Reads data out of its own binary image Show sources
| api_process_name | process: 11b7e6fe10e891a7ce79fb97c5b2fb791b05d79e.exe, pid: 2500, offset: 0x00000000, length: 0x00571718 |
| api_process_name | process: 11b7e6fe10e891a7ce79fb97c5b2fb791b05d79e.exe, pid: 2500, offset: 0x0000b81c, length: 0x00565f00 |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x00056a4d |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x0005ff60 |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x001000e1 |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x001008e9 |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x00100ab6 |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x00100aeb |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00000000, length: 0x00100cba |
| api_process_name | process: FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, pid: 2872, offset: 0x00055b95, length: 0x00520756 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x00000000, length: 0x00000040 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x000000f0, length: 0x00000018 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x000001e8, length: 0x00000078 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x00018000, length: 0x00000020 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x00018058, length: 0x00000018 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x000181a8, length: 0x00000018 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x00018470, length: 0x00000010 |
| api_process_name | process: wscript.exe, pid: 2132, offset: 0x00018640, length: 0x00000012 |
Attempts to connect to a dead IP:Port (6 unique times) Show sources
| network_host_ip | 184.26.44.105:80 (United States) |
| network_host_ip | 178.255.83.1:80 (United Kingdom) |
| network_host_ip | 23.67.251.10:80 (United States) |
| network_host_ip | 104.16.91.188:80 (unknown) |
| network_host_ip | 72.21.91.29:80 (United States) |
| network_host_ip | 95.248.69.185:1188 (Italy) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | http://musigiallifuck.ddns.net:1188/is-ready |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
Performs some HTTP requests Show sources
| network_url | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D |
| network_url | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D |
| network_url | http://crl.comodoca.com/COMODORSACertificationAuthority.crl |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_url | http://s.dropcanvas.com/1000000/965000/964641/FV2-XSONICX.XSONICX |
| network_url | http://s.dropcanvas.com/1000000/930000/929710/updates.txt |
| network_url | http://musigiallifuck.ddns.net:1188/is-ready |
| network_url | http://crl.globalsign.net/primobject.crl |
Network activity contains more than one unique useragent. Show sources
| Process | wscript.exe |
| User-Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Process | FV2-XSONICX(Windows 64Bits).exe |
| User-Agent | Cheat Engine 6.6 : luascript |
A wscript.exe process commonly used in script or document file downloaders initiated network activity Show sources
| http_request | wscript.exe_InternetCrackUrlW_http://musigiallifuck.ddns.net:1188/is-ready |
| http_request_path | wscript.exe_HttpOpenRequestW_/is-ready |
| http_request | wscript.exe_InternetCrackUrlA_http://musigiallifuck.ddns.net |
| http_request | wscript.exe_InternetCrackUrlA_http://musigiallifuck.ddns.net |
| http_request | wscript.exe_InternetCrackUrlW_http://musigiallifuck.ddns.net:1188/is-ready |
| http_request_path | wscript.exe_HttpOpenRequestW_/is-ready |
| http_request | wscript.exe_InternetCrackUrlW_http://musigiallifuck.ddns.net:1188/is-ready |
| http_request_path | wscript.exe_HttpOpenRequestW_/is-ready |
| http_request | wscript.exe_InternetCrackUrlW_http://musigiallifuck.ddns.net:1188/is-ready |
Attempts to block SafeBoot use by removing registry keys Show sources
| registry_delete | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option |
The binary likely contains encrypted or compressed data. Show sources
| packer_section | name: .rsrc, entropy: 7.46, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00003a00, virtual_size: 0x00003928 |
Sniffs keystrokes Show sources
| api_process_name | Process: FV2-XSONICX(Windows 64Bits).exe(1144) |
Collects information to fingerprint the system Show sources
| registry_read | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId |
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Roaming\FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe |
Installs itself for autorun at Windows startup Show sources
| registry_write | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Patch |
| data | wscript.exe //B "C:\Users\user\AppData\Roaming\Patch.vbs" |
| registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Patch |
| data | wscript.exe //B "C:\Users\user\AppData\Roaming\Patch.vbs" |
| file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Patch.vbs |
Attempts to interact with an Alternate Data Stream (ADS) Show sources
| file_query | C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | FV2-XSONICX-11.0_Windows64b-32b-NewUpdate.exe, PID 2872 |
A process attempted to delay the analysis task. Show sources
| api_process_name | wscript.exe tried to sleep 1080 seconds, actually delayed analysis time by 0 seconds |