Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1637446
MD5:	b4ad1bac62eb28ad0bff59d9cf44abad
SHA1:	bae90c58ce70d8238254029b9d660fab66736b52
SHA256:	8a35e6b6f7fce33c90f04aa7ddf355d4fa8b9329757709de60b4dcf7a39c50b9
Tags:	exeuser-jstrosch
Infos:

Detection

Socks5Systemz

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Socks5Systemz

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Joe Sandbox ML detected suspicious sample

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B4AD1BAC62EB28AD0BFF59D9CF44ABAD)

file.tmp (PID: 6608 cmdline: "C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp" /SL5="$403B6,3806947,56832,C:\Users\user\Desktop\file.exe" MD5: E6F1560243CF0446AD812B0ED380C515)

docman.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe" -i MD5: AA31470E55EEEB23F1389D2EACD35F7B)

svchost.exe (PID: 1216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5132 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6156 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

sppsvc.exe (PID: 6020 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)

svchost.exe (PID: 5876 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1380 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1180 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 5836 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2173153779.0000000002C41000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000003.00000002.2172910401.0000000002722000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: docman.exe PID: 7044	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1216, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T16:37:57.359558+0100	2028765	3	Unknown Traffic	192.168.2.8	49693	176.113.115.96	443	TCP
2025-03-13T16:38:01.537027+0100	2028765	3	Unknown Traffic	192.168.2.8	49694	176.113.115.96	443	TCP
2025-03-13T16:38:06.988881+0100	2028765	3	Unknown Traffic	192.168.2.8	49696	176.113.115.96	443	TCP
2025-03-13T16:38:11.482015+0100	2028765	3	Unknown Traffic	192.168.2.8	49697	176.113.115.96	443	TCP
2025-03-13T16:38:14.125021+0100	2028765	3	Unknown Traffic	192.168.2.8	49698	176.113.115.96	443	TCP
2025-03-13T16:38:16.813423+0100	2028765	3	Unknown Traffic	192.168.2.8	49699	176.113.115.96	443	TCP
2025-03-13T16:38:19.534246+0100	2028765	3	Unknown Traffic	192.168.2.8	49700	176.113.115.96	443	TCP
2025-03-13T16:38:22.309147+0100	2028765	3	Unknown Traffic	192.168.2.8	49701	176.113.115.96	443	TCP
2025-03-13T16:38:25.084324+0100	2028765	3	Unknown Traffic	192.168.2.8	49702	176.113.115.96	443	TCP
2025-03-13T16:38:27.812106+0100	2028765	3	Unknown Traffic	192.168.2.8	49703	176.113.115.96	443	TCP
2025-03-13T16:38:30.452411+0100	2028765	3	Unknown Traffic	192.168.2.8	49704	176.113.115.96	443	TCP
2025-03-13T16:38:33.145674+0100	2028765	3	Unknown Traffic	192.168.2.8	49705	176.113.115.96	443	TCP
2025-03-13T16:38:35.821770+0100	2028765	3	Unknown Traffic	192.168.2.8	49706	176.113.115.96	443	TCP
2025-03-13T16:38:38.394562+0100	2028765	3	Unknown Traffic	192.168.2.8	49707	176.113.115.96	443	TCP
2025-03-13T16:38:40.991057+0100	2028765	3	Unknown Traffic	192.168.2.8	49708	176.113.115.96	443	TCP
2025-03-13T16:38:43.732969+0100	2028765	3	Unknown Traffic	192.168.2.8	49709	176.113.115.96	443	TCP
2025-03-13T16:38:47.651781+0100	2028765	3	Unknown Traffic	192.168.2.8	49710	176.113.115.96	443	TCP
2025-03-13T16:38:50.862763+0100	2028765	3	Unknown Traffic	192.168.2.8	49711	176.113.115.96	443	TCP
2025-03-13T16:38:53.680273+0100	2028765	3	Unknown Traffic	192.168.2.8	49712	176.113.115.96	443	TCP
2025-03-13T16:38:56.328843+0100	2028765	3	Unknown Traffic	192.168.2.8	49713	176.113.115.96	443	TCP
2025-03-13T16:38:58.995883+0100	2028765	3	Unknown Traffic	192.168.2.8	49714	176.113.115.96	443	TCP
2025-03-13T16:39:01.573614+0100	2028765	3	Unknown Traffic	192.168.2.8	49715	176.113.115.96	443	TCP
2025-03-13T16:39:04.251079+0100	2028765	3	Unknown Traffic	192.168.2.8	49717	176.113.115.96	443	TCP
2025-03-13T16:39:07.000369+0100	2028765	3	Unknown Traffic	192.168.2.8	49718	176.113.115.96	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T16:37:59.654826+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49693	176.113.115.96	443	TCP
2025-03-13T16:38:02.543207+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49694	176.113.115.96	443	TCP
2025-03-13T16:38:07.900854+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49696	176.113.115.96	443	TCP
2025-03-13T16:38:12.329807+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49697	176.113.115.96	443	TCP
2025-03-13T16:38:14.935972+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49698	176.113.115.96	443	TCP
2025-03-13T16:38:17.645700+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49699	176.113.115.96	443	TCP
2025-03-13T16:38:20.516834+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49700	176.113.115.96	443	TCP
2025-03-13T16:38:23.148127+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49701	176.113.115.96	443	TCP
2025-03-13T16:38:25.883411+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49702	176.113.115.96	443	TCP
2025-03-13T16:38:28.616391+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49703	176.113.115.96	443	TCP
2025-03-13T16:38:31.333561+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	176.113.115.96	443	TCP
2025-03-13T16:38:33.967323+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49705	176.113.115.96	443	TCP
2025-03-13T16:38:36.649648+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	176.113.115.96	443	TCP
2025-03-13T16:38:39.194455+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	176.113.115.96	443	TCP
2025-03-13T16:38:41.883215+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	176.113.115.96	443	TCP
2025-03-13T16:38:45.739416+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	176.113.115.96	443	TCP
2025-03-13T16:38:48.477775+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	176.113.115.96	443	TCP
2025-03-13T16:38:51.884758+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	176.113.115.96	443	TCP
2025-03-13T16:38:54.494694+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49712	176.113.115.96	443	TCP
2025-03-13T16:38:57.162287+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	176.113.115.96	443	TCP
2025-03-13T16:38:59.796063+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	176.113.115.96	443	TCP
2025-03-13T16:39:02.370891+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49715	176.113.115.96	443	TCP
2025-03-13T16:39:05.106580+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	176.113.115.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\DocumentManager\DocumentManager.exe	Avira: detection malicious, Label: ADWARE/AVI.ICLoader.dngvt
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Avira: detection malicious, Label: ADWARE/AVI.ICLoader.dngvt

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DocumentManager\DocumentManager.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 26%			Perma Link
Source: file.exe	ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045D2E4 ArcFourCrypt,	1_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045D2FC ArcFourCrypt,	1_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Unpacked PE file: 3.2.docman.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Document Manager_is1

Jump to behavior

Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49718 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-B0CLT.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-11QFP.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: global traffic

TCP traffic: 192.168.2.8:49695 -> 45.93.20.230:2024

Source: Joe Sandbox View

IP Address: 176.113.115.96 176.113.115.96

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49696 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49697 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49702 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49711 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49694 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49704 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49706 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49708 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49715 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49713 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49698 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49712 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49701 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49703 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49700 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49693 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49705 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49714 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49699 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49709 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49718 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49717 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49707 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49710 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49693 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49703 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49700 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49708 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49697 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49694 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49696 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49698 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49702 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49701 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49699 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49715 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49707 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49712 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49705 -> 176.113.115.96:443

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.230
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.230
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.230
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.230
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.230
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C42B95 WSASetLastError,WSARecv,WSASetLastError,select,

3_2_02C42B95

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96

Source: svchost.exe, 00000005.00000002.2174384043.000002450E200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: is-NUA9V.tmp.1.dr, is-83D10.tmp.1.dr	String found in binary or memory: http://icu-project.org
Source: svchost.exe, 00000006.00000002.1365058924.00000286DE813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: file.tmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: file.exe, 00000000.00000003.906715737.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906877266.0000000002088000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.906715737.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906877266.0000000002088000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/-
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/I
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003369000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.000000000096B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c802a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290
Source: docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/en-GB
Source: docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/kb6N
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/mCertificates
Source: docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/priseCertificates
Source: docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/rb?N
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000002.1365215244.00000286DE870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364463995.00000286DE86E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000006.00000002.1365215244.00000286DE870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364463995.00000286DE86E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000003.1364626084.00000286DE85A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000006.00000002.1365129429.00000286DE842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000006.00000003.1364722743.00000286DE846000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000006.00000003.1364572283.00000286DE85E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365129429.00000286DE842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000006.00000003.1263557752.00000286DE836000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.1206120751.000002450E120000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: file.exe, 00000000.00000003.906300687.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906371782.0000000002081000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171361329.0000000002081000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.908738461.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.908807981.0000000002128000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2171967645.0000000002128000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2171503643.00000000006BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.8:49718 version: TLS 1.2

System Summary

PE file has a writeable .text section

Source: docman.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DocumentManager.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0042F594 NtdllDefWindowProc_A,	1_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00479380 NtdllDefWindowProc_A,	1_2_00479380
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045763C

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E944

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00470C74	1_2_00470C74
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0043533C	1_2_0043533C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004813C4	1_2_004813C4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00467848	1_2_00467848
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004303D0	1_2_004303D0
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0044453C	1_2_0044453C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004885E0	1_2_004885E0
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00434638	1_2_00434638
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00444AE4	1_2_00444AE4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0048ED0C	1_2_0048ED0C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00430F5C	1_2_00430F5C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045F16C	1_2_0045F16C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004451DC	1_2_004451DC
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045B21C	1_2_0045B21C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004455E8	1_2_004455E8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00487680	1_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0046989C	1_2_0046989C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00451A30	1_2_00451A30
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0043DDC4	1_2_0043DDC4
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609660FA	3_2_609660FA
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6092114F	3_2_6092114F
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6091F2C9	3_2_6091F2C9
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096923E	3_2_6096923E
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6093323D	3_2_6093323D
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095C314	3_2_6095C314
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60950312	3_2_60950312
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094D33B	3_2_6094D33B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6093B368	3_2_6093B368
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096748C	3_2_6096748C
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6093F42E	3_2_6093F42E
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60954470	3_2_60954470
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609615FA	3_2_609615FA
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096A5EE	3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096D6A4	3_2_6096D6A4
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609606A8	3_2_609606A8
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60932654	3_2_60932654
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60955665	3_2_60955665
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094B7DB	3_2_6094B7DB
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6092F74D	3_2_6092F74D
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60964807	3_2_60964807
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094E9BC	3_2_6094E9BC
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60937929	3_2_60937929
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6093FAD6	3_2_6093FAD6
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096DAE8	3_2_6096DAE8
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094DA3A	3_2_6094DA3A
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60936B27	3_2_60936B27
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60954CF6	3_2_60954CF6
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60950C6B	3_2_60950C6B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60966DF1	3_2_60966DF1
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60963D35	3_2_60963D35
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60909E9C	3_2_60909E9C
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60951E86	3_2_60951E86
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60912E0B	3_2_60912E0B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60954FF8	3_2_60954FF8
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C5BAFD	3_2_02C5BAFD
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C62A80	3_2_02C62A80
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C5D32F	3_2_02C5D32F
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C570C0	3_2_02C570C0
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C4E089	3_2_02C4E089
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C6267D	3_2_02C6267D
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C5B609	3_2_02C5B609
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C5874A	3_2_02C5874A
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C5BF15	3_2_02C5BF15
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_02C60DB4	3_2_02C60DB4

Source: Joe Sandbox View

Dropped File: C:\ProgramData\DocumentManager\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: String function: 02C62A10 appears 136 times
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: String function: 02C57760 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00406AD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00457DB8 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00446118 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: String function: 00403684 appears 229 times

Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-P08SJ.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-P08SJ.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-P08SJ.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: sqlite3.dll.3.dr	Static PE information: Number of sections : 19 > 10
Source: is-PIO29.tmp.1.dr	Static PE information: Number of sections : 19 > 10

Source: file.exe, 00000000.00000003.906715737.00000000023A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.906877266.0000000002088000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/37@0/3

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C4F8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

3_2_02C4F8D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455EB4

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_0040D454

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_0046E5B8 GetVersion,CoCreateInstance,

1_2_0046E5B8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_0040D252 StartServiceCtrlDispatcherA,

3_2_0040D252

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_0040D252 StartServiceCtrlDispatcherA,

3_2_0040D252

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:4664:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: docman.exe, docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: docman.exe, docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: docman.exe, docman.exe, 00000003.00000003.940140522.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2174366796.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-PIO29.tmp.1.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: file.exe	Virustotal: Detection: 26%
Source: file.exe	ReversingLabs: Detection: 31%

Source: file.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: file.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp" /SL5="$403B6,3806947,56832,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe "C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe" -i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp" /SL5="$403B6,3806947,56832,C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe "C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe" -i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Document Manager_is1

Jump to behavior

Source: file.exe

Static file information: File size 4057649 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-B0CLT.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-11QFP.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Unpacked PE file: 3.2.docman.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Unpacked PE file: 3.2.docman.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: is-PIO29.tmp.1.dr	Static PE information: section name: /4
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /19
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /35
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /51
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /63
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /77
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /89
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /102
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /113
Source: is-PIO29.tmp.1.dr	Static PE information: section name: /124
Source: sqlite3.dll.3.dr	Static PE information: section name: /4
Source: sqlite3.dll.3.dr	Static PE information: section name: /19
Source: sqlite3.dll.3.dr	Static PE information: section name: /35
Source: sqlite3.dll.3.dr	Static PE information: section name: /51
Source: sqlite3.dll.3.dr	Static PE information: section name: /63
Source: sqlite3.dll.3.dr	Static PE information: section name: /77
Source: sqlite3.dll.3.dr	Static PE information: section name: /89
Source: sqlite3.dll.3.dr	Static PE information: section name: /102
Source: sqlite3.dll.3.dr	Static PE information: section name: /113
Source: sqlite3.dll.3.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004849F4 push 00484B02h; ret	1_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040995C push 00409999h; ret	1_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00458060 push 00458098h; ret	1_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004860E4 push ecx; mov dword ptr [esp], ecx	1_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004783C8 push ecx; mov dword ptr [esp], edx	1_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx	1_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0049AD44 pushad ; retf	1_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx	1_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00459378 push 004593BCh; ret	1_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx	1_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx	1_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0045186C push 0045189Fh; ret	1_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax	1_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00495BE4 push ecx; mov dword ptr [esp], ecx	1_2_00495BE9
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx	1_2_00419C3D

Source: is-11QFP.tmp.1.dr

Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

3_2_02C4E8B2

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-KRL2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-B0CLT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-NUA9V.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-FHEDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-83D10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	File created: C:\ProgramData\DocumentManager\DocumentManager.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-5HEL3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-11QFP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-O3CPC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	File created: C:\ProgramData\DocumentManager\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\is-PIO29.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\is-P08SJ.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	File created: C:\ProgramData\DocumentManager\DocumentManager.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	File created: C:\ProgramData\DocumentManager\sqlite3.dll			Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

3_2_02C4E8B2

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_0040D252 StartServiceCtrlDispatcherA,

3_2_0040D252

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_004843A8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F128

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_00401C30 rdtsc

3_2_00401C30

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

3_2_02C4E9B6

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Window / User API: threadDelayed 3741			Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Window / User API: threadDelayed 6195			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-FHEDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-KRL2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-B0CLT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-83D10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-5HEL3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-11QFP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-O3CPC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-PIO29.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\is-NUA9V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\is-P08SJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Document Manager 3.15\libEGL.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5971

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

API coverage: 4.9 %

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe TID: 7072	Thread sleep count: 3741 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe TID: 7072	Thread sleep time: -7482000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe TID: 5620	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe TID: 7072	Thread sleep count: 6195 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe TID: 7072	Thread sleep time: -12390000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5736	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000009.00000002.2172296928.000002621448A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2172200144.000002621447D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: docman.exe, 00000003.00000002.2173560191.0000000003312000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.00000000008C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2174516126.000002450E258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.2171781602.0000026214402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000009.00000002.2171979905.000002621442B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2172296928.000002621448A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2171979905.000002621442B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2172296928.000002621448A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: docman.exe, 00000003.00000002.2173560191.0000000003312000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2172862436.0000024508C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000009.00000002.2172126002.0000026214453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000009.00000002.2172296928.000002621448A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_0-6768
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	API call chain: ExitProcess graph end node			graph_3-62613

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_00401C30 rdtsc

3_2_00401C30

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_00404A84 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,VirtualAlloc,LdrInitializeThunk,

3_2_00404A84

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C53A08 _memset,IsDebuggerPresent,

3_2_02C53A08

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C5E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_02C5E6BE

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C45E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,

3_2_02C45E59

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C580E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_02C580E8

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478DC4

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042EE28

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E0AC

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe

Code function: 3_2_02C4E86A cpuid

3_2_02C4E86A

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_004085C4

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458670

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp

Code function: 1_2_00455644 GetUserNameA,

1_2_00455644

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 0000000B.00000002.2172572971.0000019B3A702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.2172572971.0000019B3A702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.2173153779.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2172910401.0000000002722000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: docman.exe PID: 7044, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.2173153779.0000000002C41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2172910401.0000000002722000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: docman.exe PID: 7044, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	3_2_609660FA
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	3_2_6090C1D6
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,	3_2_60963143
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	3_2_6096A2BD
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,	3_2_6096923E
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,	3_2_6096A38C
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	3_2_6096748C
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	3_2_609254B1
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_6094B407
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6090F435 sqlite3_bind_parameter_index,	3_2_6090F435
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,	3_2_609255D4
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609255FF sqlite3_bind_text,	3_2_609255FF
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,	3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,	3_2_6094B54C
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,	3_2_60925686
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,	3_2_6094A6C5
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,	3_2_609256E5
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	3_2_6094B6ED
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6092562A sqlite3_bind_blob,	3_2_6092562A
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,	3_2_60925655
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_6094C64A
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	3_2_609687A7
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_6095F7F7
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,	3_2_6092570B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095F772
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	3_2_60925778
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6090577D sqlite3_bind_parameter_name,	3_2_6090577D
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	3_2_6094B764
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6090576B sqlite3_bind_parameter_count,	3_2_6090576B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	3_2_6094A894
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095F883
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,	3_2_6094C8C2
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,	3_2_6096281E
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,	3_2_6096583A
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,	3_2_6095F9AD
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6094A92B
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,	3_2_6090EAE5
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	3_2_6095FB98
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	3_2_6095ECA6
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095FCCE
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_6095FDAE
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,	3_2_60966DF1
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,	3_2_60969D75
Source: C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	3_2_6095FFB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	5 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	5 Windows Service	21 Software Packing	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 DLL Side-Loading	LSA Secrets	191 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	Virustotal		Browse
file.exe	32%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\DocumentManager\DocumentManager.exe	100%	Avira	ADWARE/AVI.ICLoader.dngvt
C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	100%	Avira	ADWARE/AVI.ICLoader.dngvt
C:\ProgramData\DocumentManager\DocumentManager.exe	50%	ReversingLabs	Win32.Trojan.Fuery
C:\ProgramData\DocumentManager\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\Qt5Concurrent.dll (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\Qt5PrintSupport.dll (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe	50%	ReversingLabs	Win32.Trojan.Fuery
C:\Users\user\AppData\Local\Document Manager 3.15\icuin51.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\icuuc51.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-11QFP.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-5HEL3.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-83D10.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-B0CLT.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-FHEDJ.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-KRL2E.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-NUA9V.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-O3CPC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\is-PIO29.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\libEGL.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\libGLESv2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\msvcp100.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\msvcr100.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\sqlite3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\is-P08SJ.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Document Manager 3.15\uninstall\unins000.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NLOO6.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/rb?N	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c802a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/mCertificates	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/-	0%	Avira URL Cloud	safe
https://176.113.115.96/I	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/kb6N	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81729326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348ddcda945f40cb	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290fe91ed51629366be8ef43a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949c17834fbd504	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270fec18d005672e26e1fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c40c17036f1df	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38a926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c842a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f812a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38b926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38d926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8c2a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/en-GB	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb389926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000006.00000002.1365129429.00000286DE842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c926d19fe6595cd66946851e91fcd85241	docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb387926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/rb?N	docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000006.00000002.1365058924.00000286DE813000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000006.00000003.1364626084.00000286DE85A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	file.tmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c802a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.000000000096B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f802a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f8d2a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	file.exe	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000006.00000003.1364572283.00000286DE85E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365129429.00000286DE842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.2174384043.000002450E200000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 00000005.00000003.1206120751.000002450E120000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000006.00000003.1263557752.00000286DE836000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icu-project.org	is-NUA9V.tmp.1.dr, is-83D10.tmp.1.dr	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb388926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f822a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.00000000009A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.easycutstudio.com/support.html	file.exe, 00000000.00000003.906300687.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906371782.0000000002081000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2171361329.0000000002081000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.908738461.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.908807981.0000000002128000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2171967645.0000000002128000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2171503643.00000000006BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f832a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.000000000339D000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000006.00000002.1365215244.00000286DE870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364463995.00000286DE86E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/I	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/mCertificates	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/	docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	file.exe	false		high
https://176.113.115.96/priseCertificates	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/-	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2171704942.0000000000982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365198697.00000286DE868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364499887.00000286DE867000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&	svchost.exe, 00000006.00000003.1364722743.00000286DE846000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000006.00000002.1365215244.00000286DE870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364463995.00000286DE86E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000006.00000002.1365080642.00000286DE82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000006.00000003.1364530578.00000286DE862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1365182425.00000286DE863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/kb6N	docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c852a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.5.dr	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000006.00000003.1364652308.00000286DE841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38f926d19fe6595cd66946851e91fcd85241	docman.exe, 00000003.00000002.2171704942.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	file.exe, 00000000.00000003.906715737.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906877266.0000000002088000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb386926d19fe6595cd66946951e91fcd85270	docman.exe, 00000003.00000002.2173560191.000000000331B000.00000004.00000020.00020000.00000000.sdmp, docman.exe, 00000003.00000002.2173560191.0000000003369000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c862a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.remobjects.com/ps	file.exe, 00000000.00000003.906715737.00000000023A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.906877266.0000000002088000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.907618182.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-P08SJ.tmp.1.dr, file.tmp.0.dr	false		high
https://176.113.115.96/ai/?key=8f3f2b3ae514176a774cb0f2231678fbb38c872a1cec7a86d87bdb6546ad12dac0290	docman.exe, 00000003.00000002.2173560191.0000000003327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000006.00000002.1365147954.00000286DE858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364666520.00000286DE857000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.93.20.230	unknown	Netherlands		174	COGENT-174US	false
176.113.115.96	unknown	Russian Federation		49505	SELECTELRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637446
Start date and time:	2025-03-13 16:36:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/37@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 205 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:37:28	API Interceptor	2x Sleep call for process: svchost.exe modified
11:37:36	API Interceptor	468331x Sleep call for process: docman.exe modified
11:38:36	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.93.20.230	eF5TnJ6Frr.exe	Get hash	malicious	Socks5Systemz	Browse
45.93.20.230	dxRwXy19pq.exe	Get hash	malicious	Socks5Systemz	Browse
176.113.115.96	eF5TnJ6Frr.exe	Get hash	malicious	Socks5Systemz	Browse
	dxRwXy19pq.exe	Get hash	malicious	Socks5Systemz	Browse
	12321321.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	176.113.115.6
	ET3Sc57mx4.exe	Get hash	malicious	Amadey	Browse	176.113.115.6
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	176.113.115.6
	wJWNpO6lcm.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer	Browse	176.113.115.6
	94.154.34.34-mipsel-2025-03-03T16_58_40.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.154.34.34
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	176.113.115.6
	eF5TnJ6Frr.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	IFwhIemq7R.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, zgRAT	Browse	176.113.115.6
	BTn1AT2k3Y.exe	Get hash	malicious	LummaC Stealer	Browse	176.113.115.7
	uw7A6EF76R.exe	Get hash	malicious	Amadey	Browse	176.113.115.6
COGENT-174US	Owari.arm.elf	Get hash	malicious	Unknown	Browse	204.240.223.132
	QUOTATION_MARQUOTE312025#U00faPDF.scr	Get hash	malicious	MSIL Logger	Browse	198.16.88.194
	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	206.238.115.224
	http://szrjxkj.com/dongtai/8622.html	Get hash	malicious	Unknown	Browse	38.174.150.133
	http://888881e.com/	Get hash	malicious	Unknown	Browse	149.104.73.29
	http://8669595.com/	Get hash	malicious	Bet365 Phisher	Browse	149.104.73.32
	PURCHASE ORDER N0259305-06SN.exe	Get hash	malicious	FormBook	Browse	149.104.35.122
	miori.x86.elf	Get hash	malicious	Unknown	Browse	38.119.147.17
	http://pastorizaplastics.com	Get hash	malicious	Unknown	Browse	154.39.177.133
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	38.47.158.2

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	eF5TnJ6Frr.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	dxRwXy19pq.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	12321321.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	file.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	file.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96
	xn3nGSFdRn.exe	Get hash	malicious	Vidar	Browse	176.113.115.96
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	176.113.115.96
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\DocumentManager\sqlite3.dll	eF5TnJ6Frr.exe	Get hash	malicious	Socks5Systemz	Browse
	dxRwXy19pq.exe	Get hash	malicious	Socks5Systemz	Browse
	12321321.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\DocumentManager\DocumentManager.exe

Download File

Process:	C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2866176
Entropy (8bit):	6.48083470037312
Encrypted:	false
SSDEEP:	49152:ffhR5lOL+oJtNCoOO6CHoUnf04zdZVRqSPWnUtbAT6yR:n3nf/CHomf0ydZqSOnU5AR
MD5:	AA31470E55EEEB23F1389D2EACD35F7B
SHA1:	A4436069E4B3C8E0EC8AD5E025A42C6099890EEA
SHA-256:	00A4E07EE759E2891DB4ED31A784863F9BD55190E4E7F458CE33854008040A17
SHA-512:	C8ABC07E3327956BD60C11108FD0206F772FC6A855A2DB4F9B9A34661FE8EB449C713BF585E26266FB279F39675970445DD6E0805F0FA4FB767AEBDC5037B00B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L...qy.g.................l#.........@&#.......#...@.......................... ,......T,.......................................#.@.... $...............................................................................#..............................text....j#......l#.................`....rdata...%....#..&...p#.............@..@.data....c....#..0....#.............@....rsrc........ $.......#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DocumentManager\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: eF5TnJ6Frr.exe, Detection: malicious, Browse Filename: dxRwXy19pq.exe, Detection: malicious, Browse Filename: 12321321.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: tKBxw8eOIV.exe, Detection: malicious, Browse Filename: tKBxw8eOIV.exe, Detection: malicious, Browse Filename: soft.exe, Detection: malicious, Browse Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8022099649540033
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUA2:RJE+Lfki1GjHwU/+vVhWqp7
MD5:	71CB4D098F06C603CC44DC436AD6FFCC
SHA1:	59AAA7C9A79246362A1D32F605E7EA97D00433CC
SHA-256:	66A4142AE58A618ABA4C527855EFE3A5DAB97D17BE35325CE19E9F93B1A7945A
SHA-512:	C97E8137FBF5CF40763E5C6B278E4DD6CDDDC946B6EEF2BD57DE011FF6CB0184D47FE6277B381DE0E8B761EF2E0F3DE79EB68F9F93FE2DD78283646367D87774
Malicious:	false
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xb40e9886, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.9433347978506547
Encrypted:	false
SSDEEP:	1536:jSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:jazaHvxXy2V2UR
MD5:	7FEB273910DC797055C5DD0DC8FD0D9F
SHA1:	BA8F9F4EB59896D98132C0E526361755C7C1392B
SHA-256:	595652B528C286333CE17F520B6AB0B16C93F6797B532882D8D933CD37532B5E
SHA-512:	9D40B548A4E13751DD7F0BA8E8110FD8B93BB5487ADF2BF238E5224DAE8CEA706D9BECF53AF60260BA50A2071109C0BBD04B2060F9607F77916CA8BF92C6960E
Malicious:	false
Preview:	....... ...............X\...;...{......................0.x...... ...{s..%...}..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{..................................xWE'.%...}.................{.U..%...}...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08136950403195778
Encrypted:	false
SSDEEP:	3:rSl/lKYeOz9nFSGsl/nqlFcl1ZUllll9w0ATilllillGBnX/l/Tj/k7/t:2XKzi9Vsl/qlFclQ/lYTitG254
MD5:	BDF3E21B21A98ECF47DAC90ABE5A71A9
SHA1:	AC82F0834B530A939EF04F5D69AA9136EA9EECCF
SHA-256:	1BDA0240C7FCD5BE678651A4F9060E69AA39000D3F2C11B4BAB269ACC6BD08E5
SHA-512:	9EFC28F0598AAD848BDBFAE6B607B6B62A0AB56213D3F42A2F343EC22B8B77D1C7F20A045819FF3CAC14176FC859951F985D195D5111E85344B3B493C200846B
Malicious:	false
Preview:	..7......................................;...{...%...}... ...{s.......... ...{s.. ...{s.P.... ...{s.................{.U..%...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\hc133it54.dat

Download File

Process:	C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:wCltn:wCX
MD5:	21C055611149248610A699B28C051C54
SHA1:	4E673CD1D774A68E7912B7FA065F7BCEAFD9CE95
SHA-256:	0AE176F5C1C8A72B87E422434ACB70A233BF9FD6593E8ABE8C0B20EA4827D390
SHA-512:	932E08245C0CAE388141DD59A9B279B0426AD29B10BBCC83A6FFF814E5FEA31C71C6AA8B52887A8EBE07A705BE9C8A9C74F8B766154D40FB7E96E830A097EC63
Malicious:	false
Preview:	...g....

C:\ProgramData\hc133rc54.dat

Download File

Process:	C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:Q:Q
MD5:	D23576281336D61C0DE8A5D88D91CDAC
SHA1:	9A2BD7DBF2A8146F9EA7C5F5D8AB2184CC585BBF
SHA-256:	44B34BA1E158565CD98B8B42DA82AB3DA3855B9828EF66847EED4A66A20C22B4
SHA-512:	BCB3D280B010333840870CF1390A02BF7D79475CA8EFC36DE13AF7F6E239757E4A5CD0BB8C0B7ECDF6FE979BD50B3A0F7B60E14A616DE4C29646A253374484B0
Malicious:	false
Preview:	....

C:\ProgramData\hc133resa.dat

Download File

Process:	C:\Users\user\AppData\Local\Document Manager 3.15\docman.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.951914235012335
Encrypted:	false
SSDEEP:	3:ZoeGqdhHzXDBdUBWetxt:kq3HzX3UFx
MD5:	DD1ADC2BD780F3D8A4D52C8F148CCC77
SHA1:	E1920FE88E516FEEE3573E21D3914784A6367AE9
SHA-256:	5D08D3AC6C11A03519DCBD53D0FFBCAC8FD0099A8FB525760FDEB5DE11BEC463
SHA-512:	D4E83054B8033D52B42352BA425DE086A22119A854DB1A35C51433E392FDC10082AFB8675958CF897E27F06862865DCE861FAC1175B90DDF51AEAF94C368943F
Malicious:	false
Preview:	1eb2b8720110dff756582a45e74bb62f518d3799011c89eb7c719048e83fac56................................................................

C:\Users\user\AppData\Local\Document Manager 3.15\Qt5Concurrent.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.996483336647155
Encrypted:	false
SSDEEP:	384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
MD5:	C5735F75847667E33A6B2D5E50D19C6F
SHA1:	D2C5952138FA5A246EC5900C9E680E7AEAF099AF
SHA-256:	32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
SHA-512:	DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................^....v.U......S......g......Q..............f......V......W......P....Rich...........................PE..L......Q...........!..... ...$.......(.......0.....f.................................$....@..........................?......L6..P....`..,....................p......................................x1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....rsrc...,....`.......>..............@..@.reloc.......p.......D..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Document Manager 3.15\Qt5PrintSupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EMSTT.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	226304
Entropy (8bit):	6.833378525054972

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DocumentManager\DocumentManager.exe

C:\ProgramData\DocumentManager\sqlite3.dll

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\hc133it54.dat

C:\ProgramData\hc133rc54.dat

C:\ProgramData\hc133resa.dat

C:\Users\user\AppData\Local\Document Manager 3.15\Qt5Concurrent.dll (copy)

C:\Users\user\AppData\Local\Document Manager 3.15\Qt5PrintSupport.dll (copy)

Windows Analysis Report
file.exe