Info

                                                              General

                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                              Entropy (8bit):6.337397239640206
                                                              TrID:
                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                              • DOS Executable Generic (2002/1) 0.92%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:imfsbSvc.exe
                                                              File size:347'344 bytes
                                                              MD5:ca73da8345de507ac023d52b4b5c1814
                                                              SHA1:ef32667de23715ef2903b185c08ed9b5dc7cfeed
                                                              SHA256:5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a
                                                              SHA512:b5140ef135e8cafc7a6c3b7aaa514612e3ea6a25653c925385421c2bbba75cd51bd228ac5c671de383555658573293c1e20a93950ae1be52e86da6780aee4339
                                                              SSDEEP:6144:ZEtNasNqZsBotlNFVK12krBAixDbJeRG+2RzV5F0Xmbv9OiLLMyc5:ZEtNYZ3tlNFVo24AixPJqavLZc5
                                                              TLSH:E6747D45F3E418E5EA6BC13989A3D51BE67278111760DBDF0370826A3F23BD16A3DB21
                                                              File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......f..."..."...".....1.'.....3.......2.,....8..#.......*.......6............g..+....g..:.......!..."...........#.......7.....?.#..

                                                              File Icon

                                                              Icon Hash:90cececece8e8eb0

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x14001f170
                                                              Entrypoint Section:.text
                                                              Digitally signed:true
                                                              Imagebase:0x140000000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6139C8DD [Thu Sep 9 08:42:05 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:6
                                                              OS Version Minor:0
                                                              File Version Major:6
                                                              File Version Minor:0
                                                              Subsystem Version Major:6
                                                              Subsystem Version Minor:0
                                                              Import Hash:e20cce52935dcbdf120d0fe332168d10

                                                              Authenticode Signature

                                                              Signature Valid:true
                                                              Signature Issuer:CN=DigiCert EV Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                              Signature Validation Error:The operation completed successfully
                                                              Error Number:0
                                                              Not Before, Not After
                                                              • 27/08/2019 02:00:00 30/08/2022 14:00:00
                                                              Subject Chain
                                                              • CN="IObit CO., LTD", O="IObit CO., LTD", L=Chengdu, S=Sichuan, C=CN, SERIALNUMBER=91510107072412418F, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1="Wuhou District, Chengdu", OID.1.3.6.1.4.1.311.60.2.1.2=Sichuan, OID.1.3.6.1.4.1.311.60.2.1.3=CN
                                                              Version:3
                                                              Thumbprint MD5:627EB5F58AA7BB5E49C3ED2D92DD61FD
                                                              Thumbprint SHA-1:C2D65E12D4FC8DB328577D74F4BD417FEC0F28B1
                                                              Thumbprint SHA-256:0686186695953609414F4D551738F90203E37E2E651CBB2E7CDB6F033E0EB155
                                                              Serial:0D98F5DF96C592C5B76BFDE1CB823096

                                                              Entrypoint Preview

                                                              Instruction
                                                              dec eax
                                                              sub esp, 28h
                                                              call 00007F33C4C1DFB0h
                                                              dec eax
                                                              add esp, 28h
                                                              jmp 00007F33C4C1D937h
                                                              int3
                                                              int3
                                                              inc eax
                                                              push ebx
                                                              dec eax
                                                              sub esp, 20h
                                                              dec eax
                                                              mov ebx, ecx
                                                              dec eax
                                                              mov eax, edx
                                                              dec eax
                                                              lea ecx, dword ptr [0001C9C9h]
                                                              dec eax
                                                              mov dword ptr [ebx], ecx
                                                              dec eax
                                                              lea edx, dword ptr [ebx+08h]
                                                              xor ecx, ecx
                                                              dec eax
                                                              mov dword ptr [edx], ecx
                                                              dec eax
                                                              mov dword ptr [edx+08h], ecx
                                                              dec eax
                                                              lea ecx, dword ptr [eax+08h]
                                                              call 00007F33C4C20889h
                                                              dec eax
                                                              lea eax, dword ptr [0001CA59h]
                                                              dec eax
                                                              mov dword ptr [ebx], eax
                                                              dec eax
                                                              mov eax, ebx
                                                              dec eax
                                                              add esp, 20h
                                                              pop ebx
                                                              ret
                                                              int3
                                                              xor eax, eax
                                                              dec eax
                                                              mov dword ptr [ecx+10h], eax
                                                              dec eax
                                                              lea eax, dword ptr [0001CA4Fh]
                                                              dec eax
                                                              mov dword ptr [ecx+08h], eax
                                                              dec eax
                                                              lea eax, dword ptr [0001CA34h]
                                                              dec eax
                                                              mov dword ptr [ecx], eax
                                                              dec eax
                                                              mov eax, ecx
                                                              ret
                                                              int3
                                                              dec eax
                                                              lea eax, dword ptr [0001C975h]
                                                              dec eax
                                                              mov dword ptr [ecx], eax
                                                              dec eax
                                                              add ecx, 08h
                                                              jmp 00007F33C4C208D2h
                                                              int3
                                                              dec eax
                                                              mov dword ptr [esp+08h], ebx
                                                              push edi
                                                              dec eax
                                                              sub esp, 20h
                                                              dec eax
                                                              lea eax, dword ptr [0001C957h]
                                                              dec eax
                                                              mov edi, ecx
                                                              dec eax
                                                              mov dword ptr [ecx], eax
                                                              mov ebx, edx
                                                              dec eax
                                                              add ecx, 08h
                                                              call 00007F33C4C208AFh
                                                              test bl, 00000001h
                                                              je 00007F33C4C1DABFh
                                                              mov edx, 00000018h
                                                              dec eax
                                                              mov ecx, edi
                                                              call 00007F33C4C1D475h
                                                              dec eax
                                                              mov eax, edi
                                                              dec eax
                                                              mov ebx, dword ptr [esp+30h]
                                                              dec eax
                                                              add esp, 20h

                                                              Rich Headers

                                                              Programming Language:
                                                              • [IMP] VS2015 UPD3.1 build 24215
                                                              • [ C ] VS2015 UPD3.1 build 24215
                                                              • [C++] VS2015 UPD3.1 build 24215
                                                              • [RES] VS2015 UPD3 build 24213
                                                              • [LNK] VS2015 UPD3.1 build 24215

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x4893c0x118.rdata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x530000x1fd0.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x4e0000x37a4.pdata
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x50c000x40d0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x550000x6a8.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x43b000x54.rdata
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x43b600x94.rdata
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x380000xcb8.rdata
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x10000x363a30x36400adaed845aa76e95b19ef6d1b9451fad4False0.5539449524769585data6.392642559878584IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rdata0x380000x135a80x136005f82a5eab9777181ed6c7c5b5e0435eeFalse0.4251260080645161data5.113273953227112IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .data0x4c0000x1fb40xc00b219f7da6d9e6f8fc66fb1911b8d4f13False0.19108072916666666data2.5572052693801814IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .pdata0x4e0000x37a40x38001e90241e3e01b5bbab8207d7289818f8False0.474609375data5.5830297706186185IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .gfids0x520000xe40x20028b7de2b64e0f9465b393905f515b86fFalse0.328125Linux/i386 core file of '\' (signal 55)2.0399083813350414IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .rsrc0x530000x1fd00x2000a4de5172aee8728eca667ce5837ba7e3False0.4366455078125data4.546132680078495IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x550000x6a80x8001bb762a032ac4543e7d043213ed3acb2False0.57666015625data5.002880185935442IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_RCDATA0x531000x1a00PE32+ executable (DLL) (GUI) x86-64, for MS WindowsEnglishUnited States0.4307391826923077
                                                              RT_VERSION0x54b000x34cdataEnglishUnited States0.47393364928909953
                                                              RT_MANIFEST0x54e500x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                              Imports

                                                              DLLImport
                                                              imfsbDll.dllSbieDll_IsOpenClsid, SbieApi_IsBoxEnabled, SbieDll_RunSandboxed, SbieApi_CallZero, SbieApi_CallOne, SbieApi_GetVersion, SbieApi_GetWork, SbieApi_GetHomePath, SbieApi_EnumProcessEx, SbieApi_SetUserName, SbieApi_GetUnmountHive, SbieDll_FormatMessage2, SbieDll_ComCreateStub, SbieDll_RunFromHome, SbieApi_QueryProcess, SbieDll_PortName, SbieApi_QueryProcessPath, SbieApi_QueryProcessEx2, SbieApi_QueryProcessInfo, SbieApi_QueryPathList, SbieDll_KillOne, SbieDll_FreeMem, SbieDll_QueueCreate, SbieDll_QueueGetReq, SbieDll_QueuePutRpl, SbieApi_QueryConf, SbieApi_CheckInternetAccess, SbieApi_QueryConfBool, SbieApi_CallTwo, SbieApi_SessionLeader, SbieApi_LogEx, SbieApi_Log, SbieApi_ReloadConf, SbieApi_OpenProcess, SbieDll_GetLanguage, SbieDll_FormatMessage0, SbieDll_GetServiceRegistryValue
                                                              ntdll.dllNtWriteFile, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, RtlPcToFileHeader, NtReadFile, NtSetInformationFile, NtQueryInformationFile, NtQueryDirectoryFile, NtCreateFile, RtlSetDaclSecurityDescriptor, RtlNtStatusToDosError, NtAllocateVirtualMemory, NtLoadDriver, RtlInitUnicodeString, NtReplyWaitReceivePort, NtRequestPort, NtCreatePort, NtUnloadKey, NtOpenKey, NtOpenFile, NtClose, NtQueryKey, NtQuerySystemInformation, NtLoadKey, RtlCreateSecurityDescriptor, NtQueryInformationProcess, NtSetInformationThread, NtOpenProcessToken, NtOpenThreadToken, NtQueryInformationToken, NtDuplicateToken, NtFilterToken, NtConnectPort, NtRequestWaitReplyPort, NtAcceptConnectPort, NtCompleteConnectPort, NtImpersonateClientOfPort, NtOpenDirectoryObject, NtSetInformationProcess, NtOpenProcess, NtDuplicateObject, RtlCaptureContext
                                                              KERNEL32.dllEncodePointer, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, IsDebuggerPresent, UnhandledExceptionFilter, CloseHandle, GetLastError, HeapCreate, HeapAlloc, HeapFree, GetProcessHeap, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetEvent, WaitForSingleObject, CreateMutexW, OpenMutexW, CreateEventW, OpenEventW, Sleep, ExitProcess, TerminateProcess, CreateThread, GetCurrentThread, OpenProcess, GetTickCount, CreateFileMappingW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, GetProcAddress, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, LocalFree, WaitForMultipleObjects, GetEnvironmentVariableW, TlsFree, GetFullPathNameW, GetPrivateProfileStringW, CreateFileW, SetFilePointer, WriteFile, OutputDebugStringW, DuplicateHandle, SetLastError, GetProcessTimes, GetCurrentProcess, SetThreadPriority, TerminateThread, GetLocalTime, GetVersionExW, VirtualAlloc, VirtualFree, VirtualAllocEx, VirtualProtectEx, ReadProcessMemory, WriteProcessMemory, GetModuleHandleA, LoadResource, LockResource, SizeofResource, LocalAlloc, FindResourceW, GetSystemWindowsDirectoryW, ResetEvent, GetCurrentProcessId, GetCurrentThreadId, ProcessIdToSessionId, IsProcessInJob, GetModuleHandleW, GlobalSize, LoadLibraryW, RegisterWaitForSingleObject, UnregisterWait, CreateJobObjectW, AssignProcessToJobObject, QueryInformationJobObject, SetInformationJobObject, AllocConsole, GetConsoleWindow, GetConsoleProcessList, RaiseException, InitializeCriticalSectionAndSpinCount, GetCommandLineW, GetSystemInfo, CancelIo, DefineDosDeviceW, OpenThread, TlsAlloc, TlsGetValue, TlsSetValue, ResumeThread, QueueUserWorkItem, GetExitCodeProcess, DeleteFileW, GetFileAttributesW, SetEndOfFile, SetFileAttributesW, HeapReAlloc, GetWindowsDirectoryW, CopyFileW, SuspendThread, CreateProcessW, GetModuleFileNameW, MulDiv, FreeLibrary, LoadLibraryExW, GetStringTypeW, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetACP, GetFileType, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, FlushFileBuffers, SetCurrentDirectoryW, WriteConsoleW
                                                              USER32.dllGetClassLongPtrA, GetClassLongPtrW, GetDesktopWindow, GetParent, EnumChildWindows, FindWindowA, FindWindowW, FindWindowExA, FindWindowExW, GetShellWindow, EnumWindows, EnumThreadWindows, GetClassNameA, GetClassNameW, GetWindowThreadProcessId, GetWindow, GetIconInfo, ChangeDisplaySettingsExA, ChangeDisplaySettingsExW, MonitorFromWindow, GetWindowInfo, UserHandleGrantAccess, PackDDElParam, RegisterClassExW, ShowWindow, BeginPaint, EndPaint, GetMonitorInfoW, GetClientRect, GetPropW, GetPropA, SetPropW, ReleaseDC, GetDC, GetClassLongW, IsWindowEnabled, IsWindowUnicode, KillTimer, EnumClipboardFormats, GetClipboardData, GetClipboardSequenceNumber, IsZoomed, IsIconic, IsWindowVisible, SetWindowPos, DestroyWindow, IsWindow, CreateWindowExW, RegisterClassW, DefWindowProcW, PostMessageW, PostMessageA, SendNotifyMessageW, SendNotifyMessageA, SendMessageTimeoutW, SendMessageW, SendMessageA, GetProcessWindowStation, SetProcessWindowStation, CreateWindowStationW, GetThreadDesktop, SetThreadDesktop, CreateDesktopW, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, SetTimer, DispatchMessageW, GetMessageW, wsprintfW, GetClassLongA, GetWindowLongPtrW, GetWindowLongPtrA, GetWindowLongW, GetWindowLongA, MapWindowPoints, ScreenToClient, ClientToScreen, ClipCursor, SetCursorPos, SetForegroundWindow, GetWindowRect
                                                              ADVAPI32.dllCreateProcessAsUserW, OpenThreadToken, DuplicateTokenEx, OpenProcessToken, AdjustTokenPrivileges, LookupAccountSidW, LookupPrivilegeValueW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, ConvertStringSidToSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenUserClassesRoot, RegOpenCurrentUser, GetSecurityDescriptorSacl, GetTokenInformation, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetTokenInformation, SetSecurityInfo, CloseServiceHandle, ControlService, EnumServicesStatusExW, OpenSCManagerW, OpenServiceW, StartServiceW, OpenEventLogW, ReportEventW, RegisterServiceCtrlHandlerExW, SetServiceStatus, StartServiceCtrlDispatcherW, RevertToSelf, SetThreadToken, AddAccessAllowedAce, DuplicateToken, GetLengthSid, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, CryptAcquireContextW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, QueryServiceStatusEx, QueryServiceConfig2W, CryptHashData, CryptDestroyHash, EnumServicesStatusW, QueryServiceConfigW
                                                              PSAPI.DLLGetModuleBaseNameW, EnumProcessModules
                                                              ole32.dllCreateStreamOnHGlobal, CoInitializeEx, CoInitialize, CoRevokeClassObject, CoRegisterClassObject, CoGetObject, CoTaskMemFree, StringFromGUID2, CoCopyProxy, CoSetProxyBlanket, CoQueryProxyBlanket, CoInitializeSecurity, CoUnmarshalInterface, CoMarshalInterface, CoGetClassObject
                                                              CRYPT32.dllCryptProtectData, CryptUnprotectData
                                                              USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock
                                                              GDI32.dllTextOutW, DeleteDC, GetDIBits, GetMetaFileBitsEx, GetEnhMetaFileBits, CreateFontW, CreateSolidBrush, GetDeviceCaps, SelectObject, SetBkColor, CreateCompatibleDC, SetTextColor
                                                              NETAPI32.dllNetUseAdd
                                                              WTSAPI32.dllWTSQueryUserToken
                                                              RPCRT4.dllRpcStringFreeW, RpcBindingToStringBindingW, RpcMgmtEpEltInqBegin, RpcMgmtEpEltInqDone, RpcMgmtEpEltInqNextW

                                                              Possible Origin

                                                              Language of compilation systemCountry where language is spokenMap
                                                              EnglishUnited States

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Nov 28, 2024 13:31:36.905395031 CET497068443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:37.182991028 CET844349706160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:37.682873011 CET497068443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:37.960120916 CET844349706160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:38.463993073 CET497068443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:38.741926908 CET844349706160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:39.245079041 CET497068443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:39.522799015 CET844349706160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:40.026225090 CET497068443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:40.303818941 CET844349706160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:40.775001049 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:40.775043964 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:40.775156975 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:40.788855076 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:40.788872004 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:41.461658955 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:41.461915970 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:41.502860069 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:41.502939939 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:41.503814936 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:41.504087925 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:41.505503893 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:41.549431086 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.050105095 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.050244093 CET44349707160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.050321102 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.050426960 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.050426960 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.050467968 CET49707443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.128973007 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.406420946 CET8049708160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.406621933 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.406709909 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:31:42.684117079 CET8049708160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.684160948 CET8049708160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:31:42.684453964 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:32:57.684458017 CET8049708160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:32:57.684633970 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:30.330368996 CET4970880192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:30.607774019 CET8049708160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:32.954791069 CET497178443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:33.240365982 CET844349717160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:33.751446009 CET497178443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:34.037122965 CET844349717160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:34.547964096 CET497178443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:34.833867073 CET844349717160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:35.344679117 CET497178443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:35.630451918 CET844349717160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:36.141242027 CET497178443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:36.426628113 CET844349717160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:36.434303045 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:36.434350967 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:36.434752941 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:36.434752941 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:36.434814930 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.013884068 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.014060974 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.014333963 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.014343023 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.018783092 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.018816948 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.585282087 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.585360050 CET44349718160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.585426092 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.585566998 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.585566998 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.585613966 CET49718443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.685710907 CET4971980192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.971613884 CET8049719160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:37.972220898 CET4971980192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:37.972222090 CET4971980192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:33:38.262392044 CET8049719160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:38.262456894 CET8049719160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:33:38.262749910 CET4971980192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:18.519401073 CET497208443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:18.796418905 CET844349720160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:19.303812027 CET497208443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:19.581574917 CET844349720160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:20.084681988 CET497208443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:20.368567944 CET844349720160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:20.881539106 CET497208443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:21.173466921 CET844349720160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:21.678563118 CET497208443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:21.955957890 CET844349720160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:21.994976997 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:21.995089054 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:21.995340109 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:21.995671988 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:21.995734930 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:22.616321087 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:22.616528988 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:22.616885900 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:22.616900921 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:22.617650032 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:22.617670059 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:23.226216078 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:23.226349115 CET44349721160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:23.226459980 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:23.226546049 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:23.226546049 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:23.226576090 CET49721443192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:23.303354979 CET4971980192.168.11.20160.16.200.77
                                                              Nov 28, 2024 13:34:23.588895082 CET8049719160.16.200.77192.168.11.20
                                                              Nov 28, 2024 13:34:23.589057922 CET4971980192.168.11.20160.16.200.77

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Nov 28, 2024 13:31:36.728786945 CET5982153192.168.11.208.8.8.8
                                                              Nov 28, 2024 13:31:36.903055906 CET53598218.8.8.8192.168.11.20
                                                              Nov 28, 2024 13:31:40.347955942 CET5171053192.168.11.201.1.1.1
                                                              Nov 28, 2024 13:31:40.768975973 CET53517101.1.1.1192.168.11.20
                                                              Nov 28, 2024 13:33:32.780646086 CET6001653192.168.11.208.8.8.8
                                                              Nov 28, 2024 13:33:32.954345942 CET53600168.8.8.8192.168.11.20
                                                              Nov 28, 2024 13:34:18.345612049 CET6123353192.168.11.208.8.8.8
                                                              Nov 28, 2024 13:34:18.518959045 CET53612338.8.8.8192.168.11.20

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Nov 28, 2024 13:31:36.728786945 CET192.168.11.208.8.8.80xc810Standard query (0)esh.hoovernamosong.comA (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:31:40.347955942 CET192.168.11.201.1.1.10xe75dStandard query (0)esh.hoovernamosong.comA (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:33:32.780646086 CET192.168.11.208.8.8.80x96abStandard query (0)esh.hoovernamosong.comA (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:34:18.345612049 CET192.168.11.208.8.8.80x75Standard query (0)esh.hoovernamosong.comA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Nov 28, 2024 13:31:36.903055906 CET8.8.8.8192.168.11.200xc810No error (0)esh.hoovernamosong.com160.16.200.77A (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:31:40.768975973 CET1.1.1.1192.168.11.200xe75dNo error (0)esh.hoovernamosong.com160.16.200.77A (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:33:32.954345942 CET8.8.8.8192.168.11.200x96abNo error (0)esh.hoovernamosong.com160.16.200.77A (IP address)IN (0x0001)false
                                                              Nov 28, 2024 13:34:18.518959045 CET8.8.8.8192.168.11.200x75No error (0)esh.hoovernamosong.com160.16.200.77A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • esh.hoovernamosong.com

                                                              HTTP Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.11.2049708160.16.200.77808940C:\Windows\System32\winlogon.exe
                                                              TimestampBytes transferredDirectionData
                                                              Nov 28, 2024 13:31:42.406709909 CET480OUTPOST /000000000039F835000000000039F835 HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 94
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              Data Raw: 0e d5 78 81 24 a5 62 c4 c7 d6 5b 41 a9 43 0a 6e 3e 87 79 6e df 6b 34 25 bd 18 c6 71 58 e5 bd 0e e3 cb b3 d8 5b 64 f4 7c ad 94 b9 e7 c6 43 09 0e 71 2b 51 4e 0c ae b2 63 5c 63 24 ba 9d 21 4e a1 97 28 25 cf c3 45 43 d5 a4 fb 33 19 db c8 e0 44 8a 71 49 4f b0 25 c6 e3 d4 6f ad 21 8c e2
                                                              Data Ascii: x$b[ACn>ynk4%qX[d|Cq+QNc\c$!N(%EC3DqIO%o!
                                                              Nov 28, 2024 13:31:42.684160948 CET728INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:31:42 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: keep-alive
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.11.2049719160.16.200.77808940C:\Windows\System32\winlogon.exe
                                                              TimestampBytes transferredDirectionData
                                                              Nov 28, 2024 13:33:37.972222090 CET489OUTPOST /00000000003BBBAF00000000003BBBAF HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 102
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              Data Raw: 63 5e ec 29 63 dd 0f f5 77 3c 20 d3 47 b2 7e 99 f8 5b e1 58 ec 98 d0 77 ad 02 d6 a3 c5 53 28 f2 b0 8f a7 3e b1 66 88 50 80 df 46 e9 51 b4 07 73 7c dd c7 c9 df d4 d1 69 d9 50 dd 16 74 09 1b 32 e0 40 cb c4 89 67 a9 f2 89 4b a3 e7 b5 20 d1 27 77 86 1e 91 b1 d7 be 7b d1 48 20 d1 0f ab 7c 92 90 5b 99 6c 14 b0
                                                              Data Ascii: c^)cw< G~[XwS(>fPFQs|iPt2@gK 'w{H |[l
                                                              Nov 28, 2024 13:33:38.262456894 CET728INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:33:38 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: keep-alive
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                              Nov 28, 2024 13:34:23.303354979 CET470OUTPOST /00000000003C6DE800000000003C6DE8 HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 84
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              Data Raw: f7 c8 c6 cc e5 6f e9 6a 06 39 89 de 9f 8f cd fb 5d ec b1 a4 6b c5 42 93 0c 40 90 4c 05 d2 bf 18 57 be a0 47 0b e0 f1 5d 82 87 69 84 9d c2 88 2f 01 64 cd 03 71 71 f7 12 47 a9 df d9 ed 82 4a ec 8f a5 83 70 d3 27 19 05 f2 a2 76 01 34 3d 51 41 d6 ae 21 b7
                                                              Data Ascii: oj9]kB@LWG]i/dqqGJp'v4=QA!
                                                              Nov 28, 2024 13:34:23.588895082 CET728INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:34:23 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: keep-alive
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.11.2049707160.16.200.774438940C:\Windows\System32\winlogon.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-11-28 12:31:41 UTC386OUTPOST /000000000039F130000000000039F130 HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 98
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              2024-11-28 12:31:41 UTC98OUTData Raw: b0 5d 1b f5 1e de 8d da 5a 47 e8 c7 06 aa 78 95 7f f0 59 17 91 f1 31 42 3e b7 15 90 d8 8c e0 56 55 ee 51 1b 88 12 6b b8 7c 83 7d 1d 9c 3f 0b 0e 3d 3e b6 87 55 c8 79 35 1e e6 f5 d8 e7 2b b1 a9 6b 72 2e 1c 00 fc 1e da 35 30 00 73 db c1 da e5 6e 5b f8 f2 ea dd 2b 7b 8a 12 9e bd db b2 77 dd 44 2d
                                                              Data Ascii: ]ZGxY1B>VUQk|}?=>Uy5+kr.50sn[+{wD-
                                                              2024-11-28 12:31:42 UTC159INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:31:41 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: close
                                                              2024-11-28 12:31:42 UTC564INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.11.2049718160.16.200.774438940C:\Windows\System32\winlogon.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-11-28 12:33:37 UTC387OUTPOST /00000000003BB6CD00000000003BB6CD HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 147
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              2024-11-28 12:33:37 UTC147OUTData Raw: 69 11 fb 07 c8 d1 b5 65 04 a5 35 8f e1 4d 73 12 ec b9 3f 97 1e 5a 31 52 48 79 45 b9 cb 73 9b 30 fb 31 40 1b d4 8c 88 e6 a0 ef 80 6e 59 e6 eb 01 0d 8b 92 07 76 29 e1 cb 09 1b 32 96 58 a3 9b 9d 62 f3 10 35 02 b9 7b f7 5b 34 c5 ce 7b 37 00 9c d1 43 4a 27 90 d9 d0 e2 8d de 1b 13 93 6d b5 0d e8 5b 2e 21 80 9b 95 83 88 8e 36 86 0f 81 4a 28 54 46 6f bd 1c 97 98 da 34 fa a1 dd 1f f7 b3 e0 75 84 73 23 d2 4a c6 e6 80 e9 2f 85 1c 75 84 5a fe 28 c6
                                                              Data Ascii: ie5Ms?Z1RHyEs01@nYv)2Xb5{[4{7CJ'm[.!6J(TFo4us#J/uZ(
                                                              2024-11-28 12:33:37 UTC159INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:33:37 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: close
                                                              2024-11-28 12:33:37 UTC564INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              2192.168.11.2049721160.16.200.774438940C:\Windows\System32\winlogon.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-11-28 12:34:22 UTC387OUTPOST /00000000003C68D800000000003C68D8 HTTP/1.1
                                                              Accept: Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                              Content-Length: 151
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                              Host: esh.hoovernamosong.com
                                                              Connection: Keep-Alive
                                                              Cache-Control: no-cache
                                                              2024-11-28 12:34:22 UTC151OUTData Raw: 4c 98 27 24 b3 2e 6e 17 3b b9 1d e8 5b 35 18 f1 ff 49 f5 93 bd d1 df 81 1e a3 d2 58 18 0f 15 2a b0 8f 10 a1 16 b8 ea d8 4e d1 f0 94 3c 86 d0 50 8f 2b 36 32 b8 cd 23 8a 99 de 5c 32 1f f7 f9 4f fc 9a b4 d8 d5 8b 14 a8 d9 53 13 05 1f 20 b9 86 19 a8 18 b6 e4 d7 41 de ff 9a 32 88 d9 59 86 22 3c 38 b2 c6 28 81 92 d4 56 38 16 fe f0 46 fa 9c b2 df d2 8c 13 ae df 55 0a 1c 06 39 a3 9c 03 b3 03 ad ff cd 5b c4 e6 83 2b 91 c7 47 98 3d 23 27 ad d8 36 9f 8b cd 4f
                                                              Data Ascii: L'$.n;[5IX*N<P+62#\2OS A2Y"<8(V8FU9[+G=#'6O
                                                              2024-11-28 12:34:23 UTC159INHTTP/1.1 404 Not Found
                                                              Server: nginx/1.24.0 (Ubuntu)
                                                              Date: Thu, 28 Nov 2024 12:34:23 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 564
                                                              Connection: close
                                                              2024-11-28 12:34:23 UTC564INData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:07:31:34
                                                              Start date:28/11/2024
                                                              Path:C:\Users\user\Desktop\imfsbSvc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\imfsbSvc.exe"
                                                              Imagebase:0x7ff797e70000
                                                              File size:347'344 bytes
                                                              MD5 hash:CA73DA8345DE507AC023D52B4B5C1814
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:1
                                                              Start time:07:31:34
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\cmd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\cmd.exe
                                                              Imagebase:0x7ff6d5970000
                                                              File size:289'792 bytes
                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:2
                                                              Start time:07:31:34
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff697cc0000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:3
                                                              Start time:07:31:34
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\sc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:sc create "IObit" DisplayName= "Platinum user session wrapper" binPath= "C:\ProgramData\IObit\imfsbSvc.exe" type= own start= auto error= ignore
                                                              Imagebase:0x7ff6ddea0000
                                                              File size:72'192 bytes
                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:4
                                                              Start time:07:31:34
                                                              Start date:28/11/2024
                                                              Path:C:\ProgramData\IObit\imfsbSvc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\ProgramData\IObit\imfsbSvc.exe
                                                              Imagebase:0x7ff7ee160000
                                                              File size:347'344 bytes
                                                              MD5 hash:CA73DA8345DE507AC023D52B4B5C1814
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:5
                                                              Start time:07:31:35
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\winlogon.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\winlogon.exe
                                                              Imagebase:0x7ff6c1960000
                                                              File size:944'128 bytes
                                                              MD5 hash:A987B43E6A8E8F894B98A3DF022DB518
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              General

                                                              Target ID:9
                                                              Start time:07:32:01
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                              Imagebase:0x7ff67c170000
                                                              File size:57'360 bytes
                                                              MD5 hash:F586835082F632DC8D9404D83BC16316
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:10
                                                              Start time:07:32:12
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                              Imagebase:0x7ff67c170000
                                                              File size:57'360 bytes
                                                              MD5 hash:F586835082F632DC8D9404D83BC16316
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:11
                                                              Start time:07:32:12
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                              Imagebase:0x7ff656320000
                                                              File size:329'504 bytes
                                                              MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              General

                                                              Target ID:12
                                                              Start time:07:32:12
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\sppsvc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\sppsvc.exe
                                                              Imagebase:0x7ff765d80000
                                                              File size:4'629'328 bytes
                                                              MD5 hash:30C7EF47B57367CC546173BB4BB2BB04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:13
                                                              Start time:07:32:13
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                              Imagebase:0x7ff67c170000
                                                              File size:57'360 bytes
                                                              MD5 hash:F586835082F632DC8D9404D83BC16316
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              General

                                                              Target ID:14
                                                              Start time:07:32:13
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                              Imagebase:0x7ff67c170000
                                                              File size:57'360 bytes
                                                              MD5 hash:F586835082F632DC8D9404D83BC16316
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              General

                                                              Target ID:15
                                                              Start time:07:32:13
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                              Imagebase:0x7ff67c170000
                                                              File size:57'360 bytes
                                                              MD5 hash:F586835082F632DC8D9404D83BC16316
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              General

                                                              Target ID:16
                                                              Start time:07:33:13
                                                              Start date:28/11/2024
                                                              Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                              Imagebase:0x7ff67dd30000
                                                              File size:468'120 bytes
                                                              MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              General

                                                              Target ID:17
                                                              Start time:07:33:13
                                                              Start date:28/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff697cc0000
                                                              File size:875'008 bytes
                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                              Has elevated privileges:true
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Disassembly

                                                              No disassembly