Edit tour

Windows Analysis Report
HeggBkMoYE.ps1

Overview

General Information

Sample name:	HeggBkMoYE.ps1 renamed because original name is a hash value
Original sample name:	0cd2a12c0298dac1776a103c5e83ea8eb786b6a2130f86ab08cc9a05c2e2d34d.ps1
Analysis ID:	1511452
MD5:	944dbf47ac9caf336c2285d3939ebdb8
SHA1:	574d7da3edf63bf475b27957222a8bf9fa3355ac
SHA256:	0cd2a12c0298dac1776a103c5e83ea8eb786b6a2130f86ab08cc9a05c2e2d34d
Tags:	deadmunky-nlps1
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3564 cmdline: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

khle.exe (PID: 6588 cmdline: C:\Users\Public\Documents\khle.exe MD5: EC0F07CB1F1F5B4DD1BD94958C20A5AD)

OpenWith.exe (PID: 3740 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.1466104020.00000127131F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000004.00000003.1463300756.0000013600000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 6988	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1d01d0:$b1: ::WriteAllBytes( 0x322fd5:$b1: ::WriteAllBytes( 0x8960:$s1: -join 0x899b:$s1: -join 0x8a62:$s1: -join 0x8a90:$s1: -join 0x8c29:$s1: -join 0x8c4c:$s1: -join 0x8eff:$s1: -join 0x8f20:$s1: -join 0x8f52:$s1: -join 0x8f9a:$s1: -join 0x8fc7:$s1: -join 0x8fee:$s1: -join 0x9019:$s1: -join 0x9035:$s1: -join 0x909e:$s1: -join 0x9532:$s1: -join 0x9554:$s1: -join 0x95ac:$s1: -join 0x95d6:$s1: -join
Process Memory Space: khle.exe PID: 6588	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: OpenWith.exe PID: 3740	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
4.3.khle.exe.13600850000.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.12713db0000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.12713ad0000.4.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.3.khle.exe.13600b30000.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.3.khle.exe.13600b30000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.12713db0000.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.3.OpenWith.exe.12713ad0000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.3.khle.exe.13600850000.4.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\khle.exe, CommandLine: C:\Users\Public\Documents\khle.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\khle.exe, NewProcessName: C:\Users\Public\Documents\khle.exe, OriginalFileName: C:\Users\Public\Documents\khle.exe, ParentCommandLine: "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe , ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 3564, ParentProcessName: conhost.exe, ProcessCommandLine: C:\Users\Public\Documents\khle.exe, ProcessId: 6588, ProcessName: khle.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6988, TargetFilename: C:\Users\Public\Documents\khle.mp3

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", ProcessId: 6988, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1", ProcessId: 6988, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\khle.mp3

Avira: detection malicious, Label: TR/AVI.Rhadamanthys.xgajh

Found malware configuration

Source: 00000004.00000000.1428528206.00007FF6775A1000.00000020.00000001.01000000.00000008.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7"}

Multi AV Scanner detection for domain / URL

Source: deadmunky.nl	Virustotal: Detection: 12%			Perma Link
Source: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\khle.exe (copy)	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\khle.exe (copy)	Virustotal: Detection: 78%	Perma Link
Source: C:\Users\Public\Documents\khle.mp3	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Documents\khle.mp3	Virustotal: Detection: 78%	Perma Link

Multi AV Scanner detection for submitted file

Source: HeggBkMoYE.ps1

Virustotal: Detection: 7%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source:	Binary string: kernel32.pdbUGP source: khle.exe, 00000004.00000003.1464865104.0000013600910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464799631.0000013600850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467324059.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467418865.0000012713B90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: khle.exe, 00000004.00000003.1464334765.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464543285.0000013600A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1466835141.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467032992.0000012713CC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: khle.exe, 00000004.00000003.1464334765.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464543285.0000013600A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1466835141.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467032992.0000012713CC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: khle.exe, 00000004.00000003.1464865104.0000013600910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464799631.0000013600850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467324059.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467418865.0000012713B90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 194.113.106.180:3715

Source: Joe Sandbox View

ASN Name: RACKTECHRU RACKTECHRU

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\System32\OpenWith.exe

Code function: 5_2_0000012713ADB80C WSARecv,

5_2_0000012713ADB80C

Source: global traffic

DNS traffic detected: DNS query: deadmunky.nl

Source: powershell.exe, 00000000.00000002.1430806086.0000020728610000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1430806086.0000020727831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1430806086.0000020727831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: OpenWith.exe, 00000005.00000002.2648465633.0000001D6BA7B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7
Source: powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1430806086.0000020728610000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_05a6de92-4

Source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_ca4b6bb4-6

Source: Yara match	File source: 4.3.khle.exe.13600850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.12713db0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.12713ad0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.khle.exe.13600b30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.khle.exe.13600b30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.12713db0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.OpenWith.exe.12713ad0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.khle.exe.13600850000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: khle.exe PID: 6588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OpenWith.exe PID: 3740, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.exe (copy)			Jump to dropped file

Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00000136000156A8 NtQuerySystemInformation,NtQuerySystemInformation,GetTokenInformation,CloseHandle,CloseHandle,		4_3_00000136000156A8
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00000136000151B4 NtQueryInformationProcess,		4_3_00000136000151B4

Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776018D7	4_3_00007FF6776018D7
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600014A54	4_3_0000013600014A54
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600013CEC	4_3_0000013600013CEC
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600011500	4_3_0000013600011500
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600012F00	4_3_0000013600012F00
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_000001360001870C	4_3_000001360001870C
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_000001360001710C	4_3_000001360001710C
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600015BC0	4_3_0000013600015BC0
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600019FFC	4_3_0000013600019FFC
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600018A58	4_3_0000013600018A58
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600023E95	4_3_0000013600023E95
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_3_00000127117F0967	5_3_00000127117F0967
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF1FF8	5_2_0000012713AF1FF8
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEC040	5_2_0000012713AEC040
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AD943C	5_2_0000012713AD943C
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEC34C	5_2_0000012713AEC34C
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AD9788	5_2_0000012713AD9788
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEE788	5_2_0000012713AEE788
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF22F4	5_2_0000012713AF22F4
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AE5AE0	5_2_0000012713AE5AE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEBB28	5_2_0000012713AEBB28
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF2720	5_2_0000012713AF2720
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF2E90	5_2_0000012713AF2E90
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AE1A98	5_2_0000012713AE1A98
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEF9CC	5_2_0000012713AEF9CC
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF1DE0	5_2_0000012713AF1DE0
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AD3618	5_2_0000012713AD3618
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AE556C	5_2_0000012713AE556C
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AD8194	5_2_0000012713AD8194
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AF4CD8	5_2_0000012713AF4CD8
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AE9C54	5_2_0000012713AE9C54
Source: C:\Windows\System32\OpenWith.exe	Code function: 5_2_0000012713AEBCA8	5_2_0000012713AEBCA8

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Documents\khle.exe (copy) 34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Documents\khle.mp3 34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463

Source: Process Memory Space: powershell.exe PID: 6988, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.evad.winPS1@8/7@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\khle.mp3

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqkrmem2.y4p.ps1

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: HeggBkMoYE.ps1

Virustotal: Detection: 7%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wudfplatform.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: kernel32.pdbUGP source: khle.exe, 00000004.00000003.1464865104.0000013600910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464799631.0000013600850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467324059.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467418865.0000012713B90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: khle.exe, 00000004.00000003.1464334765.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464543285.0000013600A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1466835141.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467032992.0000012713CC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: khle.exe, 00000004.00000003.1464334765.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464543285.0000013600A40000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1466835141.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467032992.0000012713CC0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: khle.exe, 00000004.00000003.1464865104.0000013600910000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1464799631.0000013600850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467324059.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467418865.0000012713B90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: khle.exe, 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, khle.exe, 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp

Source: khle.mp3.0.dr	Static PE information: section name: .textbss
Source: khle.mp3.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF886CA5D04 push eax; iretd	0_2_00007FF886CA5D11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF886D71BF5 push ecx; ret	0_2_00007FF886D71BF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF886D7195A push ebx; ret	0_2_00007FF886D7195B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF886D70566 push esi; retf	0_2_00007FF886D70567
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677604EB2 pushad ; retf	4_3_00007FF677604EB3
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677601865 push cs; ret	4_3_00007FF6776018C4
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677605643 push eax; retf	4_3_00007FF677605645
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776040F7 push eax; ret	4_3_00007FF6776040FB
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF67760430B push eax; retf	4_3_00007FF67760430C
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776062E3 push ebx; ret	4_3_00007FF6776062E6
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677605ED9 push esi; ret	4_3_00007FF677605EDD
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776048BE push eax; retf	4_3_00007FF6776048BF
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677604427 pushad ; ret	4_3_00007FF677604428
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF677606C12 push edx; retf	4_3_00007FF677606C26
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF67760220B push eax; iretd	4_3_00007FF677602224
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776059E3 push esi; retf	4_3_00007FF6776059E6
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776035EC push esi; ret	4_3_00007FF6776035ED
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00007FF6776017D5 push cs; ret	4_3_00007FF6776018C4
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_000001360001C220 pushad ; retf	4_3_000001360001C221
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600023E95 push ebp; retf	4_3_0000013600023E94
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00000136000274C6 push esi; ret	4_3_00000136000274CA
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_000001360002BACB pushad ; iretd	4_3_0000013600352EB3
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_00000136000256D9 push ecx; ret	4_3_0000013600025700
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600024B35 push ss; iretd	4_3_000001360031919F
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600028560 push ds; retf	4_3_0000013600028577
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600025C06 push esi; ret	4_3_0000013600025C07
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_000001360002B627 push ebp; iretd	4_3_000001360002B628
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_3_0000013600023E70 push ebp; retf	4_3_0000013600023E94
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_2_00007FF6775A96B5 push FFFFFF81h; retf	4_2_00007FF6775A96B7
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_2_00007FF6775A4918 push rsi; retf	4_2_00007FF6775A4923
Source: C:\Users\Public\Documents\khle.exe	Code function: 4_2_00007FF6775AA778 pushfq ; iretd	4_2_00007FF6775AA779

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.mp3			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\khle.exe (copy)			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\khle.mp3

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTO
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ON.EXEREGMON.EXEWINDANR.EXEWINDBG.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3882			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2490			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Documents\khle.exe

Code function: 4_3_0000013600014FD4 GetSystemInfo,

4_3_0000013600014FD4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior

Source: OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000005.00000002.2648543108.0000012711955000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe "C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\Public\Documents\khle.exe C:\Users\Public\Documents\khle.exe	Jump to behavior
Source: C:\Users\Public\Documents\khle.exe	Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\Documents\khle.exe

Code function: 4_2_00007FF6775F615C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF6775F615C

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: OpenWith.exe, 00000005.00000002.2648777133.0000012713386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000005.00000003.1466104020.00000127131F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1463300756.0000013600000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000005.00000003.1466104020.00000127131F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1463300756.0000013600000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\OpenWith.exe

Code function: 5_2_0000012713ADB374 socket,bind,

5_2_0000012713ADB374

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	15 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HeggBkMoYE.ps1	5%	ReversingLabs	Win32.Trojan.Generic
HeggBkMoYE.ps1	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\khle.mp3	100%	Avira	TR/AVI.Rhadamanthys.xgajh
C:\Users\Public\Documents\khle.exe (copy)	61%	ReversingLabs	Win64.Spyware.Rhadamanthys
C:\Users\Public\Documents\khle.exe (copy)	78%	Virustotal		Browse
C:\Users\Public\Documents\khle.mp3	61%	ReversingLabs	Win64.Spyware.Rhadamanthys
C:\Users\Public\Documents\khle.mp3	78%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
deadmunky.nl	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	0%	Avira URL Cloud	safe
https://oneget.orgX	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	7%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://oneget.org	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
deadmunky.nl	194.113.106.180	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://deadmunky.nl:3715/b607677f1d5be7bf651f2/q1bwmeni.33ap7	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1430806086.0000020728610000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1430806086.0000020728610000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1464203614.00000207378A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1430806086.0000020727831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1430806086.0000020727831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1430806086.0000020727A58000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000000.00000002.1430806086.0000020728458000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.113.106.180	deadmunky.nl	Russian Federation		208861	RACKTECHRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1511452
Start date and time:	2024-09-15 15:01:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HeggBkMoYE.ps1 renamed because original name is a hash value
Original Sample Name:	0cd2a12c0298dac1776a103c5e83ea8eb786b6a2130f86ab08cc9a05c2e2d34d.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@8/7@1/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 60% Number of executed functions: 40 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target khle.exe, PID 6588 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6988 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:12	API Interceptor	4x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
deadmunky.nl	rsDymE.vbs	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	ji2OQQH0ei.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	Wg2icM1Vjd.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	mz4hWuLng5.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	3fFuN58APW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	C6hvgnDXwW.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	drZ7xATGIg.exe	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2
	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse	63.141.252.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKTECHRU	b2J6hgvd51.elf	Get hash	malicious	Unknown	Browse	45.128.232.191
	TbFoReHi2v.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	gmA11dfzc2.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	naoen3DFXE.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	BrKoH01YHR.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	JV1eMPUdHV.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	O1OSOtRYWN.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	EuK5PNhZyK.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	i1Z6us4dFg.elf	Get hash	malicious	Mirai	Browse	45.128.232.235
	cLtcKcdR8Q.elf	Get hash	malicious	Mirai	Browse	45.128.232.235

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\Public\Documents\khle.exe (copy)	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse
C:\Users\Public\Documents\khle.mp3	zaD1vaze6V.ps1	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\Public\Documents\khle.exe (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	5.530525551421984
Encrypted:	false
SSDEEP:	12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd
MD5:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
SHA1:	84718EFB03C2AE32AA2C5800BF135F97275F9A74
SHA-256:	34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
SHA-512:	58AF6D13D8C43970CC9E964F8418ECB054E177D40F966D2D9E318F540370D219028C4694DAF09BA8B101206D54B482F66CE3A2B29EC4716119A21644A899F3D7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 78%, Browse
Joe Sandbox View:	Filename: zaD1vaze6V.ps1, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........MV.y#..y#..y#...'..y#... ..y#...&..y#...&..y#...'..y#... ..y#..."..y#..y".ey#.o.'..y#..y#..y#.o....y#.o.!..y#.Rich.y#.........PE..d...^{_d.........."..................^.........@............................. ............`................................................. ...................D...............8.......................................8............................................text...P........................... ..`.textbss.................................rdata..,...........................@..@.data...............................@....pdata..D...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................

C:\Users\Public\Documents\khle.mp3

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	5.530525551421984
Encrypted:	false
SSDEEP:	12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd
MD5:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
SHA1:	84718EFB03C2AE32AA2C5800BF135F97275F9A74
SHA-256:	34918278F6EB6B5E3AFA8DA406EB3C5A4CC3B7C4A1CEE55320FECDBEF4E0A463
SHA-512:	58AF6D13D8C43970CC9E964F8418ECB054E177D40F966D2D9E318F540370D219028C4694DAF09BA8B101206D54B482F66CE3A2B29EC4716119A21644A899F3D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 78%, Browse
Joe Sandbox View:	Filename: zaD1vaze6V.ps1, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........MV.y#..y#..y#...'..y#... ..y#...&..y#...&..y#...'..y#... ..y#..."..y#..y".ey#.o.'..y#..y#..y#.o....y#.o.!..y#.Rich.y#.........PE..d...^{_d.........."..................^.........@............................. ............`................................................. ...................D...............8.......................................8............................................text...P........................... ..`.textbss.................................rdata..,...........................@..@.data...............................@....pdata..D...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..8...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulriAz:NllU2A
MD5:	88CD010331786B5B0D8F925A7B5EFE73
SHA1:	47B913E734AACA1331C5E8561FC01340D899A2DF
SHA-256:	58BC41921E8386AF7B31594E38A11BC63533D8D2B9D3803C640C3AAD8BD3CFF4
SHA-512:	437792D19577187888FC54489B47D34506E6275910DD03690A9BC746D23A906329251B2DBA227F82B39686C54A4E37A366DF5B5566F2387D57C882706B8D4E45
Malicious:	false
Reputation:	low
Preview:	@...e.................................:.%............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqkrmem2.y4p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyzoqgey.22c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\40MUW6ODZIQMP2BN74LI.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.7086935818891034
Encrypted:	false
SSDEEP:	96:FXqrCRQlgkvhkvCCtmue60kxHZue60klHR:FXqaKsmuepguepC
MD5:	98D8868891D8A2E172F4E20F1104CC5F
SHA1:	4826A0FE5095C520211A02ACBE1B3C400AC80DC9
SHA-256:	82EA1CEC176414AA2C0CA7E4A7D750766565EAAE968F65AFA4FFA7EC32BD1704
SHA-512:	C9F476BCE9DA76F243C9257FAF69598BD327C0579F98BD5B8C368B29DC06C1B8A648F414E173BD8BCB47F9560EE75FE4368BCEDDF72478DBE3489B0797512F4D
Malicious:	false
Preview:	...................................FL..................F.".. ....'GDj...T.Wyo...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj......to.....hyo.......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG/YDh..........................=...A.p.p.D.a.t.a...B.V.1...../YBh..Roaming.@......EWsG/YBh..............................R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG/Y<h..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG/Y<h............................M.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG/Y<h....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG/Y<h....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG/YEh................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.7086935818891034
Encrypted:	false
SSDEEP:	96:FXqrCRQlgkvhkvCCtmue60kxHZue60klHR:FXqaKsmuepguepC
MD5:	98D8868891D8A2E172F4E20F1104CC5F
SHA1:	4826A0FE5095C520211A02ACBE1B3C400AC80DC9
SHA-256:	82EA1CEC176414AA2C0CA7E4A7D750766565EAAE968F65AFA4FFA7EC32BD1704
SHA-512:	C9F476BCE9DA76F243C9257FAF69598BD327C0579F98BD5B8C368B29DC06C1B8A648F414E173BD8BCB47F9560EE75FE4368BCEDDF72478DBE3489B0797512F4D
Malicious:	false
Preview:	...................................FL..................F.".. ....'GDj...T.Wyo...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj......to.....hyo.......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG/YDh..........................=...A.p.p.D.a.t.a...B.V.1...../YBh..Roaming.@......EWsG/YBh..............................R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG/Y<h..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG/Y<h............................M.W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG/Y<h....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG/Y<h....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG/YEh................

Static File Info

General

File type:	ASCII text, with very long lines (65534), with CRLF line terminators
Entropy (8bit):	3.219617666659534
TrID:
File name:	HeggBkMoYE.ps1
File size:	897'545 bytes
MD5:	944dbf47ac9caf336c2285d3939ebdb8
SHA1:	574d7da3edf63bf475b27957222a8bf9fa3355ac
SHA256:	0cd2a12c0298dac1776a103c5e83ea8eb786b6a2130f86ab08cc9a05c2e2d34d
SHA512:	1146051455181953f05428f7c6d67e2d5ee2a26e3e880f16fd3a06663eb4b5c9f7685508d390c2a263d432e0d190f82be33d59c83e81bf99f2c50c0d9e84d57c
SSDEEP:	12288:Kem6ChShBS+75NRaX6RhwCmV1Fk2bH3rHOad8jnlG:KIhBJHRaPF1FNr2jU
TLSH:	5115671206BF0051F99238F45D4CB7D2BCBEB8C799F28CB14A6E5B7619259E7A4F1038
File Content Preview:	..$encodedData = '4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000000100000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:20.709295034 CEST	49706	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:20.714431047 CEST	3715	49706	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:20.714569092 CEST	49706	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:20.718692064 CEST	49706	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:20.723898888 CEST	3715	49706	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:25.532824039 CEST	49706	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:25.585177898 CEST	3715	49706	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:30.527723074 CEST	49708	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:30.532632113 CEST	3715	49708	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:30.532771111 CEST	49708	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:30.532865047 CEST	49708	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:30.537641048 CEST	3715	49708	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:35.546627998 CEST	49708	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:35.593101025 CEST	3715	49708	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:40.558531046 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:40.563571930 CEST	3715	49709	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:40.563677073 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:40.563874960 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:40.568789005 CEST	3715	49709	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:42.106180906 CEST	3715	49706	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:42.106322050 CEST	49706	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:45.565413952 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:45.870666981 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:46.480034113 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:46.528981924 CEST	3715	49709	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:46.530349016 CEST	3715	49709	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:50.558554888 CEST	49710	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:50.563523054 CEST	3715	49710	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:50.563672066 CEST	49710	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:50.564083099 CEST	49710	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:50.568975925 CEST	3715	49710	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:51.902196884 CEST	3715	49708	194.113.106.180	192.168.2.9
Sep 15, 2024 15:02:51.902261019 CEST	49708	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:55.578597069 CEST	49710	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:02:55.625267982 CEST	3715	49710	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:00.574156046 CEST	53805	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:00.584930897 CEST	3715	53805	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:00.585005045 CEST	53805	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:00.585114956 CEST	53805	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:00.590004921 CEST	3715	53805	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:01.950337887 CEST	3715	49709	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:01.950452089 CEST	49709	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:05.578087091 CEST	53805	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:05.625155926 CEST	3715	53805	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:10.590130091 CEST	53806	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:10.595010042 CEST	3715	53806	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:10.595148087 CEST	53806	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:10.595305920 CEST	53806	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:10.600044012 CEST	3715	53806	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:11.934109926 CEST	3715	49710	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:11.934226990 CEST	49710	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:15.685326099 CEST	53806	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:15.737277031 CEST	3715	53806	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:20.589971066 CEST	53807	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:20.594885111 CEST	3715	53807	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:20.594999075 CEST	53807	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:20.595119953 CEST	53807	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:20.599922895 CEST	3715	53807	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:21.946125031 CEST	3715	53805	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:21.946227074 CEST	53805	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:25.609560013 CEST	53807	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:25.657286882 CEST	3715	53807	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:30.621332884 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:30.626477003 CEST	3715	53808	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:30.626586914 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:30.626645088 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:30.631582022 CEST	3715	53808	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:31.945909023 CEST	3715	53806	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:31.946054935 CEST	53806	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:35.627929926 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:35.933612108 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:36.052232027 CEST	3715	53808	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:40.637509108 CEST	53809	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:40.642405033 CEST	3715	53809	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:40.642543077 CEST	53809	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:40.642615080 CEST	53809	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:40.647834063 CEST	3715	53809	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:41.950082064 CEST	3715	53807	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:41.950161934 CEST	53807	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:45.645020962 CEST	53809	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:45.693451881 CEST	3715	53809	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:50.652740955 CEST	53810	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:50.657677889 CEST	3715	53810	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:50.657840014 CEST	53810	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:50.657929897 CEST	53810	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:50.662735939 CEST	3715	53810	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:51.993609905 CEST	3715	53808	194.113.106.180	192.168.2.9
Sep 15, 2024 15:03:51.993691921 CEST	53808	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:55.657144070 CEST	53810	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:03:55.705503941 CEST	3715	53810	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:00.668595076 CEST	53811	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:00.674083948 CEST	3715	53811	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:00.674222946 CEST	53811	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:00.674372911 CEST	53811	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:00.679126978 CEST	3715	53811	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:02.025146961 CEST	3715	53809	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:02.025223017 CEST	53809	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:05.688122988 CEST	53811	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:05.733660936 CEST	3715	53811	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:10.684519053 CEST	53812	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:10.689476013 CEST	3715	53812	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:10.689596891 CEST	53812	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:10.689718008 CEST	53812	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:10.694690943 CEST	3715	53812	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:12.025125980 CEST	3715	53810	194.113.106.180	192.168.2.9
Sep 15, 2024 15:04:12.025348902 CEST	53810	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:15.703097105 CEST	53812	3715	192.168.2.9	194.113.106.180
Sep 15, 2024 15:04:15.749567032 CEST	3715	53812	194.113.106.180	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2024 15:02:20.533420086 CEST	49681	53	192.168.2.9	1.1.1.1
Sep 15, 2024 15:02:20.547714949 CEST	53	49681	1.1.1.1	192.168.2.9
Sep 15, 2024 15:02:53.049815893 CEST	53	53699	162.159.36.2	192.168.2.9
Sep 15, 2024 15:02:53.606292009 CEST	53	60776	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:20.533420086 CEST	192.168.2.9	1.1.1.1	0x68c3	Standard query (0)	deadmunky.nl	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 15, 2024 15:02:20.547714949 CEST	1.1.1.1	192.168.2.9	0x68c3	No error (0)	deadmunky.nl		194.113.106.180	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:02:09
Start date:	15/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\HeggBkMoYE.ps1"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:02:09
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:02:13
Start date:	15/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\conhost.exe" C:\Users\Public\Documents\khle.exe
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:02:13
Start date:	15/09/2024
Path:	C:\Users\Public\Documents\khle.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Documents\khle.exe
Imagebase:	0x7ff6775a0000
File size:	448'512 bytes
MD5 hash:	EC0F07CB1F1F5B4DD1BD94958C20A5AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.1463300756.0000013600000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.1465044506.0000013600850000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.1465246626.0000013600B30000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:02:16
Start date:	15/09/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\openwith.exe"
Imagebase:	0x7ff71ac50000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000005.00000003.1466104020.00000127131F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.1467609808.0000012713AD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000003.1467978667.0000012713DB0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF886D71CC7 Relevance: 1.1, Instructions: 1130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475898561.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2ffb8e3663aeb9e25cf79b40d49debf24bf4be4f3ab19ef600616876ef8f37
Instruction ID: a2527a35036d7ebd4959eeab9409cb917083265f35b62cffa765be9cd658ac5c
Opcode Fuzzy Hash: ba2ffb8e3663aeb9e25cf79b40d49debf24bf4be4f3ab19ef600616876ef8f37
Instruction Fuzzy Hash: D782F331D1CA898FE799DB6888556787BE1FF55360B5802BEC00EC7292DF26EC46C742

Function 00007FF886D728B6 Relevance: 1.1, Instructions: 1051COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475898561.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08437be6ad08ae88cbc777fdd2307e2d25b4386c2e09ec8427c0fec682812c4
Instruction ID: e4d5c14895ff1def5f13730e499f1f9c1f92ad011d97f52960d6cfd8ac764f4a
Opcode Fuzzy Hash: f08437be6ad08ae88cbc777fdd2307e2d25b4386c2e09ec8427c0fec682812c4
Instruction Fuzzy Hash: FB621421E0DBC98FE7A6973858566B57FE1FF56260B0901FBD08ECB193D919AC06C342

Function 00007FF886D70589 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475898561.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba4f176010d66a1f9fd1301af36a22e856df69acad3cd5d4dd97dec9ea470ca
Instruction ID: 1dd17dce1029fe2f46eb9a6b93ae8a8d71aaa6aaaffe52ae8938f8eeb9e0b47d
Opcode Fuzzy Hash: 1ba4f176010d66a1f9fd1301af36a22e856df69acad3cd5d4dd97dec9ea470ca
Instruction Fuzzy Hash: 230225A2D0DB894FE7929B6858542F57BE0FF9A260F0801BBD04EC71D3DE199D45C382

Function 00007FF886D72427 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475898561.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c164ab49e66a553efcd3b60a410dcb552c0914ea4d0e019fc14872f63e0b2e7
Instruction ID: b93ef9cd17794f1979fddecd8786fd026ab21f2cec9a4ff80459e9b4107ec133
Opcode Fuzzy Hash: 7c164ab49e66a553efcd3b60a410dcb552c0914ea4d0e019fc14872f63e0b2e7
Instruction Fuzzy Hash: 8102F432D0DAC98FE3569B6858566B57BE0FF56274B0801FFC08AC71A3DD1AAC46C742

Function 00007FF886D72DA7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475898561.00007FF886D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886d70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c84e192f5d32c6537674834b8d27d4699c34c3abe3407f3e132a3bc7a2469f
Instruction ID: ffb91cbe888760b6ee0938083e0413a2329f65badc325f97625a1473d7090bdf
Opcode Fuzzy Hash: b1c84e192f5d32c6537674834b8d27d4699c34c3abe3407f3e132a3bc7a2469f
Instruction Fuzzy Hash: FD11CD22E1D98ACBF2A8912C65972B962C1FF847B4F980279D44FC75C6DD0EAC118187

Function 00007FF886CA5C68 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418180.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd479bdc153b7e72ab5059aea556bf56e49704eb05ba7586af87b730301db8e
Instruction ID: 3cc8bbfe87d350b77dae028beef9ac91478de6d0eeb476763668ccc741958df6
Opcode Fuzzy Hash: 8fd479bdc153b7e72ab5059aea556bf56e49704eb05ba7586af87b730301db8e
Instruction Fuzzy Hash: 8C11E56290D3C14FE3179728A8624A4BFF1EF1727474D82EBD0CACB4A7E51A6847C741

Function 00007FF886CA5BF5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418180.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c6427f2826d6888aa91ea7b3466f9f81bfffab2e5510da4f46a2ee4ae78c3c
Instruction ID: d87a843360816b582508d787c4d55e3b4185df1d53af7a27b15b0289fcbe3395
Opcode Fuzzy Hash: a6c6427f2826d6888aa91ea7b3466f9f81bfffab2e5510da4f46a2ee4ae78c3c
Instruction Fuzzy Hash: 7F01677111CB0C8FD744EF0CE451AA5B7E0FB99364F50056DE58AC3655D636E881CB46

Function 00007FF886CA5D12 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475418180.00007FF886CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff886ca0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a757cd031ea30b7a45ce99e3c57e71f3bdc299070b97f634c16a8fe1744ad9
Instruction ID: b4e7a077bd0a47a2a7165d73bcdd71a46cbeeaa29f7ce3de290f87e6acc68aca
Opcode Fuzzy Hash: 14a757cd031ea30b7a45ce99e3c57e71f3bdc299070b97f634c16a8fe1744ad9
Instruction Fuzzy Hash: 93F0E57210C6098FDB589F0CE8925B4B790FF05234B6046AED18B85492E622B893D785

Analysis Process: khle.exePID: 6588, Parent PID: 3564COMMON

Executed Functions

Function 00000136000156A8 Relevance: 7.8, APIs: 5, Instructions: 253nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001360001571C
NtQuerySystemInformation.NTDLL ref: 0000013600015743

Part of subcall function 00000136000151B4: NtQueryInformationProcess.NTDLL ref: 0000013600015223

GetTokenInformation.KERNELBASE ref: 0000013600015853
CloseHandle.KERNELBASE ref: 0000013600015867
CloseHandle.KERNELBASE ref: 0000013600015878

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: Information$Query$CloseHandleSystem$ProcessToken
String ID:
API String ID: 2024103940-0
Opcode ID: b9a3c4ba72519c8822dfc57c731493710fdc37b3db7567c16f04e989f1c331f2
Instruction ID: babf58cb652b10e343534769caf5b9ad9f4451fb643ae2ab3880b1f0da489c09
Opcode Fuzzy Hash: b9a3c4ba72519c8822dfc57c731493710fdc37b3db7567c16f04e989f1c331f2
Instruction Fuzzy Hash: 9271B630218E09EBEB59EB289D967EA73D1FBD4315F408529F847C7191EF34DA018782

Function 0000013600014FD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 0000013600015010

Strings

@, xrefs: 000001360001505F

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID: @
API String ID: 31276548-2766056989
Opcode ID: 7df665d085f366cb99ab2ed896b311d25e2371bb223fb157703b8fcce2dda1a5
Instruction ID: 17214e5c2d220fb577f5d0488392273b2e5e131704e013f093ab8083e2cccbb1
Opcode Fuzzy Hash: 7df665d085f366cb99ab2ed896b311d25e2371bb223fb157703b8fcce2dda1a5
Instruction Fuzzy Hash: CF21243061CE089FEB55EB58DD85BDA73E1F7D8355F004629B086C7154DA78EA4487C2

Function 0000013600014A54 Relevance: 1.6, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0000013600014B46

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e53356f1062cacf861271dc336240a7330d37cd7133727a4fd0f385aae3edfcc
Instruction ID: 91ad476af1aa0b9b097f54434298d1a3213906222db59c4477e0a3baa0113a59
Opcode Fuzzy Hash: e53356f1062cacf861271dc336240a7330d37cd7133727a4fd0f385aae3edfcc
Instruction Fuzzy Hash: 5E9139316189484BE76C9B28CC963F9B7D5F785309F14822EF49BC2292EA38D607C785

Function 00000136000151B4 Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0000013600015223

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 5cd943b8ec8f82312c43e3a2f06d1ea5450dc20cd0d98dd920086ada27a54906
Instruction ID: 31b2c8ba7a22df92af2bcea6b9780c164f02393d57a3ec33450f27a29a7fb8a1
Opcode Fuzzy Hash: 5cd943b8ec8f82312c43e3a2f06d1ea5450dc20cd0d98dd920086ada27a54906
Instruction Fuzzy Hash: 80017C35328A099BEB8DEB689C56BE673E1F7A5309F004929E55BC21A1EB78C6018741

Function 0000013600016F40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 188registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 0000013600016FC9
RegCreateKeyExW.KERNELBASE ref: 0000013600017001
RegSetValueExW.KERNELBASE ref: 00000136000170C4
RegCloseKey.KERNELBASE ref: 00000136000170DE

Strings

@, xrefs: 00000136000170B7
@, xrefs: 0000013600017051

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValue
String ID: @$@
API String ID: 776291540-149943524
Opcode ID: d0f705a3185ad35ba5479375eab81183ddc54abaa6c67952c2e0273967de8d7a
Instruction ID: 30b8fb89c334427b02cef82efbef55b8a712b12ce10341b5b2f5999187cbf7ea
Opcode Fuzzy Hash: d0f705a3185ad35ba5479375eab81183ddc54abaa6c67952c2e0273967de8d7a
Instruction Fuzzy Hash: 3A518071608B0C4FE758EF6898866EAB7E1F794305F004A2EF58BC3261DF7499458742

Function 00007FF6776014D4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF67760153B

Part of subcall function 00007FF6776010F0: VirtualAlloc.KERNELBASE ref: 00007FF677601143
Part of subcall function 00007FF6776010F0: VirtualFree.KERNELBASE ref: 00007FF6776013AB

VirtualAlloc.KERNELBASE ref: 00007FF677601599
VirtualProtect.KERNELBASE ref: 00007FF677601603
VirtualFree.KERNELBASE ref: 00007FF677601645

Strings

,, xrefs: 00007FF67760157A

Memory Dump Source

Source File: 00000004.00000003.1463450252.00007FF677601000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF677601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_7ff677601000_khle.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction ID: 2cb2136b6784a4884bc23693b6ba566f05a012af90bbcc9600c308461eccef0f
Opcode Fuzzy Hash: 8a57ff5ef109ebab1fcadb133502250ce132c3a796e799e615fc61f91456b295
Instruction Fuzzy Hash: 4D51867162CA094BDB58EF1CD885A7A77E1FB94350F14462EE88EC7245EE74E842C7C1

Function 00000136000180A8 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0000013600018191
CloseHandle.KERNELBASE ref: 000001360001824A
free.MSVCRT ref: 0000013600018266

Strings

,, xrefs: 0000013600018109

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: free$CloseHandle
String ID: ,
API String ID: 4080011421-3772416878
Opcode ID: 5797dcfcb43276d353d1c4b34606bb2198c28a6318ae347a702950fb364732a2
Instruction ID: 6e074a6926a88c8ae7816da81d12896681809fad3d1d4fff821e319f84dd36c4
Opcode Fuzzy Hash: 5797dcfcb43276d353d1c4b34606bb2198c28a6318ae347a702950fb364732a2
Instruction Fuzzy Hash: E351A43060CB489FD759EB68D9867EAB7E1FB94314F04851DF48AC3291DE74DA42CB81

Function 00000136000139F8 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0000013600013B0E

Strings

@, xrefs: 0000013600013AD4
0, xrefs: 0000013600013AB4

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: calloc
String ID: 0$@
API String ID: 2635317215-1545510068
Opcode ID: 594431a24205e52c40ea0963e4db5182c8664f3d2c16e5dd9bfc22cb73e7d0d0
Instruction ID: 050dfe2d7822908d5ecc4f70d1b2f6a0473af9abd625b49b3cecbe88b51bceee
Opcode Fuzzy Hash: 594431a24205e52c40ea0963e4db5182c8664f3d2c16e5dd9bfc22cb73e7d0d0
Instruction Fuzzy Hash: A351D43061CB484FEB98EB28D4997EA77D1FB98345F10852EE48AC7291EF74C9458782

Function 0000013600016858 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

NJI@, xrefs: 000001360001688F

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID: NJI@
API String ID: 0-1894075864
Opcode ID: b44a22c076ccd1acb9e2f8e5ba2d76a45960d7bbffd51b82d392d0dff46be180
Instruction ID: 26d9bb79f2424811e7dbb7617dc521ef5cd746a453b8abf0f1bdbb71011d9e11
Opcode Fuzzy Hash: b44a22c076ccd1acb9e2f8e5ba2d76a45960d7bbffd51b82d392d0dff46be180
Instruction Fuzzy Hash: 13E13E7051C7D48BD7799B2998963EBBBE0FB89705F00892EE4CBC2291DB349501DB83

Function 0000013600017358 Relevance: 3.4, APIs: 2, Instructions: 392fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 00000136000175FB
MapViewOfFile.KERNELBASE ref: 0000013600017620

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: File$CreateMappingView
String ID:
API String ID: 3452162329-0
Opcode ID: 5fec29907ddb1701cf10de724f589e78f00012b775457189f3dd736ffc916fed
Instruction ID: 604612ac71eb36757a00e117f5f7b62b2539c42c8996bd8b5fd105c6b1e66d0b
Opcode Fuzzy Hash: 5fec29907ddb1701cf10de724f589e78f00012b775457189f3dd736ffc916fed
Instruction Fuzzy Hash: 7EC1A530618A085BDB5DEF68D8867EA77E1FB98304F00862DF44BC3296EF34D6468785

Function 00000136000182F4 Relevance: 3.1, APIs: 2, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000001360001B6B8: RtlAddFunctionTable.KERNEL32 ref: 000001360001B6E5

Part of subcall function 000001360001B6FC: VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000013600018387), ref: 000001360001B794

SetErrorMode.KERNELBASE ref: 00000136000183EC
VirtualProtect.KERNELBASE ref: 000001360001840A

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorFreeFunctionModeProtectTable
String ID:
API String ID: 3431440644-0
Opcode ID: b9fa2546218daecafac8371862f5133473872b13f594cfe74a88cb58fc4cacee
Instruction ID: fd54dcece69e0ad818129cfca971ac602903ec83fce22f1eae873d4fe91bf885
Opcode Fuzzy Hash: b9fa2546218daecafac8371862f5133473872b13f594cfe74a88cb58fc4cacee
Instruction Fuzzy Hash: A8317431218A485BEB4DFB68D992BEA73D5FB94304F408519F44BC7192DF24DB418741

Function 0000013600014148 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE ref: 000001360001417F
GetTokenInformation.KERNELBASE ref: 00000136000141C0

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: f2a1e79b7b26677e822afdf5a4e6683d0756c7f32a7c3fa8149006c40cea31b1
Instruction ID: 078b16543f83f597a80870c3489a31cc5b07f5a484fe2a348a776b5f19b8c55a
Opcode Fuzzy Hash: f2a1e79b7b26677e822afdf5a4e6683d0756c7f32a7c3fa8149006c40cea31b1
Instruction Fuzzy Hash: 1411E9342086499FDB44EF64D8D89AA77E2FB98305F104929E847C3270DB78EE44CB41

Function 00007FF6776010F0 Relevance: 2.7, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF677601143
VirtualFree.KERNELBASE ref: 00007FF6776013AB

Memory Dump Source

Source File: 00000004.00000003.1463450252.00007FF677601000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF677601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_7ff677601000_khle.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: 66503933c6a81fa3ce8fed20de9187456d6a232d4a3c2a8a2ddc5a29489ec886
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 7A91B17162C7818FD7A8CB18C491A2EBBE0FF89308F54096DF589C7291DA35E841DB06

Function 0000013600017B14 Relevance: 1.6, APIs: 1, Instructions: 111processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000013600017C24

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c382783190e2699510103071945f14469c23df6a9e14ed2142866911cb1ccdc2
Instruction ID: d1195fda4a83fb94f5e7f72860ea6448789bf5bb79b4eeac4f2c4dedb02995d3
Opcode Fuzzy Hash: c382783190e2699510103071945f14469c23df6a9e14ed2142866911cb1ccdc2
Instruction Fuzzy Hash: B1318F71508F489FE769EF28D9457DAB7E1FB94309F40492EB14AC3151DB748644CB82

Function 000001360001B808 Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001360001B85F

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fd13a936f88e8be3d3c1b5e1ebd4b6078f4080b08cf0cb1db8c120c48f9afd6e
Instruction ID: c4d3d31f0c97a0b1148e2e9dd3dd9c680897cdd56b7b97ad24366bb499af18d4
Opcode Fuzzy Hash: fd13a936f88e8be3d3c1b5e1ebd4b6078f4080b08cf0cb1db8c120c48f9afd6e
Instruction Fuzzy Hash: 5C014F31624A485BE758EB2894867FA73D6FB98309F508529F48BC3191EF28CB448743

Function 000001360001B6B8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlAddFunctionTable.KERNEL32 ref: 000001360001B6E5

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: FunctionTable
String ID:
API String ID: 1252446317-0
Opcode ID: bc689134c4cfe8144a64a4e0970b0539573de333fb4e1730050f8c92ab09a126
Instruction ID: 7d5fbef96a4c7ae4a40cc68a66749d6849191ff69e76a48d244400d580b218ad
Opcode Fuzzy Hash: bc689134c4cfe8144a64a4e0970b0539573de333fb4e1730050f8c92ab09a126
Instruction Fuzzy Hash: CFE012341108055BEB6CD61DC9193E036D0E76830AF64816DA401C6291CB7DC597CE42

Function 000001360001B6FC Relevance: 1.4, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,0000013600018387), ref: 000001360001B794

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1c01f51b02100d5787d3c740cd9cf9adac7cf30a888cb21a2aefd7a5d9ca2737
Instruction ID: f842e6473a3003695351402f8c01082ea58a7a8565b56d1b3271e4d93564c803
Opcode Fuzzy Hash: 1c01f51b02100d5787d3c740cd9cf9adac7cf30a888cb21a2aefd7a5d9ca2737
Instruction Fuzzy Hash: DB318130214A094FFB8CEF29D595BB673E1FB98345F118169E81AC72A6DB34D941CB80

Function 0000013600013BC8 Relevance: 1.3, APIs: 1, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 0000013600013BF0

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 227dcba3b2cb73bb29811a929ed74bd779d041a6fbe6ede9585de0365d398b59
Instruction ID: 4991128ef17ff1916cc545f2a86aa03470b0502b64b5d34f733a3e45d362e8e0
Opcode Fuzzy Hash: 227dcba3b2cb73bb29811a929ed74bd779d041a6fbe6ede9585de0365d398b59
Instruction Fuzzy Hash: B12153307149099FFBAEE778AE5A3E636D2FB94315F54C269A047C71A9EF348B048740

Non-executed Functions

Function 0000013600015BC0 Relevance: 3.7, Strings: 2, Instructions: 1155COMMON

Download Yara Rule

Strings

,, xrefs: 0000013600015EEC
,, xrefs: 0000013600016448

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: ,$,
API String ID: 1778838933-220654547
Opcode ID: a0299abcad1f0eeb53ce8430316abf2ed11eb634f56fbeef89e460d6d348ee9f
Instruction ID: cdcb0101c115f7e324713bfc95ffb75cc8393dbd2435bab09c98a3bf824215d3
Opcode Fuzzy Hash: a0299abcad1f0eeb53ce8430316abf2ed11eb634f56fbeef89e460d6d348ee9f
Instruction Fuzzy Hash: 7E825030618B089FDB68EF68D9967EA73D1FB98304F10862DE45BC3291DF34DA458B81

Function 00007FF6776018D7 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

+Y0+, xrefs: 00007FF67760199B

Memory Dump Source

Source File: 00000004.00000003.1463450252.00007FF677601000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF677601000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_7ff677601000_khle.jbxd

Similarity

API ID:
String ID: +Y0+
API String ID: 0-1189096879
Opcode ID: 700d9b7284bfbab16c442717931a76e877bd874bda736dc46fcea473d1972563
Instruction ID: d60def2a0a3fbf5a280c73a968297de4ba9d31e3a92f8631fdad9cea96afcb7b
Opcode Fuzzy Hash: 700d9b7284bfbab16c442717931a76e877bd874bda736dc46fcea473d1972563
Instruction Fuzzy Hash: 9531A92682C6C68FDB2B4B3488256F5BFA0EF2732470C16EDC8C49F8A7DE146985C701

Function 0000013600011500 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96607074e16f4868b5be774e877e5912d3aaae97ba57364b39b2a72336f57c8b
Instruction ID: 1d5a0f8ee11ed9c42a3097a83f109f9ce81751c56528365e1c26b1ebb1aa296a
Opcode Fuzzy Hash: 96607074e16f4868b5be774e877e5912d3aaae97ba57364b39b2a72336f57c8b
Instruction Fuzzy Hash: 6B2276301182559AFB2D8E6882A73F13BC2FB5670CF38A25DEBE7871C3D51986078761

Function 0000013600012F00 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction ID: 57d20bca18c3b296189107d189d005b6f48f19fa0287905965b7ba124d79d146
Opcode Fuzzy Hash: f7508843e0d615cd037e1ec8aa7846b8b8c4448116137d463d462d581942205d
Instruction Fuzzy Hash: CB12F62075882457EB1E552C9E9B3F832C2E3C531AF34923DEDC7C15CAE828976785CA

Function 0000013600023E95 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600022000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600022000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600022000_khle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31879db383ebb8d5dde9c040e419a0f231d7ef384da0a7eea47c253b5ee4a878
Instruction ID: 4d09f2aca58a213552c9826e94a82d5eaa412dc98337ac1b0926ba2d10b1e536
Opcode Fuzzy Hash: 31879db383ebb8d5dde9c040e419a0f231d7ef384da0a7eea47c253b5ee4a878
Instruction Fuzzy Hash: 2C629CA284E7C29FD7178B304DBA184BFB0AE2320475D89DFC4C24B4E3E249955AD767

Function 0000013600013CEC Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f99f4912cc1f7b5290a762f61ca7177c15b4b468f00e92ea1a3a253ec1089c
Instruction ID: fe452284d98e2fb04b266395edc07d2088e1d86419b3b0808765214e278f6d99
Opcode Fuzzy Hash: 11f99f4912cc1f7b5290a762f61ca7177c15b4b468f00e92ea1a3a253ec1089c
Instruction Fuzzy Hash: E6919271A6C3444BD35CCE189C861BAB3D5F7C6219F14953DF9CBC3302EA31A9078A86

Function 000001360001870C Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97ef2a92983f2fd7f4c0e136ef4c983bbffc174d00ebbc24951b3730f05a3cb
Instruction ID: b21c19925c60b2bdeefa8d23f5657bc2dca1604ee7fc9b9e5f171bed4e5a4a19
Opcode Fuzzy Hash: a97ef2a92983f2fd7f4c0e136ef4c983bbffc174d00ebbc24951b3730f05a3cb
Instruction Fuzzy Hash: 62A18FB26687448BD35CDE1CDC826A6B3D5FB8A319F14457DE4CBC3242DA34E8478A86

Function 000001360001710C Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0da2dc336cb695c55fe7557c083638bce03003c3af981621f0897e44abfbe7
Instruction ID: 8d99271441005b8ff96b8050caf02fd7120f222b3e8a7ba350183bfe84d104ed
Opcode Fuzzy Hash: ef0da2dc336cb695c55fe7557c083638bce03003c3af981621f0897e44abfbe7
Instruction Fuzzy Hash: 7E612A3111CA885BE72EE72884967EAB7E1FB95308F54866DF48BC31C3DD658606C782

Function 0000013600018A58 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction ID: 7aca2dde44552a52bd6388374588607b7933aae8c8969083c803aaee3a99ef66
Opcode Fuzzy Hash: 442b0520738e8f0b26db511281fac152362a0c0e853cfc2e2b038376264e2d07
Instruction Fuzzy Hash: D841EB30715E494FEB4DDB2C49C56D477D1EB9A314B4482AAEC46CB287C914DA85C3D1

Function 0000013600019FFC Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.1465848474.0000013600011000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013600011000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_13600011000_khle.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7480ddab4bcce6f18969b185a19d6807d5f220cd067d20dfcfaf6ebbcfae67
Instruction ID: 5614a7c1ae6cfffd3b9c7c421c8417cab0e8447c42c43a95b40057e6eb09e125
Opcode Fuzzy Hash: 6b7480ddab4bcce6f18969b185a19d6807d5f220cd067d20dfcfaf6ebbcfae67
Instruction Fuzzy Hash: 70416A1521DAC59EC70ACF6C4490095FFB0EBAA204B0C92DEE8D9DB747C504EA5AC7B6

Analysis Process: OpenWith.exePID: 3740, Parent PID: 5356COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.9%
Total number of Nodes:	213
Total number of Limit Nodes:	7

Executed Functions

Function 0000012713ADB374 Relevance: 3.1, APIs: 2, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,0000012713ADB495), ref: 0000012713ADB3A1

Part of subcall function 0000012713ADAF84: ioctlsocket.WS2_32 ref: 0000012713ADAFB0

bind.WS2_32(?,?,?,?,?,?,?,?,0000006B,0000006A,-00000002,0000012713ADB495), ref: 0000012713ADB426

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: bindioctlsocketsocket
String ID:
API String ID: 3555158474-0
Opcode ID: 7bf22dbbf28290d007348e7a12ca3bc168bbabb4c51e94198c4e520b8ad4573a
Instruction ID: 62c27833029a7e5d4b37fb9415359a41a95702b3896e7733ef832d6508cffd2d
Opcode Fuzzy Hash: 7bf22dbbf28290d007348e7a12ca3bc168bbabb4c51e94198c4e520b8ad4573a
Instruction Fuzzy Hash: 3921B5307089044FEB58EF78A8883E673D1EF59326F204669F82BC76D1EB34CC659656

Function 0000012713ADB80C Relevance: 1.7, APIs: 1, Instructions: 167
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSARecv.WS2_32 ref: 0000012713ADB8AB

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 932363085a07e36dce123b02b0fe941d250780e13aa2ee6933dafb70be2f9976
Instruction ID: df36e0e0b282d5a79a323c1689554304dffb82fefcbf6cc11b89a91fc70d7f5c
Opcode Fuzzy Hash: 932363085a07e36dce123b02b0fe941d250780e13aa2ee6933dafb70be2f9976
Instruction Fuzzy Hash: 30515A70208A898FEBA4EF2DC8887D6B7E0FF58314F50065AE44AC31E1DB35E964CB45

Function 00000127117F04E0 Relevance: 10.8, APIs: 7, Instructions: 252memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000127117F054E

Part of subcall function 00000127117F00FC: VirtualAlloc.KERNELBASE ref: 00000127117F014F
Part of subcall function 00000127117F00FC: VirtualFree.KERNELBASE ref: 00000127117F03B7

VirtualAlloc.KERNELBASE ref: 00000127117F05AD
VirtualProtect.KERNELBASE ref: 00000127117F0626
VirtualFree.KERNELBASE ref: 00000127117F064D
MapViewOfFile.KERNELBASE ref: 00000127117F0686
VirtualAlloc.KERNELBASE ref: 00000127117F06B4
CloseHandle.KERNELBASE ref: 00000127117F06E1

Memory Dump Source

Source File: 00000005.00000003.1466177482.00000127117F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000127117F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_127117f0000_OpenWith.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID:
API String ID: 3867569247-0
Opcode ID: ff9d2ba7a0c9f70c7bdc5bf2a784896198b97f8e626e79ac36cfea1478692e2c
Instruction ID: acb75cf700bac454076426a24309e50dd8bd48161093f3c9d986994582648de2
Opcode Fuzzy Hash: ff9d2ba7a0c9f70c7bdc5bf2a784896198b97f8e626e79ac36cfea1478692e2c
Instruction Fuzzy Hash: D071643160CB0A5BD759EB28E4457ABB3D1FF98310F50466EE49AC7381DA30E86287C2

Function 0000012713AD4464 Relevance: 6.1, APIs: 4, Instructions: 138
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 0000012713AD44C8
RegQueryValueExW.KERNELBASE ref: 0000012713AD4503
RegCloseKey.KERNELBASE ref: 0000012713AD4529
GetVolumeInformationW.KERNELBASE ref: 0000012713AD458D

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: CloseInformationOpenQueryValueVolume
String ID:
API String ID: 4069062851-0
Opcode ID: b8ed43a9571b0f7ebccdd3b637c35a9fe59a110f66f9ab18e4e522b35e9dadd7
Instruction ID: bbe58b65412095fab821f1072a9f2d9cd72aa1dd4b3f489b790c1b60eab0d20c
Opcode Fuzzy Hash: b8ed43a9571b0f7ebccdd3b637c35a9fe59a110f66f9ab18e4e522b35e9dadd7
Instruction Fuzzy Hash: 8C41293121CB488BE765EF64D495BDBB7E5FB98300F404A2EA08AC31D0EF75D9158B86

Function 0000012713ADA940 Relevance: 6.1, APIs: 4, Instructions: 130
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0000012713ADA949
socket.WS2_32 ref: 0000012713ADDD03
getsockopt.WS2_32 ref: 0000012713ADDD37
socket.WS2_32 ref: 0000012713ADDD6C

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: socket$ErrorModegetsockopt
String ID:
API String ID: 552242919-0
Opcode ID: ee64cecfa65e257842176328bb5ab6283e8bc2b376064c12f5c8ade0442f0951
Instruction ID: 1aaa6e15c3fdcc32b393c71cbdf251c6bfa9ef421701a4b6af478268ec034042
Opcode Fuzzy Hash: ee64cecfa65e257842176328bb5ab6283e8bc2b376064c12f5c8ade0442f0951
Instruction Fuzzy Hash: 74415370618B498FE758EF28D89869A77E1FB99300F50862DE097C32E1DF38C655CB45

Function 0000012713ADAF84 Relevance: 4.6, APIs: 3, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ioctlsocket.WS2_32 ref: 0000012713ADAFB0
CreateIoCompletionPort.KERNELBASE ref: 0000012713ADAFE6
SetFileCompletionNotificationModes.KERNEL32 ref: 0000012713ADB02C

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: Completion$CreateFileModesNotificationPortioctlsocket
String ID:
API String ID: 1455841399-0
Opcode ID: 65ed2c9e0bfc7037adb16992d663b78e44cbe33570810552ad04d6a2963fe0a5
Instruction ID: 975975ffc9485ba0382407df5b88d2c00d86b556e3dbe7fa0199dfcf3e290452
Opcode Fuzzy Hash: 65ed2c9e0bfc7037adb16992d663b78e44cbe33570810552ad04d6a2963fe0a5
Instruction Fuzzy Hash: 3731743030C5188FFBA89B28A8993B632D5FF58315F600169F857C21D6DF25CC718799

Function 0000012713ADC770 Relevance: 3.1, APIs: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

shutdown.WS2_32(?,?,?,?,00000001,?,?,0000012713AD9FFE), ref: 0000012713ADC79C
closesocket.WS2_32(?,?,?,?,00000001,?,?,0000012713AD9FFE), ref: 0000012713ADC885

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: closesocketshutdown
String ID:
API String ID: 572888783-0
Opcode ID: 10782efffb6bb4c42faa2620b59e14120107728f6cfe316cb657f0d951cab143
Instruction ID: 6918fbc87b55fc75df916544e239c528f1d43a2d181e9f9ff559b25c7b0d7c98
Opcode Fuzzy Hash: 10782efffb6bb4c42faa2620b59e14120107728f6cfe316cb657f0d951cab143
Instruction Fuzzy Hash: 74518B705186058FEF98CF28C4C4BEA77A5FF15364F901299EC6ACA1C6D724C8B1CB88

Function 00000127117F00FC Relevance: 2.7, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000127117F014F
VirtualFree.KERNELBASE ref: 00000127117F03B7

Memory Dump Source

Source File: 00000005.00000003.1466177482.00000127117F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000127117F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_127117f0000_OpenWith.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction ID: f31e744fc78fca315b4404b3d24fbebea7fb4bb37fad509847bf4fcb655242e5
Opcode Fuzzy Hash: abb3666d5f0e7e3691c5e241d5b349d303e7c196ced747a2022f8ae30c0d6593
Instruction Fuzzy Hash: 9A918A7421C7828FE7A1CB18C481B6BBBE1FF8A308F54096DF599CA391D635D8619B06

Function 0000012713ADF1EC Relevance: 2.6, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT(?,?,?,?,?,?,?,0000012713AD58B9,?,?,?,?,?,?,?,0000012713AD595B), ref: 0000012713ADF23D
free.MSVCRT(?,?,?,?,?,?,?,0000012713AD58B9), ref: 0000012713ADF280

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ed78e059cc3bfed3b258e1737c439938a1c021539ed4627a6dbabb7bd182a94a
Instruction ID: 687e0169613dced4a812ca4e63bc6a105ccfb509beb903feca129fb5b4e1a1c0
Opcode Fuzzy Hash: ed78e059cc3bfed3b258e1737c439938a1c021539ed4627a6dbabb7bd182a94a
Instruction Fuzzy Hash: 1E3101342189058FEF8CEF69D8A87EA33A5FF58301F444078681ACA6DBCE25DC65C714

Function 0000012713ADBE14 Relevance: 1.7, APIs: 1, Instructions: 227
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32 ref: 0000012713ADBECB

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: afd922a78396e696f6d15eef1fd042df83d9ab22cc0fc1654582db5b6017f80d
Instruction ID: c4833fccb884b7614e7d3d6eae78dcd5ccae9475d604ea27230edbcf7b3254e5
Opcode Fuzzy Hash: afd922a78396e696f6d15eef1fd042df83d9ab22cc0fc1654582db5b6017f80d
Instruction Fuzzy Hash: 9581AF70608B099FEB98DF28C488BA6B7E0FF58314F50426DE45ACB6D1DB31D864CB85

Function 0000012713AD42B8 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0000012713AD4353

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: a500b73e25499eaa65d5b84535ebddc4b37412dbff4cd7b7c791b878b57fc104
Instruction ID: ab2b9f28aa3f20f0e44b490196b9d88996a5a10cf7320c70ce0b327764661195
Opcode Fuzzy Hash: a500b73e25499eaa65d5b84535ebddc4b37412dbff4cd7b7c791b878b57fc104
Instruction Fuzzy Hash: 2E419F302189488FDB68EF2CD8856EAB7E1FF98310F90825AF44BC75D5DA30D9A5C785

Function 0000012713ADC5BC Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 0000012713ADC630

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 6ee79d1b67084b77555383ea072f899fd601fabc88a06dee2947375c0305650d
Instruction ID: 1eb51406563832a1dd8724132486887b5b389cad9b95078af93a26af57816f5c
Opcode Fuzzy Hash: 6ee79d1b67084b77555383ea072f899fd601fabc88a06dee2947375c0305650d
Instruction Fuzzy Hash: 90313070608A058FEF98DF18C4C87A577E1FF54325F6452A9E86ACB2D6DB34C8A1CB44

Function 0000012713AD42FC Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0000012713AD4353

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: cd81e3bf29ab49c02dca13648c0c9cc34c5d817db0fb04804eda45a9c7d0a72f
Instruction ID: 8d10d84779b3122ab1f5ef88edb51f1c3868e158d8447e7fb25e3c67cf3340cf
Opcode Fuzzy Hash: cd81e3bf29ab49c02dca13648c0c9cc34c5d817db0fb04804eda45a9c7d0a72f
Instruction Fuzzy Hash: C221D43021854D8FDF64EF18D8856EAB7E2FFD8310F948229E40ACB5C6DA30C965CB85

Function 0000012713AD46D4 Relevance: 1.4, APIs: 1, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 0000012713AD46F9

Memory Dump Source

Source File: 00000005.00000002.2648839132.0000012713AD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000012713AD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_12713ad1000_OpenWith.jbxd

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: ca35b799a0cda78a6bb107b16f267c82c44f6607980c7d41b11517072355ea04
Instruction ID: fabf86fd52546bbd9c4ad098c12545f9b6c54894e519784fb2f6f4b5dd568cc2
Opcode Fuzzy Hash: ca35b799a0cda78a6bb107b16f267c82c44f6607980c7d41b11517072355ea04
Instruction Fuzzy Hash: D2514D30608A499FE798EF68D4557EAB7E1FF98300F40062EA05EC36D1DF34E9658B85

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HeggBkMoYE.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\khle.exe (copy)

C:\Users\Public\Documents\khle.mp3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqkrmem2.y4p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyzoqgey.22c.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\40MUW6ODZIQMP2BN74LI.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
HeggBkMoYE.ps1