Windows Analysis Report
8xfH5IUIWU.exe

Overview

General Information

Sample name: 8xfH5IUIWU.exe (renamed because the original name is a hash value)
Original sample name: 40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081.exe
Analysis ID: 1502258
MD5: a2c74b5aad6f1e7dc6b11a61c5ae2c46
SHA1: 431faa2771a4090ea286cc6d6ecf77e32a4cf340
SHA256: 40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Contains functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: 8xfH5IUIWU.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423AB FindFirstFileW,FindClose, 0_2_00007FF7A74423AB
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423B3 FindFirstFileW,FindClose, 0_2_00007FF7A74423B3
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A744239E FindFirstFileW,FindClose, 0_2_00007FF7A744239E
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423C0 FindFirstFileW,FindClose, 0_2_00007FF7A74423C0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 4x nop then dec rdx 0_2_00007FF7A74793D0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7444DEA InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF7A7444DEA
Source: 8xfH5IUIWU.exe String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: 8xfH5IUIWU.exe String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7503240 NtReadFile, 0_2_00007FF7A7503240
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7503300 NtCreateFile, 0_2_00007FF7A7503300
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7503060 NtCreateSection, 0_2_00007FF7A7503060
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7502F90 NtMapViewOfSection, 0_2_00007FF7A7502F90
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A76B9DA8 NtReadFile, 0_2_00007FF7A76B9DA8
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7441E8D: DeviceIoControl,OpenProcess,TerminateProcess, 0_2_00007FF7A7441E8D
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74450D8 0_2_00007FF7A74450D8
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7443F9B 0_2_00007FF7A7443F9B
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7448792 0_2_00007FF7A7448792
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7441616 0_2_00007FF7A7441616
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A744A22A 0_2_00007FF7A744A22A
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A745124B 0_2_00007FF7A745124B
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74481B2 0_2_00007FF7A74481B2
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A744202A 0_2_00007FF7A744202A
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7455FB0 0_2_00007FF7A7455FB0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7441E8D 0_2_00007FF7A7441E8D
Source: 8xfH5IUIWU.exe Static PE information: Number of sections : 12 > 10
Source: 8xfH5IUIWU.exe Static PE information: Section: ZLIB complexity 0.9956341911764706
Source: classification engine Classification label: mal88.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7443F9B GetEnvironmentVariableW,GetFileAttributesW,GetEnvironmentVariableW,GetFileAttributesW,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,_wcsicmp, 0_2_00007FF7A7443F9B
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: 1383544257--904687418. Number: 0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe File read: C:\Users\user\Desktop\8xfH5IUIWU.exe
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: 8xfH5IUIWU.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 8xfH5IUIWU.exe Static file information: File size 3241472 > 1048576
Source: 8xfH5IUIWU.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x2c1a00

Data Obfuscation

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Unpacked PE file: 0.2.8xfH5IUIWU.exe.7ff7a7440000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;
Source: 8xfH5IUIWU.exe Static PE information: real checksum: 0x2fb10 should be: 0x31f037
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name:
Source: 8xfH5IUIWU.exe Static PE information: section name: entropy: 7.992733295273297
Source: 8xfH5IUIWU.exe Static PE information: section name: entropy: 7.808705679598211
Source: 8xfH5IUIWU.exe Static PE information: section name: entropy: 7.73306314545859

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: DeviceIoControl,OpenProcess,TerminateProcess, \\.\PhysicalDrive0 0_2_00007FF7A7441E8D

Boot Survival

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: DeviceIoControl,OpenProcess,TerminateProcess, \\.\PhysicalDrive0 0_2_00007FF7A7441E8D
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: QEMU HARDDISK QEMU HARDDISK 0_2_00007FF7A7441E8D
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe System information queried: FirmwareTableInformation
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE#
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXEG
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $SANDBOXIERPCSS.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXEU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXES
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIESVC.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXEQ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEI
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIECTRL.EXEA\\CU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $BEHAVIORDUMPER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXENS\PICTURES\
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXEK
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE+
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEZ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE_
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEM
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CFF EXPLORER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE&
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXEW
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE$
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022103652.000001F378B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXEUIWU.EXE,
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NETSNIFFER.EXEO
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .SANDBOXIEDCOMLAUNCH.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE]
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE`
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROC_ANALYZER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEC
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEZ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $APIMONITOR-X86.EXETURES\
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXECU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXET
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEW
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Window / User API: threadDelayed 665
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe API coverage: 6.0 %
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe TID: 6588 Thread sleep count: 665 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423AB FindFirstFileW,FindClose, 0_2_00007FF7A74423AB
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423B3 FindFirstFileW,FindClose, 0_2_00007FF7A74423B3
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A744239E FindFirstFileW,FindClose, 0_2_00007FF7A744239E
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74423C0 FindFirstFileW,FindClose, 0_2_00007FF7A74423C0
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: basic_string::appendcannot create std::vector larger than max_size()Stop reversing the programReconsider your life choicesAnd go touch some grass\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKvector::_M_range_insert
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <hyper-v guest shutdown servicell
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmmemctl.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtools
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >hyper-v guest service interfacel!
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: QEMU HARDDISK
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A68B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #vmware physical disk helper service
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe-
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc.exeE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe,
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga.exeq
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Fvmware physical disk helper service
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe*
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvc.exet
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Fvmware physical disk helper servicexe\windows\history\
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmscsi.exe}
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Bhyper-v powershell direct servicel
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga`j+{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74516E5 ??3@YAXPEAX@Z,IsDebuggerPresent,RaiseException, 0_2_00007FF7A74516E5
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7441131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit, 0_2_00007FF7A7441131
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7450708 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,TlsSetValue, 0_2_00007FF7A7450708
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74706B0 SetUnhandledExceptionFilter, 0_2_00007FF7A74706B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74450D8 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread, 0_2_00007FF7A74450D8
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe NtSetInformationThread: Indirect: 0x7FF7A74B6B0D
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe NtProtectVirtualMemory: Indirect: 0x7FF7A7504AAB
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe NtProtectVirtualMemory: Indirect: 0x7FF7A7F08EBA
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023056255.000001F37AE80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: progman service
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023056255.000001F37AE80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager Chromeer
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell_traywnd
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A745BAD0 cpuid 0_2_00007FF7A745BAD0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A7451870 GetSystemTimeAsFileTime, 0_2_00007FF7A7451870
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spideragent.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fsaua.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regmon.exe
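Reading the entries above takes some care. The memory strings are raw extractor output, so hits carry stray bytes ("vmsrvc.exeE", "qemu-ga`j+{"), and the long run of "Windows ... without Hyper-V" entries is a table of Windows product-edition names whose first character is a one-byte length prefix: "3" is chr(51) in front of the 51-character "Windows 10 Server Datacenter without Hyper-V (full)", "8" is chr(56) in front of a 56-character entry, "%" is chr(37) in front of a 37-character one. Those rows match on the keyword "Hyper-V", not on a VM check; the substantive virtualization indicators are the guest-tool process names (vboxservice.exe, vboxtray.exe, vmwaretray.exe, vmusrvc.exe, vmsrvc.exe, vmscsi.exe, qemu-ga), the vendor strings ("vmware physical disk helper service", "hyper-v powershell direct service", "VMWare"), and the debugger, monitor and AV process names listed in the HIPS section (ollydbg.exe, procdump.exe, tcpview.exe, wireshark.exe, regmon.exe, spideragent.exe, fsaua.exe). Among the code-function entries, 0_2_00007FF7A74450D8 is the one to look at first: CreateProcessA followed by VirtualAllocEx, WriteProcessMemory, VirtualProtect, QueueUserAPC and ResumeThread is the shape of APC injection into a process the sample has just created and not yet resumed.

The Python helper below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses both line shapes ("Binary or memory string" and "Code function"), strips the length prefixes, classifies each string into an indicator category per memory region, and checks each call chain against ordered API patterns. Its sample input is a constructed copy of entries above; the category names, the API patterns, and the reading of the CreateProcessA chain as APC injection are this editor's assumptions, as is the interpretation of the "F" (70) before the 35-character "vmware physical disk helper service" as a UTF-16 byte-length field whose zero bytes the extractor dropped.

```python
"""Triage helper for the 'Binary or memory string' and 'Code function' entries
of the report above.  Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed sample input: eight lines in the shape of the report entries.
SAMPLE_LINES = r"""
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc.exeE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe,
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga`j+{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74450D8 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread, 0_2_00007FF7A74450D8
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe Code function: 0_2_00007FF7A74516E5 ??3@YAXPEAX@Z,IsDebuggerPresent,RaiseException, 0_2_00007FF7A74516E5
""".strip().splitlines()

# A dump id is eight dot-separated hex fields, the 16-digit one being the region
# address; on multi-source lines the id right before "sdmp Binary" is taken.
MEM_RE = re.compile(
    r"(?P<dump>(?:[0-9A-Fa-f]+\.){8})sdmp Binary or memory string: (?P<s>.*)$")
CODE_RE = re.compile(
    r"Code function: (?P<fn>0_2_[0-9A-F]+) (?P<apis>.+?) 0_2_[0-9A-F]+$")

INDICATORS = {  # lower-case markers, searched as substrings
    "vm_guest_process": ("vboxservice.exe", "vboxtray.exe", "vmwaretray.exe",
                         "vmusrvc.exe", "vmsrvc.exe", "vmscsi.exe", "qemu-ga"),
    "vm_vendor_string": ("vmware", "virtual machines", "hyper-v powershell direct"),
    "analysis_tool": ("procdump.exe", "tcpview.exe", "wireshark.exe",
                      "ollydbg.exe", "regmon.exe"),
    "av_process": ("spideragent.exe", "fsaua.exe"),  # Dr.Web and F-Secure agents
    # Windows product-edition names: keyword hits on "Hyper-V", not VM checks
    "os_edition_name": ("without hyper-v", "microsoft hyper-v server"),
}

API_PATTERNS = {  # calls that must occur in this order; others may sit between
    # create, write, queue an APC, resume: APC injection into a fresh process
    # (this reading of the chain is the editor's assumption)
    "apc_injection_chain": ("CreateProcessA", "VirtualAllocEx",
                            "WriteProcessMemory", "QueueUserAPC", "ResumeThread"),
    "isdebuggerpresent_check": ("IsDebuggerPresent",),
    "vectored_exception_handler": ("RtlAddVectoredExceptionHandler",),
}


def strip_length_prefix(raw):
    """Drop a one-character length prefix: '3' (51) before the 51-character
    'Windows 10 Server Datacenter without Hyper-V (full)', or 'F' (70) before
    the 35-character 'vmware physical disk helper service', whose UTF-16 byte
    length is 70 (interpretation).  Anything else is returned unchanged."""
    body = len(raw) - 1
    if body > 0 and ord(raw[0]) in (body, 2 * body):
        return raw[1:]
    return raw


def classify_string(raw):
    """Categories whose markers occur in RAW; substring matching tolerates the
    stray bytes around hits such as 'vmsrvc.exeE' or 'qemu-ga`j+{'."""
    text = strip_length_prefix(raw).lower()
    return {cat for cat, markers in INDICATORS.items()
            if any(m in text for m in markers)}


def contains_in_order(needle, haystack):
    """True if every call in NEEDLE appears in HAYSTACK in that order."""
    it = iter(haystack)
    return all(any(call == want for call in it) for want in needle)


def match_api_patterns(apis):
    return sorted(name for name, seq in API_PATTERNS.items()
                  if contains_in_order(seq, apis))


def parse_line(line):
    """('mem', region, string), ('code', function, [apis]) or None."""
    m = MEM_RE.search(line)
    if m:
        region = next(f for f in m.group("dump").split(".") if len(f) == 16)
        return ("mem", region, m.group("s"))
    m = CODE_RE.search(line)
    if m:
        return ("code", m.group("fn"), [a for a in m.group("apis").split(",") if a])
    return None


def triage(lines):
    """Map indicator category -> sorted memory regions holding it, and code
    function -> matched call-chain patterns."""
    by_category, by_function = defaultdict(set), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, where, payload = parsed
        if kind == "mem":
            for cat in classify_string(payload):
                by_category[cat].add(where)
        elif hits := match_api_patterns(payload):
            by_function[where] = hits
    return {cat: sorted(regs) for cat, regs in by_category.items()}, by_function
```

triage(SAMPLE_LINES) places the guest-tool names in four regions (the three heap regions and the image region at 00007FF7A7475000), confines the edition-name table and the "Virtual Machines" vendor string to the image region, and flags 0_2_00007FF7A74450D8 as the APC injection chain and 0_2_00007FF7A74516E5 as the IsDebuggerPresent check. Feeding it the full report's lines instead of the sample gives the same per-region view for every entry above; indirect-syscall and HideFromDebugger entries have no string or call-chain form and are not covered by it.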
No contacted IP infos