Windows Analysis Report
P2jWhX7B3B.exe

Overview

General Information

Sample name: P2jWhX7B3B.exe
renamed because original name is a hash value
Original sample name: aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6.exe
Analysis ID: 1502381
MD5: 45b0d7e39737d84cda9fe98e63c950a9
SHA1: 2e00d9dca0fb42e29b14141e6e2229f7818bbcf2
SHA256: aa25d7c3077df8436843b7bda71b75a21d26364b433a785b6ef7fee32e685cd6
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: P2jWhX7B3B.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721E1 FindFirstFileW,FindClose, 0_2_00007FF787B721E1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721F5 FindFirstFileW,FindClose, 0_2_00007FF787B721F5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721CC FindFirstFileW,FindClose, 0_2_00007FF787B721CC
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721D4 FindFirstFileW,FindClose, 0_2_00007FF787B721D4
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B755C2 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF787B755C2
Source: P2jWhX7B3B.exe String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: P2jWhX7B3B.exe String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: P2jWhX7B3B.exe, 00000000.00000002.1668288119.00007FF787B94000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B758B0 0_2_00007FF787B758B0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B7492C 0_2_00007FF787B7492C
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B78F52 0_2_00007FF787B78F52
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B71E4B 0_2_00007FF787B71E4B
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B7A9EA 0_2_00007FF787B7A9EA
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B7159A 0_2_00007FF787B7159A
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B78972 0_2_00007FF787B78972
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B74953 0_2_00007FF787B74953
Source: P2jWhX7B3B.exe Static PE information: Number of sections : 12 > 10
Source: P2jWhX7B3B.exe Static PE information: Section: ZLIB complexity 0.9947643119747899
Source: classification engine Classification label: mal80.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B7492C GetEnvironmentVariableW,GetFileAttributesW,GetEnvironmentVariableW,GetFileAttributesW,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,_wcsicmp, 0_2_00007FF787B7492C
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 6
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 8
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 7
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 9
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 10
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 2
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 4
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -45918899--1129030014. Number: 3
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe File read: C:\Users\user\Desktop\P2jWhX7B3B.exe
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: P2jWhX7B3B.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: P2jWhX7B3B.exe Static file information: File size 3659776 > 1048576
Source: P2jWhX7B3B.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x321600

Data Obfuscation

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Unpacked PE file: 0.2.P2jWhX7B3B.exe.7ff787b70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;
Source: P2jWhX7B3B.exe Static PE information: real checksum: 0x3960e should be: 0x37e3d5
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name:
Source: P2jWhX7B3B.exe Static PE information: section name: entropy: 7.991448404720813
Source: P2jWhX7B3B.exe Static PE information: section name: entropy: 7.887538885458545
Source: P2jWhX7B3B.exe Static PE information: section name: entropy: 7.8223568056302195
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe System information queried: FirmwareTableInformation
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIECTRL.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE1
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $SANDBOXIERPCSS.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIESVC.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEN
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEO
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NETSNIFFER.EXE\CUT
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXED
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXEES$
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEO
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXES\PICTURES\\)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXEC
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE%
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667669140.0000021CBA2A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE?<
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $BEHAVIORDUMPER.EXED
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CFF EXPLORER.EXE(
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXEP
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEN
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXEC
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .SANDBOXIEDCOMLAUNCH.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $APIMONITOR-X86.EXEURES\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE8
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROC_ANALYZER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXEZ
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE\X
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE@
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXEJ
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXEE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA301000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA2FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXEB3B.EXE\WINDOWS\INETCACHE\\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667573301.0000021CBA155000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE"
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Window / User API: threadDelayed 422
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe API coverage: 8.2 %
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe TID: 5004 Thread sleep count: 422 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721E1 FindFirstFileW,FindClose, 0_2_00007FF787B721E1
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721F5 FindFirstFileW,FindClose, 0_2_00007FF787B721F5
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721CC FindFirstFileW,FindClose, 0_2_00007FF787B721CC
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B721D4 FindFirstFileW,FindClose, 0_2_00007FF787B721D4
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmscsi.exe,
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtools8
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmwareVBoxService.exe
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga.exeJ
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxserviceh
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe'
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exeD
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe/
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Exchange ServicevmickvpexchangeHyper-V Heartbeat ServicevmicheartbeatHyper-V Gue
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc.exe=
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exeB
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe>
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1662019646.0000021CBAA60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Fvmware physical disk helper service
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exeC
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exeM
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exeB
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyp
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvc.exez
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe2
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA2FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Fvmware physical disk helper servicee\windows\inetcache\
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmmemctl.exev
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvH
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exeb
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .new tab - google chromehyper-v
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668080657.0000021CBAA63000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662019646.0000021CBAA60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :hyper-v data exchange servicecs)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000003.1661631025.0000021CBAA6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: meW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: P2jWhX7B3B.exe, P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: P2jWhX7B3B.exe, 00000000.00000002.1668338582.00007FF787BA6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Process queried: DebugPort Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B71131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit, 0_2_00007FF787B71131
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787BA1690 SetUnhandledExceptionFilter, 0_2_00007FF787BA1690
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787BA1530 RtlAddVectoredExceptionHandler, 0_2_00007FF787BA1530

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B758B0 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread, 0_2_00007FF787B758B0
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe NtProtectVirtualMemory: Indirect: 0x7FF787C3BD37 Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe NtSetInformationThread: Indirect: 0x7FF787BEACC1 Jump to behavior
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe NtProtectVirtualMemory: Indirect: 0x7FF7887890CA Jump to behavior
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA415000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1661992608.0000021CBA420000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667924766.0000021CBA423000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: progmanion
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager chromeB
Source: P2jWhX7B3B.exe, 00000000.00000002.1668040510.0000021CBAA57000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000003.1662036173.0000021CBAA57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell_traywndxe
Source: C:\Users\user\Desktop\P2jWhX7B3B.exe Code function: 0_2_00007FF787B82030 GetSystemTimeAsFileTime, 0_2_00007FF787B82030
Source: P2jWhX7B3B.exe, 00000000.00000002.1667600109.0000021CBA160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1668134400.0000021CBAD96000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spideragent.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fsaua.exe
Source: P2jWhX7B3B.exe, 00000000.00000003.1661845360.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp, P2jWhX7B3B.exe, 00000000.00000002.1667730826.0000021CBA344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regmon.exe
No contacted IP infos