Windows Analysis Report
ujsvTrVlol.exe

Overview

General Information

Sample name: ujsvTrVlol.exe
renamed because original name is a hash value
Original sample name: 15af4a7899b540337cebe28776f4e24874aa6ac219636ca76b5b106f98919a04.exe
Analysis ID: 1502382
MD5: 35868ed1b450f9fcf74d7076b64383f2
SHA1: a5be319b81e0551e27436f0a5010808723d48704
SHA256: 15af4a7899b540337cebe28776f4e24874aa6ac219636ca76b5b106f98919a04
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Contains functionality to inject code into remote processes
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ujsvTrVlol.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E2205 FindFirstFileW,FindClose, 0_2_00007FF7F59E2205
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21E4 FindFirstFileW,FindClose, 0_2_00007FF7F59E21E4
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21DC FindFirstFileW,FindClose, 0_2_00007FF7F59E21DC
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21F1 FindFirstFileW,FindClose, 0_2_00007FF7F59E21F1
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E55D2 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF7F59E55D2
Source: ujsvTrVlol.exe String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: ujsvTrVlol.exe String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: ujsvTrVlol.exe, 00000000.00000002.1734267913.00007FF7F5A04000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E493C 0_2_00007FF7F59E493C
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E58C0 0_2_00007FF7F59E58C0
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E1E5B 0_2_00007FF7F59E1E5B
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E159A 0_2_00007FF7F59E159A
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59EA9FA 0_2_00007FF7F59EA9FA
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E8982 0_2_00007FF7F59E8982
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E4963 0_2_00007FF7F59E4963
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E8F62 0_2_00007FF7F59E8F62
Source: ujsvTrVlol.exe Static PE information: invalid certificate
Source: ujsvTrVlol.exe Static PE information: Number of sections : 12 > 10
Source: ujsvTrVlol.exe Static PE information: Section: ZLIB complexity 0.9949612657563025
Source: classification engine Classification label: mal80.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E493C GetEnvironmentVariableW,GetFileAttributesW,GetEnvironmentVariableW,GetFileAttributesW,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,_wcsicmp, 0_2_00007FF7F59E493C
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 8
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 9
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 4
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 5
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 6
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 7
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 0
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 1
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 2
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 3
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: -1472423074-1413185751. Number: 10
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ujsvTrVlol.exe File read: C:\Users\user\Desktop\ujsvTrVlol.exe
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: ujsvTrVlol.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ujsvTrVlol.exe Static file information: File size 16260936 > 1048576
Source: ujsvTrVlol.exe Static PE information: Raw size of (nameless section) is bigger than: 0x100000 < 0x323600

Data Obfuscation

Source: C:\Users\user\Desktop\ujsvTrVlol.exe Unpacked PE file: 0.2.ujsvTrVlol.exe.7ff7f59e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name:
Source: ujsvTrVlol.exe Static PE information: section name: entropy: 7.992284035028791
Source: ujsvTrVlol.exe Static PE information: section name: entropy: 7.857678669786828
Source: ujsvTrVlol.exe Static PE information: section name: entropy: 7.813860737497707
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Process information set: NOOPENFILEERRORBOX
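The static findings in the System Summary and Data Obfuscation sections (12 sections, all nameless, three of them with entropy above 7.8, an invalid certificate, and an "Unpacked PE file" line in which sections that are R or W on disk run as EW in the dump) are the checks a triage script runs before a sample is opened in a debugger; together with the enigmaprotector.com taggant CRL URLs in the AV Detection section they point to a commercial protector rather than a compiler-produced layout. The Python below is an added example, not code from this report or from Joe Sandbox: it parses the PE section table with struct alone, computes per-section entropy and protection, flags the same conditions the report's signatures flag, and diffs the rights in the report's own unpack line (the report prints the rights seen in the dumped image first and the on-disk rights after "vs"). The PE image it analyses is constructed in code, the section-count threshold of 10 and the entropy threshold of 7.0 are assumptions chosen to match the findings, and the analysed sample itself is not included.

```python
import math
import random
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed thresholds, chosen to mirror the report (12 > 10 sections, entropy 7.8-7.99).
MAX_NORMAL_SECTIONS = 10
PACKED_ENTROPY = 7.0


def shannon_entropy(data):
    """Bits per byte: near 0 for padding or NOP sleds, near 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights(characteristics):
    """Render section protection the way the report does: any of E, R, W."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(ch for bit, ch in flags if characteristics & bit)


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table, no pefile needed."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rights": rights(chars), "entropy": shannon_entropy(raw)})
    return sections


def triage(image):
    """Static findings equivalent to the report's section-based signatures."""
    secs = parse_sections(image)
    return {
        "section_count": len(secs),
        "too_many_sections": len(secs) > MAX_NORMAL_SECTIONS,
        "nameless": [i for i, s in enumerate(secs) if not s["name"]],
        "high_entropy": [i for i, s in enumerate(secs) if s["entropy"] > PACKED_ENTROPY],
        "write_execute": [i for i, s in enumerate(secs) if "E" in s["rights"] and "W" in s["rights"]],
    }


def rights_changes(report_line):
    """Diff a Joe Sandbox 'Unpacked PE file' line ('<rights in dump> vs <rights on disk>').

    Returns {section: (on_disk, in_dump)} for every section whose protection changed,
    the evidence behind 'Detected unpacking (changes PE section rights)'.
    """
    dumped, _, on_disk = report_line.split(".unpack ", 1)[-1].partition(" vs ")

    def to_map(part):
        return dict(item.split(":") for item in part.strip().strip(";").split(";") if item)

    dump_map, disk_map = to_map(dumped), to_map(on_disk)
    return {name: (disk_map.get(name, ""), dump_map[name])
            for name in dump_map if disk_map.get(name) != dump_map[name]}


def build_pe(section_specs):
    """Constructed minimal PE32+ image for the demo (not the analysed sample)."""
    opt_size = 240
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(section_specs)
    first_raw = (header_len + 0x1FF) & ~0x1FF          # 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    table, body, va, ptr = b"", b"", 0x1000, first_raw
    for name, chars, data in section_specs:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw_size, ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        va += max(0x1000, (len(data) + 0xFFF) & ~0xFFF)
        ptr += raw_size
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + body


_rng = random.Random(2024)


def _packed_bytes():
    """Pseudo-random filler standing in for a packed section body."""
    return bytes(_rng.getrandbits(8) for _ in range(4096))


# Two normal sections plus ten nameless EW sections, like the layout the report describes.
DEMO_IMAGE = build_pe(
    [(b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 64 + b"\xc3"),
     (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 32 + b"demo")]
    + [(b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, _packed_bytes()) for _ in range(10)])

# Rights portion of the report's own "Unpacked PE file" line for this sample.
REPORT_RIGHTS_LINE = (
    "Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;"
    "Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;"
    "Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;"
    " vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;"
    "Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;"
    "Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;")

if __name__ == "__main__":
    print(triage(DEMO_IMAGE))
    print(rights_changes(REPORT_RIGHTS_LINE))
```

On the report's line, nine of the twelve sections change protection between disk and dump, and every one of them ends up executable and writable; that is the pattern of a protector decrypting its payload in place rather than a legitimate relocation. Run the same `triage` over a real file and the `high_entropy` and `nameless` lists give you the section indices to dump from memory once the unpacking stub has finished.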

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ujsvTrVlol.exe System information queried: FirmwareTableInformation
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $SANDBOXIERPCSS.EXETA
Source: ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXEZ1Y)H
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NETSNIFFER.EXE#
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE3
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEQ
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIESVC.EXE&
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIECTRL.EXEC
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $APIMONITOR-X86.EXEURES\Q
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE=
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $FAKEHTTPSERVER.EXEU+
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE[
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $BEHAVIORDUMPER.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE?1QD-
Source: ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE>
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXEG
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE0
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEV
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CFF EXPLORER.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE9
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXES\PICTURES\\{
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .SANDBOXIEDCOMLAUNCH.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXELOL.EXE\WINDOWS\INETCACHE\\
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROC_ANALYZER.EXEG
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCPDUMP.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXEK
Source: ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE91PC-
Source: ujsvTrVlol.exe, 00000000.00000002.1733736527.000001E802A60000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000002.1733413761.000001E800C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802AC9000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802AC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXEC
Source: C:\Users\user\Desktop\ujsvTrVlol.exe API coverage: 8.4 %
Source: C:\Users\user\Desktop\ujsvTrVlol.exe TID: 1804 Thread sleep count: 231 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ujsvTrVlol.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E2205 FindFirstFileW,FindClose, 0_2_00007FF7F59E2205
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21E4 FindFirstFileW,FindClose, 0_2_00007FF7F59E21E4
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21DC FindFirstFileW,FindClose, 0_2_00007FF7F59E21DC
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E21F1 FindFirstFileW,FindClose, 0_2_00007FF7F59E21F1
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733962235.000001E803070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeatfaceY
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmwareVBoxService.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtools
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga!
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exeO
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733962235.000001E803070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLEAUT32.dllager.dllHhyper-v m
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exeW
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe>1qe-
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe>1qe-
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe<
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvc.exeM
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvc.exe0
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe>1qe-
Source: ujsvTrVlol.exe, 00000000.00000003.1728764942.000001E803176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Exchange ServicevmickvpexchangeHyper-V Heartbeat ServicevmicheartbeatHyper-V Gue
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe(
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe5
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000003.1728764942.000001E803176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyp
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmmemctl.exec
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe]
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Fvmware physical disk helper servicee\windows\inetcache\
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe>1qe-
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000003.1728764942.000001E803176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvH
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmscsi.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exeC
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-ga@
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe{
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: ujsvTrVlol.exe, 00000000.00000003.1728764942.000001E803176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: meW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ujsvTrVlol.exe, ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe^
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: ujsvTrVlol.exe, 00000000.00000002.1734318346.00007FF7F5A16000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\ujsvTrVlol.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit, 0_2_00007FF7F59E1131
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F5A11690 SetUnhandledExceptionFilter, 0_2_00007FF7F5A11690

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59E58C0 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread, 0_2_00007FF7F59E58C0
Source: C:\Users\user\Desktop\ujsvTrVlol.exe NtProtectVirtualMemory: Indirect: 0x7FF7F65F92E1
Source: C:\Users\user\Desktop\ujsvTrVlol.exe NtProtectVirtualMemory: Indirect: 0x7FF7F5AABD37
Source: C:\Users\user\Desktop\ujsvTrVlol.exe NtSetInformationThread: Indirect: 0x7FF7F5A5ACC1
Source: ujsvTrVlol.exe, 00000000.00000002.1733792396.000001E802B65000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802B65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shell_traywndexeeh
Source: ujsvTrVlol.exe, 00000000.00000002.1733962235.000001E803070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager chrome
Source: ujsvTrVlol.exe, 00000000.00000002.1733917093.000001E802BFB000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729442062.000001E802BF8000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000003.1729303397.000001E802B65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: progmane
Source: C:\Users\user\Desktop\ujsvTrVlol.exe Code function: 0_2_00007FF7F59F2040 GetSystemTimeAsFileTime, 0_2_00007FF7F59F2040
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1734103431.000001E803486000.00000004.00000020.00020000.00000000.sdmp, ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fch32.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spideragent.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: ujsvTrVlol.exe, 00000000.00000002.1733602494.000001E8026A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fsaua.exe
No contacted IP infos