Edit tour

Windows Analysis Report
GsrDwm0DJG.ps1

Overview

General Information

Sample name:	GsrDwm0DJG.ps1 renamed because original name is a hash value
Original sample name:	9dda3ea193bf9e411bee70975424487b2a6728636e9837dfac6530b44edf48af.ps1
Analysis ID:	1511451
MD5:	bb8b708e6cf1915492af5dcb677a2cdd
SHA1:	9547df0fd4e67dd321da10359f5eb2161790df42
SHA256:	9dda3ea193bf9e411bee70975424487b2a6728636e9837dfac6530b44edf48af
Tags:	deadmunky-nlps1
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 7884 cmdline: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

khle.exe (PID: 7904 cmdline: C:\Users\Public\Documents\khle.exe MD5: EC0F07CB1F1F5B4DD1BD94958C20A5AD)

OpenWith.exe (PID: 7932 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000003.2213215790.0000020C80000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.2221017960.0000016653D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 7296	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x28775f:$b1: ::WriteAllBytes( 0xbe397:$s1: -join 0xbe4c6:$s1: -join 0xe51ac:$s1: -join 0xf242d:$s1: -join 0xf58ef:$s1: -join 0xf5f89:$s1: -join 0xf7a85:$s1: -join 0xf9cd9:$s1: -join 0xfa500:$s1: -join 0xfad5b:$s1: -join 0xfb496:$s1: -join 0xfb4c8:$s1: -join 0xfb510:$s1: -join 0xfb52f:$s1: -join 0xfbd80:$s1: -join 0xfbefc:$s1: -join 0xfbf74:$s1: -join 0xfc007:$s1: -join 0xfc26d:$s1: -join 0xfe426:$s1: -join
Process Memory Space: khle.exe PID: 7904	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: OpenWith.exe PID: 7932	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
10.3.OpenWith.exe.166561b0000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.3.OpenWith.exe.166561b0000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.3.OpenWith.exe.16655ed0000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.3.khle.exe.20c80b30000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.3.khle.exe.20c80b30000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.3.khle.exe.20c80850000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.3.khle.exe.20c80850000.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\khle.exe, CommandLine: C:\Users\Public\Documents\khle.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\khle.exe, NewProcessName: C:\Users\Public\Documents\khle.exe, OriginalFileName: C:\Users\Public\Documents\khle.exe, ParentCommandLine: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe , ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 7884, ParentProcessName: conhost.exe, ProcessCommandLine: C:\Users\Public\Documents\khle.exe, ProcessId: 7904, ProcessName: khle.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7296, TargetFilename: C:\Users\Public\Documents\khle.mp3

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", ProcessId: 7296, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1", ProcessId: 7296, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\khle.mp3

Avira: detection malicious, Label: TR/AVI.Rhadamanthys.xgajh

Found malware configuration

Source: 00000009.00000002.2228592994.00007FF79CD21000.00000020.00000001.01000000.00000008.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7"}

Multi AV Scanner detection for domain / URL

Source: deadmunky.nl	Virustotal: Detection: 12%			Perma Link
Source: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\khle.exe (copy)	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\khle.exe (copy)	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\Public\Documents\khle.mp3	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\khle.mp3	Virustotal: Detection: 78%	Perma Link

Multi AV Scanner detection for submitted file

Source: GsrDwm0DJG.ps1

Virustotal: Detection: 7%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source:	Binary string: kernel32.pdbUGP source: khle.exe, 00000009.00000003.2217151604.0000020C80910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2216654795.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2224906190.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2225340660.0000016655F90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: khle.exe, 00000009.00000003.2214312830.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2215191261.0000020C80A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2222738514.00000166560C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2221852667.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: khle.exe, 00000009.00000003.2217151604.0000020C80910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2216654795.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2224906190.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2225340660.0000016655F90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: khle.exe, 00000009.00000003.2214312830.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2215191261.0000020C80A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2222738514.00000166560C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2221852667.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\Public\Documents\khle.exe

Code function: 4x nop then ret

9_3_0000020C800110BC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7

Source: global traffic

TCP traffic: 192.168.2.5:49725 -> 194.113.106.180:3715

Source: Joe Sandbox View

ASN Name: RACKTECHRU RACKTECHRU

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\OpenWith.exe

Code function: 10_2_0000016655EDB80C WSARecv,

10_2_0000016655EDB80C

Source: global traffic

DNS traffic detected: DNS query: deadmunky.nl

Source: powershell.exe, 00000000.00000002.2179521473.0000022280CF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2179521473.0000022280001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2179521473.0000022280001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 0000000A.00000002.3397772991.0000002FE82AB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7
Source: powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2179521473.0000022280CF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_d3415766-6

Source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_7467e7c8-f

Source: Yara match	File source: 10.3.OpenWith.exe.166561b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.OpenWith.exe.166561b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.OpenWith.exe.16655ed0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.khle.exe.20c80b30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.khle.exe.20c80b30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.khle.exe.20c80850000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.khle.exe.20c80850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: khle.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OpenWith.exe PID: 7932, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.exe (copy)			Jump to dropped file

Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C800156A8 NtQuerySystemInformation,NtQuerySystemInformation,GetTokenInformation,CloseHandle,CloseHandle,		9_3_0000020C800156A8
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C800151B4 NtQueryInformationProcess,		9_3_0000020C800151B4

Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD818D7	9_3_00007FF79CD818D7
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80014A54	9_3_0000020C80014A54
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80013CEC	9_3_0000020C80013CEC
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80011500	9_3_0000020C80011500
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80012F00	9_3_0000020C80012F00
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C8001870C	9_3_0000020C8001870C
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C8001710C	9_3_0000020C8001710C
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80015BC0	9_3_0000020C80015BC0
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80019FFC	9_3_0000020C80019FFC
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80018A58	9_3_0000020C80018A58
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80023E95	9_3_0000020C80023E95
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_3_0000016653BC0967	10_3_0000016653BC0967
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF2E90	10_2_0000016655EF2E90
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EE1A98	10_2_0000016655EE1A98
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655ED3618	10_2_0000016655ED3618
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEF9CC	10_2_0000016655EEF9CC
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF1DE0	10_2_0000016655EF1DE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655ED8194	10_2_0000016655ED8194
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EE556C	10_2_0000016655EE556C
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF4CD8	10_2_0000016655EF4CD8
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEBCA8	10_2_0000016655EEBCA8
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EE9C54	10_2_0000016655EE9C54
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEC040	10_2_0000016655EEC040
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655ED943C	10_2_0000016655ED943C
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF1FF8	10_2_0000016655EF1FF8
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEE788	10_2_0000016655EEE788
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655ED9788	10_2_0000016655ED9788
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEC34C	10_2_0000016655EEC34C
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EEBB28	10_2_0000016655EEBB28
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF2720	10_2_0000016655EF2720
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EF22F4	10_2_0000016655EF22F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_2_0000016655EE5AE0	10_2_0000016655EE5AE0

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Documents\khle.exe (copy) 34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Documents\khle.mp3 34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463

Source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.evad.winPS1@8/7@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\khle.mp3

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dsnsq2pv.bku.ps1

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: GsrDwm0DJG.ps1

Virustotal: Detection: 7%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wudfplatform.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: kernel32.pdbUGP source: khle.exe, 00000009.00000003.2217151604.0000020C80910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2216654795.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2224906190.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2225340660.0000016655F90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: khle.exe, 00000009.00000003.2214312830.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2215191261.0000020C80A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2222738514.00000166560C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2221852667.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: khle.exe, 00000009.00000003.2217151604.0000020C80910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2216654795.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2224906190.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2225340660.0000016655F90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: khle.exe, 00000009.00000003.2214312830.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2215191261.0000020C80A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2222738514.00000166560C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2221852667.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: khle.exe, 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp

Source: khle.mp3.0.dr	Static PE information: section name: .textbss
Source: khle.mp3.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848A65CC3 push eax; iretd	0_2_00007FF848A65CD1
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD8220B push eax; iretd	9_3_00007FF79CD82224
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD86C12 push edx; retf	9_3_00007FF79CD86C26
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD859E3 push esi; retf	9_3_00007FF79CD859E6
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD835EC push esi; ret	9_3_00007FF79CD835ED
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD817D5 push cs; ret	9_3_00007FF79CD818C4
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD840F7 push eax; ret	9_3_00007FF79CD840FB
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD8430B push eax; retf	9_3_00007FF79CD8430C
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD85ED9 push esi; ret	9_3_00007FF79CD85EDD
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD862E3 push ebx; ret	9_3_00007FF79CD862E6
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD848BE push eax; retf	9_3_00007FF79CD848BF
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD84EB2 pushad ; retf	9_3_00007FF79CD84EB3
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD81865 push cs; ret	9_3_00007FF79CD818C4
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD85643 push eax; retf	9_3_00007FF79CD85645
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_00007FF79CD84427 pushad ; ret	9_3_00007FF79CD84428
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C8001C219 pushad ; retf	9_3_0000020C8001C221
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80023E95 push ebp; retf	9_3_0000020C80023E94
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C800274C6 push esi; ret	9_3_0000020C800274CA
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C8002BACB pushad ; iretd	9_3_0000020C80352EB3
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C800256D9 push ecx; ret	9_3_0000020C80025700
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80024B35 push ss; iretd	9_3_0000020C8031919F
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80028560 push ds; retf	9_3_0000020C80028577
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80025C06 push esi; ret	9_3_0000020C80025C07
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C8002B627 push ebp; iretd	9_3_0000020C8002B628
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_3_0000020C80023E70 push ebp; retf	9_3_0000020C80023E94
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_2_00007FF79CD293E6 push 3C95CC23h; iretd	9_2_00007FF79CD293EB
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_2_00007FF79CD2A778 pushfq ; iretd	9_2_00007FF79CD2A779
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_2_00007FF79CD24918 push rsi; retf	9_2_00007FF79CD24923
Source: C:\Users\Public\Documents\khle.exe	Code function: 9_2_00007FF79CD296B5 push FFFFFF81h; retf	9_2_00007FF79CD296B7
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_3_0000016653BC0865 push cs; ret	10_3_0000016653BC0954
Source: C:\Windows\System32\OpenWith.exe	Code function: 10_3_0000016653BC5CA2 push edx; retf	10_3_0000016653BC5CB6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.exe (copy)			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\khle.mp3

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTO
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ON.EXEREGMON.EXEWINDANR.EXEWINDBG.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3223			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2070			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Documents\khle.exe

Code function: 9_3_0000020C80014FD4 GetSystemInfo,

9_3_0000020C80014FD4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: OpenWith.exe, 0000000A.00000002.3397925763.0000016653DD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000A.00000002.3397925763.0000016653D98000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000A.00000002.3397925763.0000016653DD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\Documents\khle.exe

Code function: 9_2_00007FF79CD7615C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00007FF79CD7615C

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: OpenWith.exe, 0000000A.00000002.3398107509.0000016655786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000009.00000003.2213215790.0000020C80000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2221017960.0000016653D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000009.00000003.2213215790.0000020C80000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2221017960.0000016653D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\OpenWith.exe

Code function: 10_2_0000016655EDB374 socket,bind,

10_2_0000016655EDB374

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	15 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GsrDwm0DJG.ps1	3%	ReversingLabs
GsrDwm0DJG.ps1	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\khle.mp3	100%	Avira	TR/AVI.Rhadamanthys.xgajh
C:\Users\Public\Documents\khle.exe (copy)	61%	ReversingLabs	Win64.Spyware.Rhadamanthys
C:\Users\Public\Documents\khle.exe (copy)	78%	Virustotal		Browse
C:\Users\Public\Documents\khle.mp3	61%	ReversingLabs	Win64.Spyware.Rhadamanthys
C:\Users\Public\Documents\khle.mp3	78%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
deadmunky.nl	12%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	7%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://oneget.orgX	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
https://oneget.org	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
deadmunky.nl	194.113.106.180	true	true	12%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2179521473.0000022280CF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2179521473.0000022280CF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2210475905.0000022290081000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2179521473.0000022280001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2179521473.0000022280001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2179521473.0000022280228000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000000.00000002.2179521473.0000022280C28000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.113.106.180	deadmunky.nl	Russian Federation		208861	RACKTECHRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1511451
Start date and time:	2024-09-15 15:01:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GsrDwm0DJG.ps1 renamed because original name is a hash value
Original Sample Name:	9dda3ea193bf9e411bee70975424487b2a6728636e9837dfac6530b44edf48af.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@8/7@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 60% Number of executed functions: 39 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.75, 20.190.159.71, 20.190.159.0, 20.190.159.4, 20.190.159.68, 40.126.31.73, 40.126.31.67, 20.190.159.73
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ocsp.edge.digicert.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target khle.exe, PID 7904 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7296 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:11	API Interceptor	5x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://nnwdryn4me2.typeform.com/to/vzxAdnuI?utm_source=www.thedeepview.co&utm_medium=newsletter&utm_campaign=u-s-hospital-teams-up-with-suki-for-an-ai-assistant&_bhlid=899a446fb8590c3f4dab42c864907d7822828cad	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	Clipboard Hijacker, Raccoon Stealer v2	Browse	192.229.221.95
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://antai-gouv-fr.troliga.sk/3dsec.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://urlz.fr/s6ZW	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://saltlakeinsider.com/wp-content/themes/travel/ghgh/red.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://antai-gouv-fr.troliga.sk/paiement.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://metamisklogus.gitbook.io/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://qrco.de/bfOaLJ	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://lkjkqklqsd.vercel.app/	Get hash	malicious	Unknown	Browse	192.229.221.95
deadmunky.nl	rsDymE.vbs	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	ji2OQQH0ei.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	Wg2icM1Vjd.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	mz4hWuLng5.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	3fFuN58APW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	C6hvgnDXwW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	drZ7xATGIg.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKTECHRU	b2J6hgvd51.elf	Get hash	malicious	Unknown	Browse	45.128.232.191
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	BrKoH01YHR.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	JV1eMPUdHV.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	O1OSOtRYWN.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	EuK5PNhZyK.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	i1Z6us4dFg.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	cLtcKcdR8Q.elf	Get hash	malicious	Mirai	Browse	45.128.232.235

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\Public\Documents\khle.exe (copy)	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse
C:\Users\Public\Documents\khle.mp3	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\Public\Documents\khle.exe (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	5.530525551421984
Encrypted:	false
SSDEEP:	12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd
MD5:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
SHA1:	84718EFB03C2AE32AA2C5800BF135F97275F9A74
SHA-256:	34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
SHA-512:	58AF6D13D8C43970CC9E964F8418ECB054E177D40F966D2D9E318F540370D219028C4694DAF09BA8B101206D54B482F66CE3A2B29EC4716119A21644A899F3D7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 78%, Browse
Joe Sandbox View:	Filename: zaD1vaze6V.ps1, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........MV.y#..y#..y#...'..y#... ..y#...&..y#...&..y#...'..y#... ..y#..."..y#..y".ey#.o.'..y#..y#..y#.o....y#.o.!..y#.Rich.y#.........PE..d...^{_d.........."..................^.........@............................. ............`................................................. ...................D...............8.......................................8............................................text...P........................... ..`.textbss.................................rdata..,...........................@..@.data...............................@....pdata..D...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................

C:\Users\Public\Documents\khle.mp3

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	5.530525551421984
Encrypted:	false
SSDEEP:	12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd
MD5:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
SHA1:	84718EFB03C2AE32AA2C5800BF135F97275F9A74
SHA-256:	34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
SHA-512:	58AF6D13D8C43970CC9E964F8418ECB054E177D40F966D2D9E318F540370D219028C4694DAF09BA8B101206D54B482F66CE3A2B29EC4716119A21644A899F3D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 78%, Browse
Joe Sandbox View:	Filename: zaD1vaze6V.ps1, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........MV.y#..y#..y#...'..y#... ..y#...&..y#...&..y#...'..y#... ..y#..."..y#..y".ey#.o.'..y#..y#..y#.o....y#.o.!..y#.Rich.y#.........PE..d...^{_d.........."..................^.........@............................. ............`................................................. ...................D...............8.......................................8............................................text...P........................... ..`.textbss.................................rdata..,...........................@..@.data...............................@....pdata..D...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3tal/Z:NllUE
MD5:	C155E815DDAFEDCAA0305D9D1FD4C6AF
SHA1:	91D373895CC08546557E675D51815ACBE23CDC40
SHA-256:	B09EA222DC02D5D1608A195DF72BC0C2A6349AC11507E8B06CF61D4B9122C3A8
SHA-512:	CF84739C4C15C2EB66042195490DAF0E898424064E032F89F9ECE50351128342EED60E12AC2B5479E6928073A11740AF649A66155356676D0992621FAAB86B55
Malicious:	false
Reputation:	low
Preview:	@...e.................................f.+............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dsnsq2pv.bku.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llv1kkhq.xsk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.6897709923104456
Encrypted:	false
SSDEEP:	96:PlrfZC7ovkvhkvCCto0kRYEbH30kRYEwHN:NrfuMo0kRJ0kRm
MD5:	01D090A4CE45B2B15E91514570572E3B
SHA1:	302C9E33A645C09AC027B6DA86F1930CE9A41628
SHA-256:	DED359BB736B7557F59771F72020F8E7DAAC844D3A9345425C864780B2B93528
SHA-512:	A057C3692CC3978CF6F89F6BB5BFC7C00B88A6FC4DB3856243A860349B4C405F0FAADD46345D283C767E22D47469C2745839ED0672965594A61D828E97DE7303
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......4.wo...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....n.Zso......wo.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Y<h....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Y@h..Roaming.@......DWSl/Y@h....C.......................8.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Y<h....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl/Y<h....E......................dX.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Y<h....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Y<h....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/YDh....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMTBJQZLG74HWJYWL8MR.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.6897709923104456
Encrypted:	false
SSDEEP:	96:PlrfZC7ovkvhkvCCto0kRYEbH30kRYEwHN:NrfuMo0kRJ0kRm
MD5:	01D090A4CE45B2B15E91514570572E3B
SHA1:	302C9E33A645C09AC027B6DA86F1930CE9A41628
SHA-256:	DED359BB736B7557F59771F72020F8E7DAAC844D3A9345425C864780B2B93528
SHA-512:	A057C3692CC3978CF6F89F6BB5BFC7C00B88A6FC4DB3856243A860349B4C405F0FAADD46345D283C767E22D47469C2745839ED0672965594A61D828E97DE7303
Malicious:	false
Preview:	...................................FL..................F.".. ...d.......4.wo...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....n.Zso......wo.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Y<h....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Y@h..Roaming.@......DWSl/Y@h....C.......................8.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Y<h....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl/Y<h....E......................dX.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Y<h....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Y<h....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/YDh....q...........

Static File Info

General

File type:	ASCII text, with very long lines (65534), with CRLF line terminators
Entropy (8bit):	3.219589370944477
TrID:
File name:	GsrDwm0DJG.ps1
File size:	897'543 bytes
MD5:	bb8b708e6cf1915492af5dcb677a2cdd
SHA1:	9547df0fd4e67dd321da10359f5eb2161790df42
SHA256:	9dda3ea193bf9e411bee70975424487b2a6728636e9837dfac6530b44edf48af
SHA512:	5efdc65e053e7da47acc2af1f0bf1ac68be344397bedb392d5bc171520958b3e1c46f4b0269b67353a5b70da943d7cefd0e8f29a66cce7437b2c4650bdde2818
SSDEEP:	12288:Kem6ChShBS+75NRaX6RhwCmV1Fk2bH3rHOad8jnlz:KIhBJHRaPF1FNr2jd
TLSH:	F715671206BF0051F99238F45D4CB7D2BCBEB8C799F28CB14A6E5B7619259E7A4F1038
File Content Preview:	..$encodedData = '4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000000100000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:20.507742882 CEST	49725	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:20.512584925 CEST	3715	49725	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:20.512685061 CEST	49725	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:20.513031960 CEST	49725	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:20.520469904 CEST	3715	49725	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:25.501147032 CEST	49725	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:25.549175978 CEST	3715	49725	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:30.497490883 CEST	49727	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:30.503638029 CEST	3715	49727	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:30.503726006 CEST	49727	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:30.503931999 CEST	49727	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:30.509217024 CEST	3715	49727	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:35.516598940 CEST	49727	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:35.565155029 CEST	3715	49727	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:40.528856039 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:40.537264109 CEST	3715	49730	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:40.537374020 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:40.537457943 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:40.542304039 CEST	3715	49730	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:41.883660078 CEST	3715	49725	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:41.883758068 CEST	49725	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:45.550553083 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:45.856443882 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:46.465828896 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:46.528969049 CEST	3715	49730	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:46.530338049 CEST	3715	49730	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:50.559966087 CEST	49731	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:50.564816952 CEST	3715	49731	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:50.564909935 CEST	49731	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:50.565005064 CEST	49731	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:50.570031881 CEST	3715	49731	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:51.871069908 CEST	3715	49727	194.113.106.180	192.168.2.5
Sep 15, 2024 15:02:51.871130943 CEST	49727	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:55.701136112 CEST	49731	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:02:55.749113083 CEST	3715	49731	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:00.591247082 CEST	49733	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:00.596112967 CEST	3715	49733	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:00.596188068 CEST	49733	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:00.596343040 CEST	49733	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:00.601190090 CEST	3715	49733	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:01.899379015 CEST	3715	49730	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:01.899450064 CEST	49730	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:05.610332966 CEST	49733	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:05.657155037 CEST	3715	49733	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:10.622575045 CEST	49736	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:10.627527952 CEST	3715	49736	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:10.627667904 CEST	49736	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:10.627759933 CEST	49736	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:10.632484913 CEST	3715	49736	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:11.945956945 CEST	3715	49731	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:11.946058989 CEST	49731	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:15.641930103 CEST	49736	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:15.693388939 CEST	3715	49736	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:20.654093027 CEST	49738	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:20.658931017 CEST	3715	49738	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:20.659003019 CEST	49738	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:20.659096003 CEST	49738	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:20.663861036 CEST	3715	49738	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:22.151743889 CEST	3715	49733	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:22.151850939 CEST	49733	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:25.658314943 CEST	49738	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:25.705322027 CEST	3715	49738	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:30.669593096 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:30.674637079 CEST	3715	49740	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:30.674750090 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:30.674858093 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:30.679857016 CEST	3715	49740	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:31.993488073 CEST	3715	49736	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:31.993774891 CEST	49736	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:35.673023939 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:35.981698036 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:36.052244902 CEST	3715	49740	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:40.669791937 CEST	49741	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:40.675163984 CEST	3715	49741	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:40.675405025 CEST	49741	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:40.675924063 CEST	49741	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:40.680927992 CEST	3715	49741	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:42.024507999 CEST	3715	49738	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:42.024709940 CEST	49738	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:45.689238071 CEST	49741	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:45.737351894 CEST	3715	49741	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:50.685256958 CEST	49742	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:50.690099955 CEST	3715	49742	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:50.690372944 CEST	49742	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:50.690606117 CEST	49742	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:50.696546078 CEST	3715	49742	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:52.057791948 CEST	3715	49740	194.113.106.180	192.168.2.5
Sep 15, 2024 15:03:52.057861090 CEST	49740	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:55.704138994 CEST	49742	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:03:55.753577948 CEST	3715	49742	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:00.716541052 CEST	49744	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:00.721568108 CEST	3715	49744	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:00.721657991 CEST	49744	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:00.721750975 CEST	49744	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:00.726475000 CEST	3715	49744	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:02.058043957 CEST	3715	49741	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:02.058092117 CEST	49741	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:05.719921112 CEST	49744	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:05.765671015 CEST	3715	49744	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:10.716547012 CEST	49745	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:10.721512079 CEST	3715	49745	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:10.721671104 CEST	49745	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:10.721750021 CEST	49745	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:10.726550102 CEST	3715	49745	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:12.071703911 CEST	3715	49742	194.113.106.180	192.168.2.5
Sep 15, 2024 15:04:12.071831942 CEST	49742	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:15.716557026 CEST	49745	3715	192.168.2.5	194.113.106.180
Sep 15, 2024 15:04:15.761538029 CEST	3715	49745	194.113.106.180	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:20.490523100 CEST	65110	53	192.168.2.5	1.1.1.1
Sep 15, 2024 15:02:20.504023075 CEST	53	65110	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:20.490523100 CEST	192.168.2.5	1.1.1.1	0xa4ea	Standard query (0)	deadmunky.nl	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:03.005342007 CEST	1.1.1.1	192.168.2.5	0x6982	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 15, 2024 15:02:03.005342007 CEST	1.1.1.1	192.168.2.5	0x6982	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 15, 2024 15:02:20.504023075 CEST	1.1.1.1	192.168.2.5	0xa4ea	No error (0)	deadmunky.nl		194.113.106.180	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:02:07
Start date:	15/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\GsrDwm0DJG.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:02:07
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:02:11
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:02:11
Start date:	15/09/2024
Path:	C:\Users\Public\Documents\khle.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Documents\khle.exe
Imagebase:	0x7ff79cd20000
File size:	448'512 bytes
MD5 hash:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.2213215790.0000020C80000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.2219039554.0000020C80B30000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000003.2217949508.0000020C80850000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:02:16
Start date:	15/09/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x7ff637050000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.2221017960.0000016653D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.2229840318.00000166561B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.2228942878.0000016655ED0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF848B31AD6 Relevance: 1.1, Instructions: 1120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447e088ec4eefd596a3adba376de17ab6ed444eb3460917c86c852975b3e84ee
Instruction ID: b6dd90ea8104b93e5f203ce7879835b6ab28e4d9cc80f9eedfd130641f3f2c60
Opcode Fuzzy Hash: 447e088ec4eefd596a3adba376de17ab6ed444eb3460917c86c852975b3e84ee
Instruction Fuzzy Hash: 0482EE31E0DA898FEB99EA28885467877E1FF55345F5801BED00DCB282DF29EC46C745

Function 00007FF848B32569 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae70dbdd34cae818f8c3745576aa9c4327c2799cd047fe315d43c4802ce4478
Instruction ID: f98f68f76767a0b53f4de2ddbefa9362a991562ead4b7660599cba5dc6e9cd89
Opcode Fuzzy Hash: bae70dbdd34cae818f8c3745576aa9c4327c2799cd047fe315d43c4802ce4478
Instruction Fuzzy Hash: 1FC12531E0DA4A9FE795EA2CA4556B57BE2FF98362F0401BBC40CC3692DF24AC468745

Function 00007FF848B305D0 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e028cb8ae880950556a938ffcf561541c8ef7346218f7afb527ab0cf14371f
Instruction ID: 613384da30d5d5d16b8e89579ce530b3fc41bda177f1d95d0c52f385eebb2bf3
Opcode Fuzzy Hash: 98e028cb8ae880950556a938ffcf561541c8ef7346218f7afb527ab0cf14371f
Instruction Fuzzy Hash: 96813532E1DE894FE795FA2868596F57BE1EF99250F0800BBD04DC7587EE18AC06C385

Function 00007FF848B303B6 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e08788b2046c1110cc67e16ff4cf5a8439e9a561b0aececbe22fb122391b4a
Instruction ID: 409cda996fef93c62392e90cc611395d191098eadc4ca81c58fe96dc60636df3
Opcode Fuzzy Hash: b5e08788b2046c1110cc67e16ff4cf5a8439e9a561b0aececbe22fb122391b4a
Instruction Fuzzy Hash: B241BF6284E7C20FD34397B898696A13FF09F5B220B0E40EBC4C8CF4A7D60D591AD722

Function 00007FF848B3019C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c087514797190f68bf8f70c58db81c963b39c50bf6ce4e150583d97653f862
Instruction ID: 40d5a59a7db92e77da6785c3fc8abb717e16a633f3d607cbd6d5195a9dda35c6
Opcode Fuzzy Hash: d2c087514797190f68bf8f70c58db81c963b39c50bf6ce4e150583d97653f862
Instruction Fuzzy Hash: BB31C16284E7C24FD34397B898696A03FF0DF57220B0D00EBC488CF5A3D60C691AD762

Function 00007FF848B301D0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6798cb3c87bd00bc792a982cfd68987592c066133955fa5cc5b9b138158d5f
Instruction ID: b4ea7d1925c01e06430c011143b936076e68dc485a2c86bc523c61a3a4f8ff00
Opcode Fuzzy Hash: ce6798cb3c87bd00bc792a982cfd68987592c066133955fa5cc5b9b138158d5f
Instruction Fuzzy Hash: 8731D462C0D7C64FD343EBB898696A07FF0EF5B250B0D04EBC489CB5A3D6086916D716

Function 00007FF848B32DE8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2232713072.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848b30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4cd8cf3da6fee0915267e3504f26a55fd61e23140ce3637ddc0baf1acd1e2e
Instruction ID: baa4803fdceb14feb2d0f64d0ff75c002ab79275eac585984114b9400e60b92c
Opcode Fuzzy Hash: 3f4cd8cf3da6fee0915267e3504f26a55fd61e23140ce3637ddc0baf1acd1e2e
Instruction Fuzzy Hash: 7701F932E0D9165FE2A8F61C74471B962D1FF44361F9805F6D12DC3A87CF156C028389

Function 00007FF848A65BF5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2231859569.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848a60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344ae550aa189cfee030fe5dad0be6a80d281401a7062d5ced25e02183c3b3df
Instruction ID: b993c3fc9fef864ab82b0db4840de8f0cffafccd29ff5a181c3da7e4d1a28f62
Opcode Fuzzy Hash: 344ae550aa189cfee030fe5dad0be6a80d281401a7062d5ced25e02183c3b3df
Instruction Fuzzy Hash: A901447115CB084FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3655D626E881CB46

Analysis Process: khle.exePID: 7904, Parent PID: 7884COMMON

Executed Functions

Function 0000020C800156A8 Relevance: 7.8, APIs: 5, Instructions: 253nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000020C8001571C
NtQuerySystemInformation.NTDLL ref: 0000020C80015743

Part of subcall function 0000020C800151B4: NtQueryInformationProcess.NTDLL ref: 0000020C80015223

GetTokenInformation.KERNELBASE ref: 0000020C80015853
CloseHandle.KERNELBASE ref: 0000020C80015867
CloseHandle.KERNELBASE ref: 0000020C80015878

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: Information$Query$CloseHandleSystem$ProcessToken
String ID:
API String ID: 2024103940-0
Opcode ID: b9a3c4ba72519c8822dfc57c731493710fdc37b3db7567c16f04e989f1c331f2
Instruction ID: 8cff84183d2012fceddefb8a66252d275aac6937c8e844b53d796f9d3aed40bb
Opcode Fuzzy Hash: b9a3c4ba72519c8822dfc57c731493710fdc37b3db7567c16f04e989f1c331f2
Instruction Fuzzy Hash: D671B970218B05CBEBD6EB24985976A73D5FB94321F708729E487C7193EF34D9018786

Function 0000020C80014FD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 0000020C80015010

Strings

@, xrefs: 0000020C8001505F

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID: @
API String ID: 31276548-2766056989
Opcode ID: 7df665d085f366cb99ab2ed896b311d25e2371bb223fb157703b8fcce2dda1a5
Instruction ID: 8c1cc1f4934353f0674ba8d183ec8aed80e7916768e1bf4bee62979e8a448ee5
Opcode Fuzzy Hash: 7df665d085f366cb99ab2ed896b311d25e2371bb223fb157703b8fcce2dda1a5
Instruction Fuzzy Hash: 8521567061CB088FEB96EB58D884B5A73E1FB98361F204729B087C3156DB78E94487C6

Function 0000020C80014A54 Relevance: 1.6, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0000020C80014B46

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e53356f1062cacf861271dc336240a7330d37cd7133727a4fd0f385aae3edfcc
Instruction ID: 78540753dbccea6797c2ca2d59d6692395cc1e3a2350492a591d53420f1f2eda
Opcode Fuzzy Hash: e53356f1062cacf861271dc336240a7330d37cd7133727a4fd0f385aae3edfcc
Instruction Fuzzy Hash: BA917D72608A488BE7AD9B18C8893B977D1F785315F34832EE48BC6193DB34D507C785

Function 0000020C800151B4 Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0000020C80015223

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 5cd943b8ec8f82312c43e3a2f06d1ea5450dc20cd0d98dd920086ada27a54906
Instruction ID: 2eb1c0855e7b16ad813ade8e4e22849946df8b9aca7ef8b983d9ede4adde1d53
Opcode Fuzzy Hash: 5cd943b8ec8f82312c43e3a2f06d1ea5450dc20cd0d98dd920086ada27a54906
Instruction Fuzzy Hash: BC01B171328B098FEB8AEB689858BA673E1F795311F204729E09BC2193EB78C5018745

Function 0000020C80016F40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 188registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 0000020C80016FC9
RegCreateKeyExW.KERNELBASE ref: 0000020C80017001
RegSetValueExW.KERNELBASE ref: 0000020C800170C4
RegCloseKey.KERNELBASE ref: 0000020C800170DE

Strings

@, xrefs: 0000020C80017051
@, xrefs: 0000020C800170B7

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValue
String ID: @$@
API String ID: 776291540-149943524
Opcode ID: d0f705a3185ad35ba5479375eab81183ddc54abaa6c67952c2e0273967de8d7a
Instruction ID: 5f67b2315e496ab0a3b1527e7718bab2e154f049c268af38ca2914369db603ae
Opcode Fuzzy Hash: d0f705a3185ad35ba5479375eab81183ddc54abaa6c67952c2e0273967de8d7a
Instruction Fuzzy Hash: 16519071608B0C4FE755EF6898897AAB3E1F794311F204B2EE48BC3262DF7498458746

Function 00007FF79CD814D4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF79CD8153B

Part of subcall function 00007FF79CD810F0: VirtualAlloc.KERNELBASE ref: 00007FF79CD81143
Part of subcall function 00007FF79CD810F0: VirtualFree.KERNELBASE ref: 00007FF79CD813AB

VirtualAlloc.KERNELBASE ref: 00007FF79CD81599
VirtualProtect.KERNELBASE ref: 00007FF79CD81603
VirtualFree.KERNELBASE ref: 00007FF79CD81645

Strings

,, xrefs: 00007FF79CD8157A

Memory Dump Source

Source File: 00000009.00000003.2213313332.00007FF79CD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF79CD81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_7ff79cd81000_khle.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction ID: 22f60d1aa4a307364d828ceab160d82705bf33250d883d653cc44cac86eeda11
Opcode Fuzzy Hash: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction Fuzzy Hash: E051C53060CB094BDB54EF2CD886679B7E1FB88310F50563EE88EC3245DA74E8468BD1

Function 0000020C800180A8 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000020C80018191
CloseHandle.KERNELBASE ref: 0000020C8001824A
free.MSVCRT ref: 0000020C80018266

Strings

,, xrefs: 0000020C80018109

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: free$CloseHandle
String ID: ,
API String ID: 4080011421-3772416878
Opcode ID: 5797dcfcb43276d353d1c4b34606bb2198c28a6318ae347a702950fb364732a2
Instruction ID: 737c1fbbb0f9434926c76fd6fe8ab7919d13d7c6aea85ee9e471b2f9dc763120
Opcode Fuzzy Hash: 5797dcfcb43276d353d1c4b34606bb2198c28a6318ae347a702950fb364732a2
Instruction Fuzzy Hash: 8551C97060CB448FD795EB68D8897AA77E1FB94320F24871DE48AC3293DB74D942C785

Function 0000020C800139F8 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0000020C80013B0E

Strings

@, xrefs: 0000020C80013AD4
0, xrefs: 0000020C80013AB4

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: calloc
String ID: 0$@
API String ID: 2635317215-1545510068
Opcode ID: 594431a24205e52c40ea0963e4db5182c8664f3d2c16e5dd9bfc22cb73e7d0d0
Instruction ID: 2a385d929597cf0e914dc892d2c42981d80a71910031be452048e1341da4d3bb
Opcode Fuzzy Hash: 594431a24205e52c40ea0963e4db5182c8664f3d2c16e5dd9bfc22cb73e7d0d0
Instruction Fuzzy Hash: 8F51F67061CB084FEB95EB28D49D7AA77D1FB98351F20872DD48AC3292EF74C8458782

Function 0000020C80016858 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

NJI@, xrefs: 0000020C8001688F

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID: NJI@
API String ID: 0-1894075864
Opcode ID: b44a22c076ccd1acb9e2f8e5ba2d76a45960d7bbffd51b82d392d0dff46be180
Instruction ID: 977768276129bb90ab2fea6ecdb2fe00ca3b04b4eeb38d6192fc18fa5b19483f
Opcode Fuzzy Hash: b44a22c076ccd1acb9e2f8e5ba2d76a45960d7bbffd51b82d392d0dff46be180
Instruction Fuzzy Hash: 49E1417051C7D48BD7769B2598953EBBBE0FB89702F108A2EE4CBC2252DB349501DB83

Function 0000020C80017358 Relevance: 3.4, APIs: 2, Instructions: 392fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 0000020C800175FB
MapViewOfFile.KERNELBASE ref: 0000020C80017620

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: 5fec29907ddb1701cf10de724f589e78f00012b775457189f3dd736ffc916fed
Instruction ID: 8e703bb71b3f377323bb9e92b14da9eb436544d644563cd36b33b5a9aedda701
Opcode Fuzzy Hash: 5fec29907ddb1701cf10de724f589e78f00012b775457189f3dd736ffc916fed
Instruction Fuzzy Hash: 61C19470618B084FDB9AEF6898897EA73D1EB94311F20872DE44BC3297EF34D5468785

Function 0000020C800182F4 Relevance: 3.1, APIs: 2, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000020C8001B6B8: RtlAddFunctionTable.KERNEL32 ref: 0000020C8001B6E5

Part of subcall function 0000020C8001B6FC: VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000020C80018387), ref: 0000020C8001B794

SetErrorMode.KERNELBASE ref: 0000020C800183EC
VirtualProtect.KERNELBASE ref: 0000020C8001840A

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorFreeFunctionModeProtectTable
String ID:
API String ID: 3431440644-0
Opcode ID: b9fa2546218daecafac8371862f5133473872b13f594cfe74a88cb58fc4cacee
Instruction ID: ef6ada675f89dcba031c126740821522f2fbf8917905be1a4d2bd7edd9bc4257
Opcode Fuzzy Hash: b9fa2546218daecafac8371862f5133473872b13f594cfe74a88cb58fc4cacee
Instruction Fuzzy Hash: 09317270218B484FEB8AFB68D889BAA73D5EB94311F704719B44BC7193DF24DA418749

Function 0000020C80014148 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE ref: 0000020C8001417F
GetTokenInformation.KERNELBASE ref: 0000020C800141C0

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: f2a1e79b7b26677e822afdf5a4e6683d0756c7f32a7c3fa8149006c40cea31b1
Instruction ID: a087e39c42794a0c245018a93c1bb5b1cd167ff7fb8a7b22461c63e22db76081
Opcode Fuzzy Hash: f2a1e79b7b26677e822afdf5a4e6683d0756c7f32a7c3fa8149006c40cea31b1
Instruction Fuzzy Hash: 8511B4342086499FDB85EF64D8D8A6A77E2FB98305F204A29E847C7261DB78E944CB41

Function 00007FF79CD810F0 Relevance: 2.7, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF79CD81143
VirtualFree.KERNELBASE ref: 00007FF79CD813AB

Memory Dump Source

Source File: 00000009.00000003.2213313332.00007FF79CD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF79CD81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_7ff79cd81000_khle.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: e87f29f08954a852e30c78c8f70d20385d07e75640c53fd901a686c0cd8d9864
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 3D91B07061C7828FD7A0DB28C581B2ABBF0FF8A308F54193EF589C7291D635E8449B16

Function 0000020C80017B14 Relevance: 1.6, APIs: 1, Instructions: 111processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000020C80017C24

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c382783190e2699510103071945f14469c23df6a9e14ed2142866911cb1ccdc2
Instruction ID: 8f38fcd9b526c0a6f25053100a2d11f0ef10b767ceac62116bb509c999dedad8
Opcode Fuzzy Hash: c382783190e2699510103071945f14469c23df6a9e14ed2142866911cb1ccdc2
Instruction Fuzzy Hash: D131B3B1608B4C8FF7A6EF28D44879BB7E1FB94315F604A2DA18AC3152DB348544CB86

Function 0000020C8001B808 Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000020C8001B85F

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fd13a936f88e8be3d3c1b5e1ebd4b6078f4080b08cf0cb1db8c120c48f9afd6e
Instruction ID: abe6092001185098652f8424a48657f7cdc58dd888076b78c1f3717195af57ed
Opcode Fuzzy Hash: fd13a936f88e8be3d3c1b5e1ebd4b6078f4080b08cf0cb1db8c120c48f9afd6e
Instruction Fuzzy Hash: BB01A460224B484BE795E72884897BA73D9FB54315F708729E48BC3193EF24C6448747

Function 0000020C8001B6B8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 0000020C8001B6E5

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: bc689134c4cfe8144a64a4e0970b0539573de333fb4e1730050f8c92ab09a126
Instruction ID: 9c7b3e000e8e8cd7b41bcbb5f8156e1f967effbe99272255ce8140de1b6f5426
Opcode Fuzzy Hash: bc689134c4cfe8144a64a4e0970b0539573de333fb4e1730050f8c92ab09a126
Instruction Fuzzy Hash: C9E012741109055BEBA8D71DC81D3A036D0E76831AF74836DA401C6292CB7DC497CE42

Function 0000020C8001B6FC Relevance: 1.4, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000020C80018387), ref: 0000020C8001B794

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1c01f51b02100d5787d3c740cd9cf9adac7cf30a888cb21a2aefd7a5d9ca2737
Instruction ID: f8fc97274ffe29934821be141a78bc4c626c19fe8df8e5b8784327c9e7dfe54c
Opcode Fuzzy Hash: 1c01f51b02100d5787d3c740cd9cf9adac7cf30a888cb21a2aefd7a5d9ca2737
Instruction Fuzzy Hash: 87318370214A094FFB89EF29D499B7673E5FB98351F218269E81AC72A7DB34D841CB40

Function 0000020C80013BC8 Relevance: 1.3, APIs: 1, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 0000020C80013BF0

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 227dcba3b2cb73bb29811a929ed74bd779d041a6fbe6ede9585de0365d398b59
Instruction ID: 471ebe16174f34f6fec284ba17dd8f9973fee488354e9245a3b6f71fbc604433
Opcode Fuzzy Hash: 227dcba3b2cb73bb29811a929ed74bd779d041a6fbe6ede9585de0365d398b59
Instruction Fuzzy Hash: 52213270714A098FFBEBA778A95E3A636D1FB94221F74C3659047C71ABEF24C9048744

Non-executed Functions

Function 0000020C80015BC0 Relevance: 3.7, Strings: 2, Instructions: 1155COMMON

Download Yara Rule

Strings

,, xrefs: 0000020C80015EEC
,, xrefs: 0000020C80016448

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: ,$,
API String ID: 1778838933-220654547
Opcode ID: a0299abcad1f0eeb53ce8430316abf2ed11eb634f56fbeef89e460d6d348ee9f
Instruction ID: 7ae9a4440ff3c391f06810fda382e7fa1bfbc4be66ab9518b2e4248f76f8e4e9
Opcode Fuzzy Hash: a0299abcad1f0eeb53ce8430316abf2ed11eb634f56fbeef89e460d6d348ee9f
Instruction Fuzzy Hash: F0827270618B088FD7AAEF64988979A73D1FB98311F20872DD49BC3293DF34D9458B85

Function 00007FF79CD818D7 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

+Y0+, xrefs: 00007FF79CD8199B

Memory Dump Source

Source File: 00000009.00000003.2213313332.00007FF79CD81000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF79CD81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_7ff79cd81000_khle.jbxd

Similarity

API ID:
String ID: +Y0+
API String ID: 0-1189096879
Opcode ID: 700d9b7284bfbab16c442717931a76e877bd874bda736dc46fcea473d1972563
Instruction ID: e0d31dd33efd7fe12e200a721431a6a19798a02f0500b3b65c3c78917e3a819f
Opcode Fuzzy Hash: 700d9b7284bfbab16c442717931a76e877bd874bda736dc46fcea473d1972563
Instruction Fuzzy Hash: BD31472580C6C68FDB276B3489651E1BFB0EF2736474D22FDC8D55F8A3CA146589C741

Function 0000020C80011500 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96607074e16f4868b5be774e877e5912d3aaae97ba57364b39b2a72336f57c8b
Instruction ID: 58ac177b776485b371a5874644189c0c1dc9b001381070387281a73ac3ec71c1
Opcode Fuzzy Hash: 96607074e16f4868b5be774e877e5912d3aaae97ba57364b39b2a72336f57c8b
Instruction Fuzzy Hash: B22246A01183558EFBAF8B6880A93F13BC1EB56726F38A35DC9E7871C3D71984078759

Function 0000020C80012F00 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction ID: c31774bc59e939b2f78d650e67f31fca5948dba2b7429ebe022c3dc7f1813150
Opcode Fuzzy Hash: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction Fuzzy Hash: 4512D260358A2407EB5E5A2C999F37832C2E385326F34933DDDC7C15CBE928D5A385CA

Function 0000020C80023E95 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80022000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80022000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80022000_khle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31879db383ebb8d5dde9c040e419a0f231d7ef384da0a7eea47c253b5ee4a878
Instruction ID: f44a30486c767db3e09b12a4da2ce9e6eddfda4ab4efa971aedc6772a41b00c4
Opcode Fuzzy Hash: 31879db383ebb8d5dde9c040e419a0f231d7ef384da0a7eea47c253b5ee4a878
Instruction Fuzzy Hash: 2F62689284E7C29FD7138B344CBA284BFB06E23214B6D86DFC4C14B4E3E249955AD767

Function 0000020C80013CEC Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f99f4912cc1f7b5290a762f61ca7177c15b4b468f00e92ea1a3a253ec1089c
Instruction ID: 3b92a833984696aef6fac6f38834fc80f7e5222d84c76a0836dfd9a41a5e6a7d
Opcode Fuzzy Hash: 11f99f4912cc1f7b5290a762f61ca7177c15b4b468f00e92ea1a3a253ec1089c
Instruction Fuzzy Hash: C79181B1A6C3444BD35CCE189C861BAB3D5F7C6215F24953DE9CBC3302EA31E5078A8A

Function 0000020C8001870C Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97ef2a92983f2fd7f4c0e136ef4c983bbffc174d00ebbc24951b3730f05a3cb
Instruction ID: b4567796fd33695ba9687d6d32588d322c0b1d555ee228d1a898d887f36773d6
Opcode Fuzzy Hash: a97ef2a92983f2fd7f4c0e136ef4c983bbffc174d00ebbc24951b3730f05a3cb
Instruction Fuzzy Hash: 63A18FB26687448BD35CDE1CDC82666B3D5FB8A319F14457DE4CBC3242DA34E8478A86

Function 0000020C8001710C Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0da2dc336cb695c55fe7557c083638bce03003c3af981621f0897e44abfbe7
Instruction ID: 015f4afd605f5d9870bc06dbcbbd565906004c0a7b49f90de311cbe7ae4c87e0
Opcode Fuzzy Hash: ef0da2dc336cb695c55fe7557c083638bce03003c3af981621f0897e44abfbe7
Instruction Fuzzy Hash: D661273011CB884FE76BE72884997EAB7E1FB95310F74876DE48BC31C3CA2585068786

Function 0000020C80018A58 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction ID: deaf14328648b22888cebcb385940640b83346a6dda6ca2be32c69e73a751e7e
Opcode Fuzzy Hash: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction Fuzzy Hash: A541D970719A494BEB49DB2C48C975477D1EB9A220F6443AAEC46CB287CA14D985C3D1

Function 0000020C80019FFC Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7480ddab4bcce6f18969b185a19d6807d5f220cd067d20dfcfaf6ebbcfae67
Instruction ID: 6300347f79594979333ab494b5635e83848432fb27311e865bef73749de1bcd8
Opcode Fuzzy Hash: 6b7480ddab4bcce6f18969b185a19d6807d5f220cd067d20dfcfaf6ebbcfae67
Instruction Fuzzy Hash: 88418E1521DAC59EC70ACF6C4490095FFB0EBAA100B1C83DEE8D9CB747C204E65AC7B6

Function 0000020C800110BC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.2220822901.0000020C80011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020C80011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_20c80011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b50c900da5022cad283dbc281507a62b1ab019ef7b026ae36db7c57b1c850c6
Instruction ID: 029fcb978df3219ad2c740e6e2b4b54a2f40df6ea8edb9ba315ed67093adb35b
Opcode Fuzzy Hash: 6b50c900da5022cad283dbc281507a62b1ab019ef7b026ae36db7c57b1c850c6
Instruction Fuzzy Hash: 1F11B9E584E7C15FD39787789C247A17FF16F13226F2E41EAC4C14E0A3E2684846CBA6

Analysis Process: OpenWith.exePID: 7932, Parent PID: 5316COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.2%
Total number of Nodes:	206
Total number of Limit Nodes:	6

Executed Functions

Function 0000016655EDB374 Relevance: 3.1, APIs: 2, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,0000016655EDB495), ref: 0000016655EDB3A1

Part of subcall function 0000016655EDAF84: ioctlsocket.WS2_32 ref: 0000016655EDAFB0

bind.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,0000016655EDB495), ref: 0000016655EDB426

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: bindioctlsocketsocket
String ID:
API String ID: 3555158474-0
Opcode ID: 7bf22dbbf28290d007348e7a12ca3bc168bbabb4c51e94198c4e520b8ad4573a
Instruction ID: 81870bf59410112695991ac16542a3efa36836f2b44623489a04a5708e13a5d7
Opcode Fuzzy Hash: 7bf22dbbf28290d007348e7a12ca3bc168bbabb4c51e94198c4e520b8ad4573a
Instruction Fuzzy Hash: B321A3307049044FEB58AF78AC8E3A573D5EB99366F20467DE82BC62D1EF258C458652

Function 0000016655EDB80C Relevance: 1.7, APIs: 1, Instructions: 167
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSARecv.WS2_32 ref: 0000016655EDB8AB

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 932363085a07e36dce123b02b0fe941d250780e13aa2ee6933dafb70be2f9976
Instruction ID: 7f0e2af5794a270d4b3583bf8a399933e4897b6c39fd65bf9e04380da6fbb181
Opcode Fuzzy Hash: 932363085a07e36dce123b02b0fe941d250780e13aa2ee6933dafb70be2f9976
Instruction Fuzzy Hash: 2E517B70204A898FEBA4EF2DC8897D6B7E4FB98354F50065ED44BC31A1EB36E944CB41

Function 0000016653BC04E0 Relevance: 10.8, APIs: 7, Instructions: 252memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000016653BC054E

Part of subcall function 0000016653BC00FC: VirtualAlloc.KERNELBASE ref: 0000016653BC014F
Part of subcall function 0000016653BC00FC: VirtualFree.KERNELBASE ref: 0000016653BC03B7

VirtualAlloc.KERNELBASE ref: 0000016653BC05AD
VirtualProtect.KERNELBASE ref: 0000016653BC0626
VirtualFree.KERNELBASE ref: 0000016653BC064D
MapViewOfFile.KERNELBASE ref: 0000016653BC0686
VirtualAlloc.KERNELBASE ref: 0000016653BC06B4
CloseHandle.KERNELBASE ref: 0000016653BC06E1

Memory Dump Source

Source File: 0000000A.00000003.2221158708.0000016653BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016653BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_16653bc0000_OpenWith.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID:
API String ID: 3867569247-0
Opcode ID: ff9d2ba7a0c9f70c7bdc5bf2a784896198b97f8e626e79ac36cfea1478692e2c
Instruction ID: 91781e79c25b2b607787cf778d430f8c1b75c75f5365c2b067db62a4abf2aa16
Opcode Fuzzy Hash: ff9d2ba7a0c9f70c7bdc5bf2a784896198b97f8e626e79ac36cfea1478692e2c
Instruction Fuzzy Hash: E2716731618F0E5BD768EF28D8457AAB7D1FB94750F10462EE58BD3281EB35E8418BC1

Function 0000016655ED4464 Relevance: 6.1, APIs: 4, Instructions: 138
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 0000016655ED44C8
RegQueryValueExW.KERNELBASE ref: 0000016655ED4503
RegCloseKey.KERNELBASE ref: 0000016655ED4529
GetVolumeInformationW.KERNELBASE ref: 0000016655ED458D

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: CloseInformationOpenQueryValueVolume
String ID:
API String ID: 4069062851-0
Opcode ID: b8ed43a9571b0f7ebccdd3b637c35a9fe59a110f66f9ab18e4e522b35e9dadd7
Instruction ID: 261b979d822b275f2d41601c45e514506687031421cc209d85b4a706c01dc4d6
Opcode Fuzzy Hash: b8ed43a9571b0f7ebccdd3b637c35a9fe59a110f66f9ab18e4e522b35e9dadd7
Instruction Fuzzy Hash: 7B413D312187888BE765EF64C899BDBB7E1FBE8340F404A2DA48BC3190DF759505CB82

Function 0000016655EDA940 Relevance: 6.1, APIs: 4, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000016655EDA949
socket.WS2_32 ref: 0000016655EDDD03
getsockopt.WS2_32 ref: 0000016655EDDD37
socket.WS2_32 ref: 0000016655EDDD6C

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: socket$ErrorModegetsockopt
String ID:
API String ID: 552242919-0
Opcode ID: ee64cecfa65e257842176328bb5ab6283e8bc2b376064c12f5c8ade0442f0951
Instruction ID: 4007454f61865fcb5698099c43afe545c4ed9c3056127bd511fa0f19f9f8fa8e
Opcode Fuzzy Hash: ee64cecfa65e257842176328bb5ab6283e8bc2b376064c12f5c8ade0442f0951
Instruction Fuzzy Hash: AF418370618B498FE758EF28DC9D6AA77E1FB99300F50862DE05BC32A1DF388645CB41

Function 0000016655EDAF84 Relevance: 4.6, APIs: 3, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ioctlsocket.WS2_32 ref: 0000016655EDAFB0
CreateIoCompletionPort.KERNELBASE ref: 0000016655EDAFE6
SetFileCompletionNotificationModes.KERNEL32 ref: 0000016655EDB02C

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPortioctlsocket
String ID:
API String ID: 1455841399-0
Opcode ID: 65ed2c9e0bfc7037adb16992d663b78e44cbe33570810552ad04d6a2963fe0a5
Instruction ID: c2db220c03a25dfd6cd18da20a62c94db8101a00487c5e2c4859c717c7c78fca
Opcode Fuzzy Hash: 65ed2c9e0bfc7037adb16992d663b78e44cbe33570810552ad04d6a2963fe0a5
Instruction Fuzzy Hash: EC3194303045588FFBA89F289C8F3B572D9F798395F60106DE857C21D2EB27CD818A95

Function 0000016655EDC770 Relevance: 3.1, APIs: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

shutdown.WS2_32(?,?,?,?,00000001,?,?,0000016655ED9FFE), ref: 0000016655EDC79C
closesocket.WS2_32(?,?,?,?,00000001,?,?,0000016655ED9FFE), ref: 0000016655EDC885

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: closesocketshutdown
String ID:
API String ID: 572888783-0
Opcode ID: 10782efffb6bb4c42faa2620b59e14120107728f6cfe316cb657f0d951cab143
Instruction ID: 684a23f4f9e6da7b767f2daab15fe193833aeb20fe466e554dea43244c6ef428
Opcode Fuzzy Hash: 10782efffb6bb4c42faa2620b59e14120107728f6cfe316cb657f0d951cab143
Instruction Fuzzy Hash: 1B518D755106858FEB98CF18C8CABA03795FB943E4F5012D9D86BEA1C6D726E881CB80

Function 0000016653BC00FC Relevance: 2.7, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000016653BC014F
VirtualFree.KERNELBASE ref: 0000016653BC03B7

Memory Dump Source

Source File: 0000000A.00000003.2221158708.0000016653BC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000016653BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_16653bc0000_OpenWith.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: f2b636883fa7399ae11ebc5cce8c91c73e66e325e14a65ea6db9f7987d7d7ea1
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 3291CE70618B858FE3A0DB18C481B6ABBF0FB99748F54092DF1CAD7291E736D940DB06

Function 0000016655EDF1EC Relevance: 2.6, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,?,0000016655ED58B9,?,?,?,?,?,?,?,0000016655ED595B), ref: 0000016655EDF23D
free.MSVCRT(?,?,?,?,?,?,?,0000016655ED58B9), ref: 0000016655EDF280

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ed78e059cc3bfed3b258e1737c439938a1c021539ed4627a6dbabb7bd182a94a
Instruction ID: 3979d1c08101a1e3aff40c51533cb7b2be8527c261bc6b38daf964980bad7c84
Opcode Fuzzy Hash: ed78e059cc3bfed3b258e1737c439938a1c021539ed4627a6dbabb7bd182a94a
Instruction Fuzzy Hash: 0E31CC342149468BEF88EB69DCAA7E93391FF95341F44407C581BCA6DBCE26DC45CB40

Function 0000016655EDBE14 Relevance: 1.7, APIs: 1, Instructions: 227
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32 ref: 0000016655EDBECB

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: afd922a78396e696f6d15eef1fd042df83d9ab22cc0fc1654582db5b6017f80d
Instruction ID: 483c4d6591db568aff975ee0b4fbe5500565eec90d9e389cf31fc80c4d5e14a3
Opcode Fuzzy Hash: afd922a78396e696f6d15eef1fd042df83d9ab22cc0fc1654582db5b6017f80d
Instruction Fuzzy Hash: CD818D70604B498FEB98DF28C889BA5B7E4FB98354F10426DD84EC7691EB32D854CF81

Function 0000016655ED42B8 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0000016655ED4353

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: a500b73e25499eaa65d5b84535ebddc4b37412dbff4cd7b7c791b878b57fc104
Instruction ID: bb24db3d5d23229aee1efa8dc208ad8b54191d24fde589b4cf6ab56039fa9091
Opcode Fuzzy Hash: a500b73e25499eaa65d5b84535ebddc4b37412dbff4cd7b7c791b878b57fc104
Instruction Fuzzy Hash: D841B5302149488FDB68EF2CDC896E9B3E1FBA8350F50835EE84BCB195DA71D985C781

Function 0000016655EDC5BC Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 0000016655EDC630

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6ee79d1b67084b77555383ea072f899fd601fabc88a06dee2947375c0305650d
Instruction ID: 7ff24bce5833cefe2fa9fb82df1204299c15d1042b0d0c3b36f5f85a82abef67
Opcode Fuzzy Hash: 6ee79d1b67084b77555383ea072f899fd601fabc88a06dee2947375c0305650d
Instruction Fuzzy Hash: 0C3160705046458FEB98DF18C48979077E0FB983A8F2412ADD86EDB2D6DB31C881CB41

Function 0000016655ED42FC Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0000016655ED4353

Memory Dump Source

Source File: 0000000A.00000002.3398178483.0000016655ED1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000016655ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16655ed1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: cd81e3bf29ab49c02dca13648c0c9cc34c5d817db0fb04804eda45a9c7d0a72f
Instruction ID: cce335c06f6fe173b0300d20abf2fd01a4c70bf44f83284c1f85701ed2693e68
Opcode Fuzzy Hash: cd81e3bf29ab49c02dca13648c0c9cc34c5d817db0fb04804eda45a9c7d0a72f
Instruction Fuzzy Hash: A821B33021458D8BDF64EF18DC8A6E977D2FBE8390F54822DD80BCB146D671C945C781

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GsrDwm0DJG.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\khle.exe (copy)

C:\Users\Public\Documents\khle.mp3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dsnsq2pv.bku.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llv1kkhq.xsk.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMTBJQZLG74HWJYWL8MR.temp

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

Windows Analysis Report
GsrDwm0DJG.ps1