Windows Analysis Report
GxEyLSwNqM.exe

Overview

General Information

Sample name: GxEyLSwNqM.exe
renamed because original name is a hash value
Original sample name: 7403e694ab8b96b57f3cac3b0e66ddad81c4745e986d4974d9d0601765d44fe8.exe
Analysis ID: 1501766
MD5: 2d2bcbb224240fbad170f45226365cd2
SHA1: ec842fb4e6d1bc8ea365e94d0c4e38b30df4df1a
SHA256: 7403e694ab8b96b57f3cac3b0e66ddad81c4745e986d4974d9d0601765d44fe8
Tags: 120-46-149-112exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
One or more processes crash
Sigma detected: Communication To Uncommon Destination Ports

Classification

AV Detection

Source: GxEyLSwNqM.exe Avira: detected
Source: GxEyLSwNqM.exe ReversingLabs: Detection: 42%
Source: GxEyLSwNqM.exe Virustotal: Detection: 14%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: GxEyLSwNqM.exe Joe Sandbox ML: detected
Source: GxEyLSwNqM.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Project\RefleXXion\x64\Release\RefleXXion-EXE.pdb source: GxEyLSwNqM.exe

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: global traffic TCP traffic: 192.168.2.3:49709 -> 120.46.149.112:8888
Source: Joe Sandbox View IP Address: 120.46.149.112
Source: unknown TCP traffic detected without corresponding DNS query: 120.46.149.112
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF591740 malloc,InternetOpenW,InternetOpenUrlA,InternetReadFile,HeapCreate,HeapAlloc,memcpy, 0_2_00007FF7DF591740
Source: global traffic HTTP traffic detected: GET /safekey HTTP/1.1 User-Agent: myapp Host: 120.46.149.112:8888 Cache-Control: no-cache
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112/
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB103C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekey
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyN
Source: GxEyLSwNqM.exe, 00000000.00000002.1417965734.000000B0B2AFA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeySj
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyb
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://120.46.149.112:8888/safekeyr
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF5913B0 printf,GetModuleHandleA,GetLastError,printf,GetProcAddress,printf,printf,CloseHandle,printf,K32GetModuleInformation,GetLastError,printf,printf,printf,printf,printf,NtProtectVirtualMemory,printf,NtProtectVirtualMemory,printf,printf,GetProcAddress,NtUnmapViewOfSection,printf,CloseHandle,printf, 0_2_00007FF7DF5913B0
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF591740 0_2_00007FF7DF591740
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7992 -s 1096
Source: classification engine Classification label: mal72.troj.evad.winEXE@2/5@0/1
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7992
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\64beb133-a28f-41c3-8c1f-86a776e288f1
Source: GxEyLSwNqM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GxEyLSwNqM.exe ReversingLabs: Detection: 42%
Source: GxEyLSwNqM.exe Virustotal: Detection: 14%
Source: unknown Process created: C:\Users\user\Desktop\GxEyLSwNqM.exe "C:\Users\user\Desktop\GxEyLSwNqM.exe"
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7992 -s 1096
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: GxEyLSwNqM.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: GxEyLSwNqM.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: GxEyLSwNqM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Project\RefleXXion\x64\Release\RefleXXion-EXE.pdb source: GxEyLSwNqM.exe
Source: GxEyLSwNqM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GxEyLSwNqM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GxEyLSwNqM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GxEyLSwNqM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GxEyLSwNqM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: GxEyLSwNqM.exe, 00000000.00000002.1418301919.0000020FB10B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF5920B0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7DF5920B0
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF592258 SetUnhandledExceptionFilter, 0_2_00007FF7DF592258
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF591BC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7DF591BC4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtReadVirtualMemory: Direct from: 0x7FF7DF591532
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtUnmapViewOfSection: Direct from: 0x7FF7DF5916CF
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtQueryInformationToken: Direct from: 0x7FF7DF591822
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtClose: Direct from: 0x7FF7DF5916EF
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtAllocateVirtualMemory: Direct from: 0x7FF7DF5918D2
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtSetSecurityObject: Direct from: 0x7FFB91EC26B1
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtAllocateVirtualMemory: Direct from: 0x7FFB91EE4BEE
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtProtectVirtualMemory: Direct from: 0x7FF7DF591847
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe NtQuerySystemInformation: Direct from: 0x20FB2EE0080
Source: C:\Users\user\Desktop\GxEyLSwNqM.exe Code function: 0_2_00007FF7DF591F90 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7DF591F90
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe