Windows Analysis Report
GesApIoVpU.exe

Overview

General Information

Sample name: GesApIoVpU.exe
renamed because original name is a hash value
Original sample name: ff21ad97101c63845d80c0df6808575d05095fa902821dc4fa52e462ef338140.exe
Analysis ID: 1501752
MD5: c8f9956ef78e7878d289a8b9197eefdb
SHA1: c315cd7143c01adb167f81d2e2d5df98e872ed2c
SHA256: ff21ad97101c63845d80c0df6808575d05095fa902821dc4fa52e462ef338140
Tags: 120-46-149-112exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
One or more processes crash
Sigma detected: Communication To Uncommon Destination Ports

Classification

AV Detection

Source: GesApIoVpU.exe Avira: detected
Source: GesApIoVpU.exe ReversingLabs: Detection: 39%
Source: GesApIoVpU.exe Virustotal: Detection: 14%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: GesApIoVpU.exe Joe Sandbox ML: detected
Source: GesApIoVpU.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Project\RefleXXion\x64\Release\RefleXXion-EXE.pdb source: GesApIoVpU.exe

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 8888
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 120.46.149.112:8888
Source: unknown TCP traffic detected without corresponding DNS query: 120.46.149.112
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A1740 malloc,InternetOpenW,InternetOpenUrlA,InternetReadFile,HeapCreate,RtlAllocateHeap,memcpy, 0_2_00007FF6D25A1740
Source: global traffic HTTP traffic detected: GET /safekey HTTP/1.1 | User-Agent: myapp | Host: 120.46.149.112:8888 | Cache-Control: no-cache
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112/
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112/uG
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28EFC000.00000004.00000020.00020000.00000000.sdmp, GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F70000.00000004.00000020.00020000.00000000.sdmp, GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F97000.00000004.00000020.00020000.00000000.sdmp, GesApIoVpU.exe, 00000000.00000002.2066554017.0000002EEB17A000.00000004.00000010.00020000.00000000.sdmp, GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekey
Source: GesApIoVpU.exe, 00000000.00000002.2066554017.0000002EEB17A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyB
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyc
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeys
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyv
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyvF
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A13B0 printf,GetModuleHandleA,GetLastError,printf,GetProcAddress,printf,printf,CloseHandle,printf,K32GetModuleInformation,GetLastError,printf,printf,printf,printf,printf,NtProtectVirtualMemory,printf,NtProtectVirtualMemory,printf,printf,GetProcAddress,NtUnmapViewOfSection,printf,FindCloseChangeNotification,printf, 0_2_00007FF6D25A13B0
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A1740 0_2_00007FF6D25A1740
Source: C:\Users\user\Desktop\GesApIoVpU.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7356 -s 1072
Source: classification engine Classification label: mal72.troj.evad.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7356
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\89319366-ad9c-4edf-9ade-daf7919c2c39
Source: GesApIoVpU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GesApIoVpU.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\GesApIoVpU.exe "C:\Users\user\Desktop\GesApIoVpU.exe"
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GesApIoVpU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: GesApIoVpU.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GesApIoVpU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: GesApIoVpU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GesApIoVpU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GesApIoVpU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GesApIoVpU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GesApIoVpU.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28FB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28FB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: GesApIoVpU.exe, 00000000.00000002.2066914686.0000016F28F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\GesApIoVpU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A20B0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D25A20B0
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A2258 SetUnhandledExceptionFilter, 0_2_00007FF6D25A2258
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A1BC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6D25A1BC4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\GesApIoVpU.exe NtClose: Direct from: 0x7FF6D25A16EF
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtSetSecurityObject: Direct from: 0x7FFE221C26A1
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtReadVirtualMemory: Direct from: 0x7FF6D25A1532
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtAllocateVirtualMemory: Direct from: 0x7FF6D25A18E6
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtQuerySystemInformation: Direct from: 0x16F2ADF0080
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtAllocateVirtualMemory: Direct from: 0x7FF6D25A18D2
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtProtectVirtualMemory: Direct from: 0x7FF6D25A1847
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtUnmapViewOfSection: Direct from: 0x7FF6D25A16CF
Source: C:\Users\user\Desktop\GesApIoVpU.exe NtQueryInformationToken: Direct from: 0x7FF6D25A1822
Source: C:\Users\user\Desktop\GesApIoVpU.exe Code function: 0_2_00007FF6D25A1F90 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6D25A1F90
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe