Reads data out of its own binary image Show sources
| api_process_name | process: 5732b93642462b9c529ac1888286d778f044f6b1.exe, pid: 2756, offset: 0x00000000, length: 0x000b7b5b |
| api_process_name | process: 5732b93642462b9c529ac1888286d778f044f6b1.exe, pid: 2756, offset: 0x0001121c, length: 0x000a6943 |
Attempts to connect to a dead IP:Port (14 unique times) Show sources
| network_host_ip | 52.85.98.91:80 (United States) |
| network_host_ip | 52.85.98.251:80 (United States) |
| network_host_ip | 52.85.98.136:80 (United States) |
| network_host_ip | 172.217.10.142:443 (United States) |
| network_host_ip | 151.101.2.133:80 (United States) |
| network_host_ip | 52.85.98.129:80 (United States) |
| network_host_ip | 52.85.98.18:80 (United States) |
| network_host_ip | 184.26.44.97:80 (United States) |
| network_host_ip | 54.76.182.212:443 (United States) |
| network_host_ip | 52.85.98.27:443 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
| network_host_ip | 162.247.242.20:443 (unknown) |
| network_host_ip | 151.101.2.110:443 (United States) |
| network_host_ip | 23.4.187.27:80 (United States) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | HTTP traffic contains a POST request with no user-agent header |
| network_anomaly | http://api.xtrdlapi.com/layout_exception.php?v=1.0.0.15962 |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
Performs some HTTP requests Show sources
| network_url | http://www.google-analytics.com/__utm.gif?utmwv=5.3.6&utmhn=&utmr=-&utmp=&utmac=UA-44288146-1&utmcc=__utma%3D999.999.999.999.999.1%3B&utms=1&utmvid=0xEB9CD1823A0C473C&guid=on&utmt=event&utme=5(DownloadManager*NET%20Framework*Installed)&utmsr=800x600&utmsc=32-bit |
| network_url | http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j%2BApJVk%3D |
| network_url | http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCECLU1%2BUEK%2BnCmZywXEyiu08%3D |
| network_url | http://x.ss2.us/x.cer |
| network_url | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D |
| network_url | http://s.ss2.us/r.crl |
| network_url | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D |
| network_url | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D |
| network_url | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAnEcGcK1jMsIIACRqKgD8o%3D |
| network_url | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGMYDTj7gJd4qdA1oxYY%2BEA%3D |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D |
| network_url | http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80 |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D |
| network_url | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEA1fNxT7Zt2V3O1CaWimmzM%3D |
| network_url | http://api.xtrdlapi.com/layout_exception.php?v=1.0.0.15962 |
| network_url | http://crl.globalsign.net/primobject.crl |
Network activity contains more than one unique useragent. Show sources
| Process | 5732b93642462b9c529ac1888286d778f044f6b1.exe |
| User-Agent | Mozilla/4.0 (compatible; en-US; NSIS; Windows NT 6.1) |
| Process | DownloadManager.exe |
| User-Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
At least one IP Address, Domain, or File Name was found in a crypto call Show sources
| ioc | http://www.symauth.com/cps0 |
| ioc | http://www.symauth.com/rpa04 |
| ioc | http://www.symauth.com/rpa0 |
| ioc | https://d.symcb.com/cps0 |
| ioc | https://d.symcb.com/rpa0 |
Attempts to modify proxy settings
Anomalous binary characteristics Show sources
| static_pe_anomaly | Actual checksum does not match that reported in PE header |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Local\Temp\DM_yDk9Jw0okW\DownloadManager.exe |
A process attempted to delay the analysis task. Show sources
| api_process_name | DownloadManager.exe tried to sleep 474 seconds, actually delayed analysis time by 0 seconds |