Reads data out of its own binary image Show sources
| api_process_name | process: oqm5r5hfdcd.exe, pid: 1768, offset: 0x00051f10, length: 0x00005b10 |
| api_process_name | process: oqm5r5hfdcd.exe, pid: 1768, offset: 0x00057ac5, length: 0x0003e88e |
Attempts to connect to a dead IP:Port (1 unique times) Show sources
| network_host_ip | 127.0.0.1:49261 |
Starts servers listening on 127.0.0.1:0
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | HTTP traffic contains a POST request with no user-agent header |
| network_anomaly | HTTP traffic contains a GET request with no user-agent header |
| network_anomaly | http://www.wizzmonetize.com/remotes_xml_sections.php |
| network_anomaly | http://asedownloadgate.com/from_backup/747474/AdsShow_installer.exe |
| network_anomaly | http://asedownloadgate.com/3/000000/wizzcaster_installer_v2.exe |
| network_anomaly | http://asedownloadgate.com/exe/updater.exe |
| network_anomaly | http://asedownloadgate.com/safe_download/582369/AdsShow.exe |
| network_anomaly | http://asedownloadgate.com/download/3/wizzcaster_v2.exe |
| network_anomaly | http://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load |
| network_anomaly | http://asedownloadgate.com/download/3/wizzcaster_uninstaller_v2.exe |
| network_anomaly | http://ladomainadeserver.com/api/v5/config |
| network_anomaly | http://ladomainadeserver.com/api/v5/link |
Performs some HTTP requests Show sources
| network_url | http://www.wizzmonetize.com/remotes_xml_sections.php |
| network_url | http://asedownloadgate.com/from_backup/747474/AdsShow_installer.exe |
| network_url | http://asedownloadgate.com/3/000000/wizzcaster_installer_v2.exe |
| network_url | http://asedownloadgate.com/exe/updater.exe |
| network_url | http://asedownloadgate.com/safe_download/582369/AdsShow.exe |
| network_url | http://asedownloadgate.com/download/3/wizzcaster_v2.exe |
| network_url | http://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load |
| network_url | http://asedownloadgate.com/download/3/wizzcaster_uninstaller_v2.exe |
| network_url | http://ladomainadeserver.com/api/v5/config |
| network_url | http://ladomainadeserver.com/api/v5/link |
At least one IP Address, Domain, or File Name was found in a crypto call Show sources
| ioc | e.1f |
| ioc | a.4z |
| ioc | 0.j. |
| ioc | b.0f |
| ioc | q.ur |
| ioc | -.o0 |
Collects information to fingerprint the system Show sources
| registry_read | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Roaming\a022yqeqrbb\oqm5r5hfdcd.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\up.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\is-VGP26.tmp\oqm5r5hfdcd.tmp |
| file_dropped | C:\Program Files\2VCLXBBP8J\2VCLXBBP8.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\SecondL.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\4H89P7ZWCO\OneTwo.exe |
Installs itself for autorun at Windows startup Show sources
| registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9167502 |
| data | "C:\Users\user\AppData\Roaming\a022yqeqrbb\oqm5r5hfdcd.exe" /VERYSILENT |
| registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5S1OX8UILO2BUD7 |
| data | "C:\Program Files\2VCLXBBP8J\2VCLXBBP8.exe" |
| registry_write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OMEWPRODUCT_X65WX |
| data | "C:\Users\user\AppData\Local\Temp\44ee549bd481f02c6c0edc02da5fe6fe5af442f0.exe" |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | cmd.exe, PID 1136 |
Detects VMware through the presence of a registry key Show sources
| registry_query | HKEY_CURRENT_USER\Software\VMware, Inc. |
Checks the presence of disk drives in the registry, possibly for anti-virtualization Show sources
| registry_query | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 |
Attempts to identify installed analysis tools by registry key Show sources
| registry_query | HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CLASSES_ROOT\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CURRENT_CONFIG\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_USERS\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2 |
| registry_query | HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_CLASSES_ROOT\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_CURRENT_CONFIG\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_USERS\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
| registry_query | HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark |
A process attempted to delay the analysis task by a long amount of time. Show sources
| api_process_name | 2VCLXBBP8.exe tried to sleep 15420 seconds, actually delayed analysis time by 0 seconds |
| api_process_name | 44ee549bd481f02c6c0edc02da5fe6fe5af442f0.exe tried to sleep 5460 seconds, actually delayed analysis time by 0 seconds |
| api_process_name | oqm5r5hfdcd.tmp tried to sleep 4980 seconds, actually delayed analysis time by 0 seconds |
Tries to unhook or modify Windows functions monitored by Cuckoo Show sources
| function_modify | function_name: LdrLoadDll, type: modification |
Attempts to repeatedly call a single API many times in order to delay analysis time Show sources
| api_process_name | firefox.exe (2836) called API GetSystemTime 11148 times |
| api_process_name | firefox.exe (2836) called API GetSystemTimeAsFileTime 182064 times |