Edit tour

Windows Analysis Report
LH27WS7BVJ.exe

Overview

General Information

Sample name:	LH27WS7BVJ.exe renamed because original name is a hash value
Original sample name:	367c8f95ea1174ed018dcb362bd5e61d.exe
Analysis ID:	1447093
MD5:	367c8f95ea1174ed018dcb362bd5e61d
SHA1:	d8228f30aff54f959bc5f6b172d4c2c97875f5b7
SHA256:	778df7488b659a15b38e07eb9ce521f48df15258eed4512b762adcf2173402f8
Tags:	32exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LH27WS7BVJ.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\LH27WS7BVJ.exe" MD5: 367C8F95EA1174ED018DCB362BD5E61D)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

wtftrbr (PID: 2004 cmdline: C:\Users\user\AppData\Roaming\wtftrbr MD5: 367C8F95EA1174ED018DCB362BD5E61D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["https://airwide-land.com/calcroom.php", "https://summerwaterhall.com/calcroom.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7183:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6bdb:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wtftrbr, CommandLine: C:\Users\user\AppData\Roaming\wtftrbr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wtftrbr, NewProcessName: C:\Users\user\AppData\Roaming\wtftrbr, OriginalFileName: C:\Users\user\AppData\Roaming\wtftrbr, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wtftrbr, ProcessId: 2004, ProcessName: wtftrbr

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LH27WS7BVJ.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://summerwaterhall.com/calcroom.php	Avira URL Cloud: Label: malware
Source: https://airwide-land.com/calcroom.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\wtftrbr

Avira: detection malicious, Label: HEUR/AGEN.1311176

Found malware configuration

Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://airwide-land.com/calcroom.php", "https://summerwaterhall.com/calcroom.php"]}

Multi AV Scanner detection for domain / URL

Source: summerwaterhall.com	Virustotal: Detection: 15%			Perma Link
Source: airwide-land.com	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wtftrbr	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\wtftrbr	Virustotal: Detection: 42%			Perma Link

Multi AV Scanner detection for submitted file

Source: LH27WS7BVJ.exe	ReversingLabs: Detection: 34%
Source: LH27WS7BVJ.exe	Virustotal: Detection: 42%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wtftrbr

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LH27WS7BVJ.exe

Joe Sandbox ML: detected

Source: LH27WS7BVJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.203.30 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 146.70.41.146 443			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://airwide-land.com/calcroom.php
Source: Malware configuration extractor	URLs: https://summerwaterhall.com/calcroom.php

Source: Joe Sandbox View	ASN Name: TENET-1ZA TENET-1ZA
Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: airwide-land.com
Source: global traffic	DNS traffic detected: DNS query: summerwaterhall.com

Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1681678254.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683344877.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1682067799.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1684715130.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1684715130.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680269665.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1684715130.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015A5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015A5
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00402446 NtQueryInformationProcess,	0_2_00402446
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00402464 NtQuerySystemInformation,	0_2_00402464
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00402421 NtQuerySystemInformation,	0_2_00402421
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015CD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015CD
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015D1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015D1
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015D4
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015BB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015BB
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004015BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015BF

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

Code function: 0_2_00402141

0_2_00402141

Source: LH27WS7BVJ.exe, 00000000.00000000.1624078836.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs LH27WS7BVJ.exe
Source: LH27WS7BVJ.exe	Binary or memory string: OriginalFilenamesFilezera2 vs LH27WS7BVJ.exe

Source: LH27WS7BVJ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@2/2

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

Code function: 0_2_02E621B1 CreateToolhelp32Snapshot,Module32First,

0_2_02E621B1

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wtftrbr

Jump to behavior

Source: LH27WS7BVJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LH27WS7BVJ.exe	ReversingLabs: Detection: 34%
Source: LH27WS7BVJ.exe	Virustotal: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\LH27WS7BVJ.exe "C:\Users\user\Desktop\LH27WS7BVJ.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wtftrbr C:\Users\user\AppData\Roaming\wtftrbr

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: LH27WS7BVJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Unpacked PE file: 0.2.LH27WS7BVJ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wtftrbr	Unpacked PE file: 3.2.wtftrbr.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_0040284F push eax; ret	0_2_00402883
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00403353 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_0040330C push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00403313 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00403320 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_0040322D push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00403338 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_004032C3 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_00403388 push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_0040328F push eax; ret	0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E22FA5 push esp; iretd	0_2_02E22FC0
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E228B6 push eax; ret	0_2_02E228EA
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E22F9D push esp; ret	0_2_02E22FA4
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E23000 push esp; iretd	0_2_02E22FC0
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E697CA pushfd ; retf	0_2_02E697CB
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E64AC8 push eax; ret	0_2_02E64AE9
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E64132 push eax; ret	0_2_02E64166
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E6381F push ebp; ret	0_2_02E63829
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E6471B pushad ; iretd	0_2_02E6472F
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE3B8A push eax; ret	3_2_02CE3BBE
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE3277 push ebp; ret	3_2_02CE3281
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE4173 pushad ; iretd	3_2_02CE4187
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE9222 pushfd ; retf	3_2_02CE9223
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE4520 push eax; ret	3_2_02CE4541
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C2F9D push esp; ret	3_2_048C2FA4
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C2FA5 push esp; iretd	3_2_048C2FC0
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C28B6 push eax; ret	3_2_048C28EA
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C3000 push esp; iretd	3_2_048C2FC0

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wtftrbr

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wtftrbr

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\lh27ws7bvj.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wtftrbr:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LH27WS7BVJ.exe, 00000000.00000002.1694316140.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 409	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1183	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 808	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 372	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 389	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3712	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 871	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6264	Thread sleep count: 409 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6232	Thread sleep count: 1183 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6232	Thread sleep time: -118300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep count: 808 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep time: -80800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1508	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5900	Thread sleep count: 372 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5900	Thread sleep time: -37200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1740	Thread sleep count: 389 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1740	Thread sleep time: -38900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6232	Thread sleep count: 3712 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6232	Thread sleep time: -371200s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1680935365.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1680935365.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1682612462.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E20D90 mov eax, dword ptr fs:[00000030h]	0_2_02E20D90
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E2092B mov eax, dword ptr fs:[00000030h]	0_2_02E2092B
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Code function: 0_2_02E61A8E push dword ptr fs:[00000030h]	0_2_02E61A8E
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_02CE14E6 push dword ptr fs:[00000030h]	3_2_02CE14E6
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C0D90 mov eax, dword ptr fs:[00000030h]	3_2_048C0D90
Source: C:\Users\user\AppData\Roaming\wtftrbr	Code function: 3_2_048C092B mov eax, dword ptr fs:[00000030h]	3_2_048C092B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: wtftrbr.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 23.227.203.30 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 146.70.41.146 443			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Thread created: C:\Windows\explorer.exe EIP: 3401970			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Thread created: unknown EIP: 3421970			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wtftrbr	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1680806640.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	411 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LH27WS7BVJ.exe	34%	ReversingLabs
LH27WS7BVJ.exe	42%	Virustotal		Browse
LH27WS7BVJ.exe	100%	Avira	HEUR/AGEN.1311176
LH27WS7BVJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wtftrbr	100%	Avira	HEUR/AGEN.1311176
C:\Users\user\AppData\Roaming\wtftrbr	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wtftrbr	34%	ReversingLabs
C:\Users\user\AppData\Roaming\wtftrbr	42%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
summerwaterhall.com	16%	Virustotal		Browse
airwide-land.com	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://aka.ms/odirmr	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	0%	URL Reputation	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	URL Reputation	safe
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	0%	URL Reputation	safe
https://api.msn.com/q	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	0%	URL Reputation	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	0%	URL Reputation	safe
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://wns.windows.com/L	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	URL Reputation	safe
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	0%	URL Reputation	safe
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?&	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	URL Reputation	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	0%	URL Reputation	safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	URL Reputation	safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	0%	URL Reputation	safe
https://outlook.com_	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.msn.com:443/en-us/feed	0%	URL Reputation	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	URL Reputation	safe
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	0%	URL Reputation	safe
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	0%	URL Reputation	safe
https://summerwaterhall.com/calcroom.php	100%	Avira URL Cloud	malware
https://airwide-land.com/calcroom.php	100%	Avira URL Cloud	malware
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://summerwaterhall.com/calcroom.php	4%	Virustotal		Browse
https://airwide-land.com/calcroom.php	4%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
summerwaterhall.com	146.70.41.146	true	true	16%, Virustotal, Browse	unknown
airwide-land.com	23.227.203.30	true	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://summerwaterhall.com/calcroom.php	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://airwide-land.com/calcroom.php	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1681678254.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683344877.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1682067799.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1684715130.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1684715130.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1684715130.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.70.41.146	summerwaterhall.com	United Kingdom		2018	TENET-1ZA	true
23.227.203.30	airwide-land.com	United States		29802	HVC-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447093
Start date and time:	2024-05-24 11:22:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LH27WS7BVJ.exe renamed because original name is a hash value
Original Sample Name:	367c8f95ea1174ed018dcb362bd5e61d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:23:21	API Interceptor	442922x Sleep call for process: explorer.exe modified
10:23:21	Task Scheduler	Run new task: Firefox Default Browser Agent 2D5C42E0D0495C8A path: C:\Users\user\AppData\Roaming\wtftrbr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
146.70.41.146	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse
146.70.41.146	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse
23.227.203.30	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse
	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse
	5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe	Get hash	malicious	SmokeLoader	Browse
	eQZQYR38eg.exe	Get hash	malicious	SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
airwide-land.com	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	eQZQYR38eg.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
summerwaterhall.com	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse	146.70.41.146
summerwaterhall.com	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse	146.70.41.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HVC-ASUS	doc-r25-210341853.vbs	Get hash	malicious	GuLoader, Remcos	Browse	45.74.19.43
	RFQ#120-C-Link-EE-PRODUCTION-V1110FIL001-G03230-1005-INQ.com.exe	Get hash	malicious	GuLoader	Browse	23.227.202.187
	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	http://marketplace.marcelasejas.com/	Get hash	malicious	Unknown	Browse	69.46.6.202
	51 Electronic Invoicing .pdf.exe	Get hash	malicious	AgentTesla	Browse	66.232.107.36
	5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	eQZQYR38eg.exe	Get hash	malicious	SmokeLoader	Browse	23.227.203.30
	S6hCRsyPaN.elf	Get hash	malicious	Mirai	Browse	107.155.88.187
	fKfXkNYfLY.elf	Get hash	malicious	Mirai	Browse	107.155.88.148
TENET-1ZA	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	146.70.56.165
	SecuriteInfo.com.Win64.PWSX-gen.29347.28297.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	146.70.56.165
	http://alladvcdn.com	Get hash	malicious	Unknown	Browse	146.70.118.226
	I4xf8XRF2Y.exe	Get hash	malicious	SmokeLoader	Browse	146.70.41.146
	ym9ms0ZhCr.exe	Get hash	malicious	SmokeLoader	Browse	146.70.41.146
	qwmLv2FcgD.elf	Get hash	malicious	Unknown	Browse	155.238.0.64
	dn7MMSZM9O.elf	Get hash	malicious	Unknown	Browse	152.112.206.126
	e2V8h6PN2L.elf	Get hash	malicious	Unknown	Browse	163.200.166.95
	h1lOPck8Jr.elf	Get hash	malicious	Mirai	Browse	152.116.148.50
	zsIELy6nuP.elf	Get hash	malicious	Mirai	Browse	168.172.107.8

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	224768
Entropy (8bit):	6.958402674103171
Encrypted:	false
SSDEEP:	3072:luzCfm7An+c1jkFgRRdrcv+eEl+XkaatVPTAbxSHsSBPn5Rv94uy:BfmcnNj6gRLry4rSIN5R
MD5:	367C8F95EA1174ED018DCB362BD5E61D
SHA1:	D8228F30AFF54F959BC5F6B172D4C2C97875F5B7
SHA-256:	778DF7488B659A15B38E07EB9CE521F48DF15258EED4512B762ADCF2173402F8
SHA-512:	A903C19A0C68F4DAF00A63CC90F13841D9199E0B774C9DC70D9239D4F3608359BDFB1F4AC4517CB36D2F3605A337804FC049EC2A193A034A411B85465C9CA7C3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 42%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...............................................N.............N......Rich............................PE..L.....Md.....................T.......>............@..........................`...............................................i..P...................................i..............................@_..@...............d............................text.../........................... ..`.rdata...q.......r..................@..@.data....7.......\|...\..............@....rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wtftrbr:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.958402674103171
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LH27WS7BVJ.exe
File size:	224'768 bytes
MD5:	367c8f95ea1174ed018dcb362bd5e61d
SHA1:	d8228f30aff54f959bc5f6b172d4c2c97875f5b7
SHA256:	778df7488b659a15b38e07eb9ce521f48df15258eed4512b762adcf2173402f8
SHA512:	a903c19a0c68f4daf00a63cc90f13841d9199e0b774c9dc70d9239d4f3608359bdfb1f4ac4517cb36d2f3605a337804fc049ec2a193a034a411b85465c9ca7c3
SSDEEP:	3072:luzCfm7An+c1jkFgRRdrcv+eEl+XkaatVPTAbxSHsSBPn5Rv94uy:BfmcnNj6gRLry4rSIN5R
TLSH:	6224AF4176D3CCB5F9A3C63248349AB05B3EFCA2CE65899B3348374F28751835A66772
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n.....................................................N...............N.......Rich............................PE..L.....Md...

File Icon


Icon Hash:	754541095342404b

Static PE Info

General

Entrypoint:	0x403e87
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x644DE691 [Sun Apr 30 03:54:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	33f81c7ff4ccf89214031bfba22b6609

Entrypoint Preview

Instruction
call 00007F82ECF935CBh
jmp 00007F82ECF8E054h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411258h
mov byte ptr [esi+08h], 00000000h
push dword ptr [eax]
call 00007F82ECF8E27Dh
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [ecx], 00411258h
mov eax, dword ptr [eax]
mov dword ptr [ecx+04h], eax
mov eax, ecx
mov byte ptr [ecx+08h], 00000000h
pop ebp
retn 0008h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00411258h
mov byte ptr [esi+08h], 00000000h
call 00007F82ECF8E1E7h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00411258h
jmp 00007F82ECF8E26Bh
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov esi, ecx
cmp esi, edi
je 00007F82ECF8E1EFh
call 00007F82ECF8E258h
cmp byte ptr [edi+08h], 00000000h
je 00007F82ECF8E1DEh
push dword ptr [edi+04h]
mov ecx, esi
call 00007F82ECF8E20Ah
jmp 00007F82ECF8E1D8h
mov eax, dword ptr [edi+04h]
mov dword ptr [esi+04h], eax
pop edi
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00411258h
call 00007F82ECF8E227h
test byte ptr [ebp+08h], 00000001h
je 00007F82ECF8E1D9h
push esi
call 00007F82ECF8C563h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1699c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x288c000	0x94f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x169ec	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x15f40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe52f	0xe600	33e433034c8651ad9509a244c1f41176	False	0.6064877717391305	data	6.742836347368745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x71a0	0x7200	583fa24f9b3b372fc554a39d40b7805d	False	0.3847313596491228	data	4.873553410459634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x2873700	0x17c00	77f55324c5b5820fbd2335e52a0bdc4a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x288c000	0x94f0	0x9600	3707dfcb8a84c8e868f1857e2f36f856	False	0.4317708333333333	data	4.769251172338811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x2892390	0x2	data			5.0
RT_CURSOR	0x2892398	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x28926c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x2892820	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x28936c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x2893f70	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_ICON	0x288c4f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Japanese	Japan	0.43576759061833686
RT_ICON	0x288d398	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Japanese	Japan	0.5505415162454874
RT_ICON	0x288dc40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Japanese	Japan	0.5887096774193549
RT_ICON	0x288e308	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Japanese	Japan	0.6040462427745664
RT_ICON	0x288e870	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Japanese	Japan	0.4450207468879668
RT_ICON	0x2890e18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Japanese	Japan	0.49577861163227016
RT_ICON	0x2891ec0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Japanese	Japan	0.5221631205673759
RT_DIALOG	0x2894798	0x5a	data			0.8666666666666667
RT_STRING	0x28947f8	0x3dc	data	Japanese	Japan	0.4676113360323887
RT_STRING	0x2894bd8	0x686	data	Japanese	Japan	0.4347305389221557
RT_STRING	0x2895260	0x28a	data	Japanese	Japan	0.4846153846153846
RT_GROUP_CURSOR	0x28927f8	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x28944d8	0x30	data			0.9375
RT_GROUP_ICON	0x2892328	0x68	data	Japanese	Japan	0.6826923076923077
RT_VERSION	0x2894508	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.5138036809815951

Imports

DLL	Import
KERNEL32.dll	VirtualProtect, GetLastError, SetLastError, GetThreadContext, GetCommTimeouts, GetTickCount, CreateEventW, LoadLibraryA, LoadLibraryExA, GetModuleFileNameA, GetSystemDirectoryW, RemoveDirectoryA, GlobalAlloc, CopyFileExW, GetVolumeInformationW, IsBadStringPtrW, BuildCommDCBW, SetComputerNameExW, GetLocaleInfoW, GetNumberFormatW, WriteConsoleA, WriteConsoleW, AddConsoleAliasW, GetStringTypeW, OutputDebugStringW, SetFilePointerEx, SetFileAttributesW, GetProcAddress, EncodePointer, DecodePointer, IsProcessorFeaturePresent, RaiseException, RtlUnwind, GetCommandLineW, HeapAlloc, HeapFree, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, CloseHandle, ReadFile, GetConsoleMode, ReadConsoleW, GetCurrentThreadId, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LCMapStringW, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, SetStdHandle, FlushFileBuffers, GetConsoleCP, CreateFileW
USER32.dll	GetSysColorBrush, DdeFreeStringHandle
GDI32.dll	GetCharWidthA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:23:21.245887995 CEST	49736	443	192.168.2.4	23.227.203.30
May 24, 2024 11:23:21.245920897 CEST	443	49736	23.227.203.30	192.168.2.4
May 24, 2024 11:23:21.245990992 CEST	49736	443	192.168.2.4	23.227.203.30
May 24, 2024 11:23:21.246306896 CEST	49736	443	192.168.2.4	23.227.203.30
May 24, 2024 11:23:21.246315956 CEST	443	49736	23.227.203.30	192.168.2.4
May 24, 2024 11:23:49.701447964 CEST	49736	443	192.168.2.4	23.227.203.30
May 24, 2024 11:23:50.188666105 CEST	49737	443	192.168.2.4	146.70.41.146
May 24, 2024 11:23:50.188724041 CEST	443	49737	146.70.41.146	192.168.2.4
May 24, 2024 11:23:50.188790083 CEST	49737	443	192.168.2.4	146.70.41.146
May 24, 2024 11:23:50.189070940 CEST	49737	443	192.168.2.4	146.70.41.146
May 24, 2024 11:23:50.189078093 CEST	443	49737	146.70.41.146	192.168.2.4
May 24, 2024 11:23:54.693851948 CEST	49737	443	192.168.2.4	146.70.41.146
May 24, 2024 11:25:04.952814102 CEST	49739	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:04.952861071 CEST	443	49739	23.227.203.30	192.168.2.4
May 24, 2024 11:25:04.952938080 CEST	49739	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:04.953557968 CEST	49739	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:04.953573942 CEST	443	49739	23.227.203.30	192.168.2.4
May 24, 2024 11:25:47.840656996 CEST	443	49739	23.227.203.30	192.168.2.4
May 24, 2024 11:25:47.840851068 CEST	49739	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:47.841240883 CEST	49739	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:47.841275930 CEST	443	49739	23.227.203.30	192.168.2.4
May 24, 2024 11:25:47.841444016 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:47.841530085 CEST	443	49740	23.227.203.30	192.168.2.4
May 24, 2024 11:25:47.841614962 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:47.842005968 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:25:47.842044115 CEST	443	49740	23.227.203.30	192.168.2.4
May 24, 2024 11:26:30.765202045 CEST	443	49740	23.227.203.30	192.168.2.4
May 24, 2024 11:26:30.765571117 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.765571117 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.766427040 CEST	49741	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.766514063 CEST	443	49741	23.227.203.30	192.168.2.4
May 24, 2024 11:26:30.766618967 CEST	49741	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.768019915 CEST	49741	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.768086910 CEST	443	49741	23.227.203.30	192.168.2.4
May 24, 2024 11:26:30.768165112 CEST	49741	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:30.781303883 CEST	49742	443	192.168.2.4	146.70.41.146
May 24, 2024 11:26:30.781341076 CEST	443	49742	146.70.41.146	192.168.2.4
May 24, 2024 11:26:30.781435013 CEST	49742	443	192.168.2.4	146.70.41.146
May 24, 2024 11:26:30.781743050 CEST	49742	443	192.168.2.4	146.70.41.146
May 24, 2024 11:26:30.781755924 CEST	443	49742	146.70.41.146	192.168.2.4
May 24, 2024 11:26:31.070147038 CEST	49740	443	192.168.2.4	23.227.203.30
May 24, 2024 11:26:31.070211887 CEST	443	49740	23.227.203.30	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:23:21.178940058 CEST	49551	53	192.168.2.4	1.1.1.1
May 24, 2024 11:23:21.245054960 CEST	53	49551	1.1.1.1	192.168.2.4
May 24, 2024 11:23:49.935079098 CEST	50707	53	192.168.2.4	1.1.1.1
May 24, 2024 11:23:50.052978992 CEST	53	50707	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 11:23:21.178940058 CEST	192.168.2.4	1.1.1.1	0x6512	Standard query (0)	airwide-land.com	A (IP address)	IN (0x0001)	false
May 24, 2024 11:23:49.935079098 CEST	192.168.2.4	1.1.1.1	0x306d	Standard query (0)	summerwaterhall.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 11:23:21.245054960 CEST	1.1.1.1	192.168.2.4	0x6512	No error (0)	airwide-land.com		23.227.203.30	A (IP address)	IN (0x0001)	false
May 24, 2024 11:23:50.052978992 CEST	1.1.1.1	192.168.2.4	0x306d	No error (0)	summerwaterhall.com		146.70.41.146	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:22:55
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\LH27WS7BVJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LH27WS7BVJ.exe"
Imagebase:	0x400000
File size:	224'768 bytes
MD5 hash:	367C8F95EA1174ED018DCB362BD5E61D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:23:01
Start date:	24/05/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:23:21
Start date:	24/05/2024
Path:	C:\Users\user\AppData\Roaming\wtftrbr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wtftrbr
Imagebase:	0x400000
File size:	224'768 bytes
MD5 hash:	367C8F95EA1174ED018DCB362BD5E61D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs Detection: 42%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	53.3%
Signature Coverage:	40%
Total number of Nodes:	90
Total number of Limit Nodes:	3

Executed Functions

Function 004015A5 Relevance: 10.7, APIs: 7, Instructions: 200
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6e5378c6e07f8f1cfc11ef4e8baac81da528770591f7bb82d03212312d780794
Instruction ID: 41bad0b44a30b648fd10ec653759f3e2d4f26d0064c4360c6bd1617af4920333
Opcode Fuzzy Hash: 6e5378c6e07f8f1cfc11ef4e8baac81da528770591f7bb82d03212312d780794
Instruction Fuzzy Hash: 99614EB4A04205FBEB209F91CC48FAF7BB8EF85750F10012AF912BA2E5D6749901DB65

Function 004015BB Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 712a80f5aae2f7d8a46131d98638aea49a70ef3eb832348ca5647a83a678c73c
Instruction ID: fb9b55fee49d42ff48ca3b7d0c17e272d11f9292fbe7058d838162974b4c5ad2
Opcode Fuzzy Hash: 712a80f5aae2f7d8a46131d98638aea49a70ef3eb832348ca5647a83a678c73c
Instruction Fuzzy Hash: 1951F9B5900245BFEB208F91CC48FEFBBB8EF85750F14016AF912BA2E5D6749941CB24

Function 004015CD Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2194d91dc2ac066401799d55ae4b1dd12daa1b3840c623e6e516d835a0887258
Instruction ID: 42c8c2fc3c6054e0d1c1d833daf51e3b22f51847d611e1bc0fff35a5321be168
Opcode Fuzzy Hash: 2194d91dc2ac066401799d55ae4b1dd12daa1b3840c623e6e516d835a0887258
Instruction Fuzzy Hash: 6251F9B5900245BBEB208F91CC48FEFBBB8FF85750F140169F911BA2E5D6749941CB24

Function 004015BF Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 49cbe3f764e7595b40ecd91b6a7c17dc4f7c8351402c6df9df78a0938f6c63f8
Instruction ID: bfc0d8d868b6e02101869f07f4f74d86685854826d872acaeea2d8960c9d924e
Opcode Fuzzy Hash: 49cbe3f764e7595b40ecd91b6a7c17dc4f7c8351402c6df9df78a0938f6c63f8
Instruction Fuzzy Hash: 9351F9B5900249BBEB208F91CC48FEFBBB8EF85B50F140169F911BA2A5D6749941CB64

Function 004015D1 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9d300ef8bd84aee41b4e0b1ff288b8da3af8c63dbcddcc92868984b9c9f960c5
Instruction ID: f30c3e3a6cc1f72b44209514c820a6db446ed36b75355faf060f16350dcf6eca
Opcode Fuzzy Hash: 9d300ef8bd84aee41b4e0b1ff288b8da3af8c63dbcddcc92868984b9c9f960c5
Instruction Fuzzy Hash: AF51F8B5900249BBEB208F91CC48FEFBBB8EF85B50F140159F911BA2A5D6749941CB24

Function 004015D4 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016CC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040170D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040173E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401760

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2d7fdb25284bcc8ab5e3784c4571b5c01e63ed33f79af924ad018a85a7239317
Instruction ID: 56582155fd1d66f70974beedeeaed2f840c918c3938996436a0ad6123946e001
Opcode Fuzzy Hash: 2d7fdb25284bcc8ab5e3784c4571b5c01e63ed33f79af924ad018a85a7239317
Instruction Fuzzy Hash: 395108B5900249BBEB208F91CC88FEFBBB8EF85B50F140159F911AA2A5D7709945CB24

Function 02E621B1 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E621D9
Module32First.KERNEL32(00000000,00000224), ref: 02E621F9

Memory Dump Source

Source File: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E5B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e5b000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 80774046262e657044a0c5bbe61224384e19d5ab18c60cf7e272e4aefee07cbc
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 81F0F6312807106BD7203BF8A88CB7E76ECAF493A8F106528FB56D50C0DBB0E8454A71

Function 02E2003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E2024D

Strings

kernel32.dll, xrefs: 02E2008F, 02E20095
cess, xrefs: 02E2018D

Memory Dump Source

Source File: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bf7558aa261c7e9f0bf3ab8e2195609813a6ede93c7c4eb9cfb164d9dfac32cf
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 13526B75A41229DFDB64CF58C984BACBBB1BF09314F1480D9E54DAB391DB30AA89CF14

Function 02E20E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E20223,?,?), ref: 02E20E19
SetErrorMode.KERNELBASE(00000000,?,?,02E20223,?,?), ref: 02E20E1E

Memory Dump Source

Source File: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 00dfb41ce48c535117d73a9952129246be58987ed129c26202745da8aced8991
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D5D0123114512877DB002A94DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 00401971 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2e95684dc8b5410d2eca61f9e064cce7de645e321735a1764ac2a390b7614860
Instruction ID: 7dcee170f8aadddd500080ebcf8028d664774791e86c047af75ed4c3a1e846e4
Opcode Fuzzy Hash: 2e95684dc8b5410d2eca61f9e064cce7de645e321735a1764ac2a390b7614860
Instruction Fuzzy Hash: 481108B170C204E7E7009A949D52E7A32689B41314F300137B643791F1D67D9913FBAF

Function 0040197C Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f35fbf5d9835a8e1d59ca2ec59d9971422495a2d1a1711f92afe40ee99f95285
Instruction ID: 1a6437e2a7af3611ac2357d91b17f6bbe402c23fd9b2aff2567646cef7d18b24
Opcode Fuzzy Hash: f35fbf5d9835a8e1d59ca2ec59d9971422495a2d1a1711f92afe40ee99f95285
Instruction Fuzzy Hash: CD11ED7170D204EBEB009A90CD82EAA3364AB41310F30017BF243791F2D63D9813AB6B

Function 0040199F Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: d49bf211624a183c5aff3b88ff5f11e2d7e095bfb9322cb2fab4da2a0e61e233
Instruction ID: ff0b4a9e70c304bd1845563b614ead501f8dd9594f44597b8e492f65dbeff281
Opcode Fuzzy Hash: d49bf211624a183c5aff3b88ff5f11e2d7e095bfb9322cb2fab4da2a0e61e233
Instruction Fuzzy Hash: 90017C71709204EBEB009A94DD81EAA32249B45314F300277B653791F2D67D9912AB6F

Function 00401996 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 4de80b9f47e4ae29d6088a074243e7a574dd56949fbda982d12fbc508f47ad66
Instruction ID: eda55832a2cd0e161a97d7c97da9d7ff7d7a6918e5766964519d6ff9cad9236d
Opcode Fuzzy Hash: 4de80b9f47e4ae29d6088a074243e7a574dd56949fbda982d12fbc508f47ad66
Instruction Fuzzy Hash: B6018F71709204EBEB009A94DD82EAA32659B45314F300177F613791F2D67D9913BBAF

Function 02E61E70 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E61EC1

Memory Dump Source

Source File: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E5B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e5b000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: dc3e70a462c0b423b17dafe4a3346388c83f7926ccf958271e520d8b78cb7e7a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C6112B79A40208EFDB01DF98C989E99BBF5AF08351F058094FA489B361D771EA50DF90

Function 004019A3 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 1a364d6effcc40ac0042f1280a119f868f134fd00aec2be3b257fd846209b8b3
Instruction ID: a8714c2cc8ba5922cfbb26050d9e99a74f1c083600e6ebc9bd06535745241c55
Opcode Fuzzy Hash: 1a364d6effcc40ac0042f1280a119f868f134fd00aec2be3b257fd846209b8b3
Instruction Fuzzy Hash: FD01AD71309204EBEB00AA94DD82EAE3224AB44314F300177B613781F2D67D9913AB6B

Function 004019A6 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 375e26b3f1008080540ece03d3bea115b2c347d3cb02d6489650221769795c4a
Instruction ID: c6fc76c5dd42ca33e043e4988469126da4fcf1a5840464efe1596a2944423f63
Opcode Fuzzy Hash: 375e26b3f1008080540ece03d3bea115b2c347d3cb02d6489650221769795c4a
Instruction Fuzzy Hash: C601A271309204EBDB00AA94DD82EAE3364AB44314F200577B603791F2D77D9912BB6B

Function 004019B3 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2565b0cbe1ac7d43ab51b008bab1316dfb5d716e876b8911521e383b75e23e13
Instruction ID: 6c880233279e19fad1767462897a4b434f8fa4fb9d4e96048f9b74d24772d314
Opcode Fuzzy Hash: 2565b0cbe1ac7d43ab51b008bab1316dfb5d716e876b8911521e383b75e23e13
Instruction Fuzzy Hash: E701AD71309204EBDB00AA94DC82EAA3324AB44324F300177F613780F2D73D9912AB6B

Function 004019B7 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019C5

Part of subcall function 004015A5: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040165E
Part of subcall function 004015A5: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040168B
Part of subcall function 004015A5: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016AE

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 9249e6c347c39a1a4aad0e95f3c462ef6fd912f79b1e24989119bbd061585ab0
Instruction ID: 75a91e03726f7b8b34843d6799eba71702c3b088b969b1c3ca419d2ba2141a13
Opcode Fuzzy Hash: 9249e6c347c39a1a4aad0e95f3c462ef6fd912f79b1e24989119bbd061585ab0
Instruction Fuzzy Hash: 1AF0A431309204FBDB00ABD4DC42DAE3364AB44314F200177B613781F2D67D9912AF6B

Non-executed Functions

Function 02E2092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 02E209DC, 02E209DF, 02E209E4
l, xrefs: 02E20966
., xrefs: 02E2095F

Memory Dump Source

Source File: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 0622ab01cf25bf12907810ddac50a8e0dcdeee675db74ab547301bf2114fc0e0
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 583149B6901619DFDB10CF99C880AAEBBF5FF58328F14904AD442B7250D771EA49CFA4

Function 00402141 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

^;^p, xrefs: 00402260

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID:
String ID: ^;^p
API String ID: 0-1452649498
Opcode ID: 2f11579ed6ecaccfbb963cba8e838083dd8515e3939fbe8604e56738683dcb24
Instruction ID: f02c42c73d2da16e4c2a2424d711713793af7c30c079d87c28513edff295cc0b
Opcode Fuzzy Hash: 2f11579ed6ecaccfbb963cba8e838083dd8515e3939fbe8604e56738683dcb24
Instruction Fuzzy Hash: 4E71B532149760DBC761FF7CE6C55C6BBA0FE0972431449AFD1C69A982C2B6A042CBD5

Function 02E61A8E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E5B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e5b000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e1dd99d247e8577da62bf735995334762f612eb0d38ac0965925a9a2d5e92a1a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 82118E72780100AFDB54DF59DC94FA673EAFB89264B19C169ED08CF315E676E802CB60

Function 02E20D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e20000_LH27WS7BVJ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d2a9083595d6ee6a256dc2e8d6a0012d07527aa321de95ca19ac6d920076e272
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: B701F7766516108FDF21CF20C804BAA33F5EB96309F0590A4D507972C1E370A9458B80

Function 00402446 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4924d4d24f223221fdbb9a0ec2e4b6b2bb59ca9faec4bc60e2856aeda0837f4c
Instruction ID: 02225ea202e809a45205119e8d6d068647febcbf8a73176ef8c7a49ae2e2926a
Opcode Fuzzy Hash: 4924d4d24f223221fdbb9a0ec2e4b6b2bb59ca9faec4bc60e2856aeda0837f4c
Instruction Fuzzy Hash: 53F0A35B60004589C60057D846C54C9EF7052AB7343381BFFC1B35B6C2E1F44207AE70

Function 00402464 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1315f76aedc072e882277cb11b63ec4cabce7e3242d6b99178868fe1690cb992
Instruction ID: fd08cc4acbec9d724d170e495cae0b8411d18b9e730c60b94546074d743e6c2e
Opcode Fuzzy Hash: 1315f76aedc072e882277cb11b63ec4cabce7e3242d6b99178868fe1690cb992
Instruction Fuzzy Hash: BEE0D8378851404AEA628B98878B984BF72F1874307380A68C14669A67C1F6430BB331

Function 00402421 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1691388070.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LH27WS7BVJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168fb599194ead4b33809b34bb7bb54dc03455e6f8294ee412123f88df47309e
Instruction ID: 34cabaf976a25a87465afe27a04e1e539af209cd9adb84c7ab4f63964ef161c7
Opcode Fuzzy Hash: 168fb599194ead4b33809b34bb7bb54dc03455e6f8294ee412123f88df47309e
Instruction Fuzzy Hash: 96C08075C4500489E956C6988DC77C57F37F0178307741F1DD5455AD37C27341179275

Analysis Process: wtftrbrPID: 2004, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	2

Executed Functions

Function 048C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 048C024D

Strings

kernel32.dll, xrefs: 048C008F, 048C0095
cess, xrefs: 048C018D

Memory Dump Source

Source File: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_48c0000_wtftrbr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bd9e77228a92fd0b16ef38f927e9806ca237c2a912bb725c33ce2dfc6e2dd51a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F527A74A01229DFDB64CF98C984BACBBB1BF09304F1485D9E50DAB351DB30AA85DF15

Function 02CE1C09 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CE1C31
Module32First.KERNEL32(00000000,00000224), ref: 02CE1C51

Memory Dump Source

Source File: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2cdb000_wtftrbr.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1dc61f7da6a2de731c5d7a1c4be0a16e26167ff17dab60d6adcccf8c71839250
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B7F09631100B146BDB303BF5A88DBAE76ECEF89624F180528E65BD10C0DBB0ED559A61

Function 048C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,048C0223,?,?), ref: 048C0E19
SetErrorMode.KERNELBASE(00000000,?,?,048C0223,?,?), ref: 048C0E1E

Memory Dump Source

Source File: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_48c0000_wtftrbr.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 974fbefe494e3660b2d81de3df00582b3900c2d20be45972480681e4c8a0c2b8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 2DD01231545128B7D7003AD4DC09BCD7B1CDF05BA2F008411FB0DD9080C770954046E5

Function 02CE18C8 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CE1919

Memory Dump Source

Source File: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2cdb000_wtftrbr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7b8f5b1e44f867d4736735c799f733ea44a91e76f0184c5c31db9b90b020b538
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F5113F79A00208EFDB01DF98C985E98BBF5AF08351F098094F948AB361D371EA50DF90

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LH27WS7BVJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\wtftrbr

C:\Users\user\AppData\Roaming\wtftrbr:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
LH27WS7BVJ.exe

Function 004015A5 Relevance: 10.7, APIs: 7, Instructions: 200
nativeCOMMON

Function 004015BB Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Function 004015CD Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 004015BF Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 004015D1 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 004015D4 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Function 02E621B1 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02E2003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 02E20E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00401971 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 0040197C Relevance: 1.3, APIs: 1, Instructions: 58
sleepCOMMON

Function 0040199F Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Function 00401996 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Function 004019A3 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Function 004019A6 Relevance: 1.3, APIs: 1, Instructions: 48
sleepCOMMON

Function 048C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON