Play interactive tour

Edit tour

Windows Analysis Report 9Hh9OY15jt.exe

Overview

General Information

Sample Name:	9Hh9OY15jt.exe
Analysis ID:	492886
MD5:	0bc97a36dc6135fc7a69c90c1c303439
SHA1:	a3508e80c4e9bd20c04114c599be634107a49952
SHA256:	7859d00a4fe195ff6eee7795be34ee9a351a0445acf0639cd999e9a3767dd1df
Tags:	ArkeiStealerexe
Infos:
Most interesting Screenshot:

Detection

Vidar

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Vidar stealer

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

9Hh9OY15jt.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\9Hh9OY15jt.exe' MD5: 0BC97A36DC6135FC7A69C90C1C303439)

cleanup

Malware Configuration

Threatname: Vidar

{"C2 url": "api.faceit.com/core/v1/nicknames/"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.295704642.0000000002290000.00000004.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 9Hh9OY15jt.exe PID: 7052	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.3.9Hh9OY15jt.exe.2290000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.9Hh9OY15jt.exe.21b0e50.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.9Hh9OY15jt.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.9Hh9OY15jt.exe.2290000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.9Hh9OY15jt.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.9Hh9OY15jt.exe.21b0e50.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.9Hh9OY15jt.exe.21b0e50.1.raw.unpack

Malware Configuration Extractor: Vidar {"C2 url": "api.faceit.com/core/v1/nicknames/"}

Multi AV Scanner detection for submitted file

Show sources

Source: 9Hh9OY15jt.exe	Virustotal: Detection: 29%	Perma Link
Source: 9Hh9OY15jt.exe	Metadefender: Detection: 37%	Perma Link
Source: 9Hh9OY15jt.exe	ReversingLabs: Detection: 66%

Machine Learning detection for sample

Show sources

Source: 9Hh9OY15jt.exe

Joe Sandbox ML: detected

Source: 1.3.9Hh9OY15jt.exe.2290000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.9Hh9OY15jt.exe.21b0e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Unpacked PE file: 1.2.9Hh9OY15jt.exe.400000.0.unpack

Source: 9Hh9OY15jt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:49744 version: TLS 1.2

Source:

Binary string: C:\resudiwigogora\tuvakuwoyidu\mawe.pdb source: 9Hh9OY15jt.exe

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW,		1_2_00496670
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_022468C0 FindFirstFileW,FindNextFileW,FindNextFileW,		1_2_022468C0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to

Source: Joe Sandbox View	IP Address: 88.99.75.82 88.99.75.82
Source: Joe Sandbox View	IP Address: 23.88.105.196 23.88.105.196

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.105.196

Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/1008
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/1008-
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/1008=
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/1008u
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/freebl3.dll
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/mozglue.dllF
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/mozglue.dllP
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/msvcp140.dll
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/msvcp140.dllj
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/nss3.dll
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/nss3.dll.m
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/softokn3.dll
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/softokn3.dlld
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/softokn3.dllm
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://23.88.105.196/softokn3.dll~
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: https://mas.to
Source: 9Hh9OY15jt.exe, 00000001.00000002.549475719.0000000002570000.00000004.00000040.sdmp	String found in binary or memory: https://mas.to/
Source: 9Hh9OY15jt.exe, 00000001.00000002.549475719.0000000002570000.00000004.00000040.sdmp	String found in binary or memory: https://mas.to/users/killern0
Source: 9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	String found in binary or memory: https://media.mas.to

Source: unknown

DNS traffic detected: queries for: mas.to

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_00414FD0 InternetSetFilePointer,InternetReadFile,_memmove,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s,

1_2_00414FD0

Source: global traffic

HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to

Source: unknown

HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:49744 version: TLS 1.2

Source: 9Hh9OY15jt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 9Hh9OY15jt.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9Hh9OY15jt.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9Hh9OY15jt.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9Hh9OY15jt.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004B2840	1_2_004B2840
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004AD033	1_2_004AD033
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0049D0F0	1_2_0049D0F0
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_00498990	1_2_00498990
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004982C0	1_2_004982C0
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004B22EF	1_2_004B22EF
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0041DBF0	1_2_0041DBF0
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_00440C30	1_2_00440C30
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004B3D10	1_2_004B3D10
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004B1D9E	1_2_004B1D9E
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0049A6B0	1_2_0049A6B0
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004B2F1C	1_2_004B2F1C
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0225D283	1_2_0225D283
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_02262A90	1_2_02262A90
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0224D340	1_2_0224D340
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_02263F60	1_2_02263F60
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_02261FEE	1_2_02261FEE
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0226253F	1_2_0226253F

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: String function: 004A2EB0 appears 44 times
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: String function: 02253100 appears 44 times
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: String function: 00401020 appears 53 times

Source: 9Hh9OY15jt.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 9Hh9OY15jt.exe	Virustotal: Detection: 29%
Source: 9Hh9OY15jt.exe	Metadefender: Detection: 37%
Source: 9Hh9OY15jt.exe	ReversingLabs: Detection: 66%

Source: 9Hh9OY15jt.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_004926D0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,std::_Lockit::_Lockit,std::ios_base::_Ios_base_dtor,

1_2_004926D0

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 9Hh9OY15jt.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 9Hh9OY15jt.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 9Hh9OY15jt.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 9Hh9OY15jt.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 9Hh9OY15jt.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 9Hh9OY15jt.exe, 00000001.00000003.295704642.0000000002290000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 9Hh9OY15jt.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 9Hh9OY15jt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\resudiwigogora\tuvakuwoyidu\mawe.pdb source: 9Hh9OY15jt.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Unpacked PE file: 1.2.9Hh9OY15jt.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Unpacked PE file: 1.2.9Hh9OY15jt.exe.400000.0.unpack

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004A0CB7 push ecx; ret	1_2_004A0CCA
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004A2EF5 push ecx; ret	1_2_004A2F08
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_02253145 push ecx; ret	1_2_02253158
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_02250F07 push ecx; ret	1_2_02250F1A

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_004AFE89 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_004AFE89

Source: initial sample

Static PE information: section name: .text entropy: 7.98791388464

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW,		1_2_00496670
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_022468C0 FindFirstFileW,FindNextFileW,FindNextFileW,		1_2_022468C0

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_004A31A7

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_021B092B mov eax, dword ptr fs:[00000030h]	1_2_021B092B
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_021B0ED1 mov eax, dword ptr fs:[00000030h]	1_2_021B0ED1
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_021B0D90 mov eax, dword ptr fs:[00000030h]	1_2_021B0D90

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

1_2_004AFE89

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_004B19C7 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_004B19C7

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004A31A7
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0049BCD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0049BCD2
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_022533F7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_022533F7
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: 1_2_0224BF22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0224BF22

Source: 9Hh9OY15jt.exe, 00000001.00000002.549121197.0000000000D50000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 9Hh9OY15jt.exe, 00000001.00000002.549121197.0000000000D50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 9Hh9OY15jt.exe, 00000001.00000002.549121197.0000000000D50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 9Hh9OY15jt.exe, 00000001.00000002.549121197.0000000000D50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_004B1803
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	1_2_004AC142
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004AC917
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	1_2_004ACA0C
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	1_2_004AB23B
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	1_2_004ACAB3
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	1_2_004ACB0E
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	1_2_004AC430
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	1_2_004ACCDF
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_004AB4E6
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_004ACD9F
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	1_2_004ACE42
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_004ACE06
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoA,	1_2_0049DE22
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	1_2_004A072A
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	1_2_004B1729
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_02261A53
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0225CB67
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	1_2_0225C392
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_0225D056
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itow_s,	1_2_0225D092
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	1_2_0225097A
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	1_2_0225CF2F
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_0225B736
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_0225CFEF
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	1_2_0225CC5C
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,GetLocaleInfoW,	1_2_0225B48B
Source: C:\Users\user\Desktop\9Hh9OY15jt.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	1_2_0225CD03

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_004A5D12 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

1_2_004A5D12

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_00498B40 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_00498B40

Source: C:\Users\user\Desktop\9Hh9OY15jt.exe

Code function: 1_2_00491AC0 GetUserNameA,

1_2_00491AC0

Stealing of Sensitive Information:

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 1.3.9Hh9OY15jt.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.21b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.9Hh9OY15jt.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.21b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.295704642.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9Hh9OY15jt.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality:

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 1.3.9Hh9OY15jt.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.21b0e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.9Hh9OY15jt.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9Hh9OY15jt.exe.21b0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.295704642.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9Hh9OY15jt.exe PID: 7052, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing23	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9Hh9OY15jt.exe	30%	Virustotal		Browse
9Hh9OY15jt.exe	37%	Metadefender		Browse
9Hh9OY15jt.exe	67%	ReversingLabs	Win32.Trojan.Racealer
9Hh9OY15jt.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.9Hh9OY15jt.exe.2290000.0.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
1.2.9Hh9OY15jt.exe.21b0e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://23.88.105.196/msvcp140.dll	0%	Avira URL Cloud	safe
http://23.88.105.196/1008u	0%	Avira URL Cloud	safe
http://23.88.105.196/softokn3.dll	0%	Avira URL Cloud	safe
http://23.88.105.196/nss3.dll	0%	Avira URL Cloud	safe
http://23.88.105.196/msvcp140.dllj	0%	Avira URL Cloud	safe
http://23.88.105.196/softokn3.dllm	0%	Avira URL Cloud	safe
http://23.88.105.196/1008=	0%	Avira URL Cloud	safe
http://23.88.105.196/mozglue.dllP	0%	Avira URL Cloud	safe
http://23.88.105.196/nss3.dll.m	0%	Avira URL Cloud	safe
https://mas.to/	0%	Avira URL Cloud	safe
http://23.88.105.196/	0%	Avira URL Cloud	safe
http://23.88.105.196/softokn3.dlld	0%	Avira URL Cloud	safe
http://23.88.105.196/1008	0%	Avira URL Cloud	safe
http://23.88.105.196/freebl3.dll	0%	Avira URL Cloud	safe
https://mas.to	0%	Avira URL Cloud	safe
http://23.88.105.196/softokn3.dll~	0%	Avira URL Cloud	safe
http://23.88.105.196/1008-	0%	Avira URL Cloud	safe
https://mas.to/users/killern0	0%	Avira URL Cloud	safe
http://23.88.105.196/mozglue.dllF	0%	Avira URL Cloud	safe
https://media.mas.to	0%	Avira URL Cloud	safe
https://mas.to/@killern0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mas.to	88.99.75.82	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://mas.to/@killern0	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://23.88.105.196/msvcp140.dll	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/1008u	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/softokn3.dll	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/nss3.dll	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/msvcp140.dllj	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/softokn3.dllm	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/1008=	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/mozglue.dllP	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/nss3.dll.m	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mas.to/	9Hh9OY15jt.exe, 00000001.00000002.549475719.0000000002570000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/softokn3.dlld	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/1008	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/freebl3.dll	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mas.to	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/softokn3.dll~	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/1008-	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mas.to/users/killern0	9Hh9OY15jt.exe, 00000001.00000002.549475719.0000000002570000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.105.196/mozglue.dllF	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://media.mas.to	9Hh9OY15jt.exe, 00000001.00000002.549604782.0000000002F10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.99.75.82	mas.to	Germany		24940	HETZNER-ASDE	false
23.88.105.196	unknown	United States		18978	ENZUINC-US	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492886
Start date:	29.09.2021
Start time:	04:28:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9Hh9OY15jt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.5.146, 23.211.6.115, 20.50.102.62, 20.54.110.249, 40.112.88.60, 8.248.141.254, 8.248.93.254, 8.238.85.126, 8.238.85.254, 8.248.117.254, 20.199.120.85, 80.67.82.235, 80.67.82.211, 20.199.120.151, 20.82.210.154 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.75.82	OglZjKt8G4.exe	Get hash	malicious	Browse
	Sdcix10Xdz.exe	Get hash	malicious	Browse
	mqqT3E8dYo.exe	Get hash	malicious	Browse
	pO6W7ZstaH.exe	Get hash	malicious	Browse
	8NdtVFdwcs.exe	Get hash	malicious	Browse
	UeRoGyirVi.exe	Get hash	malicious	Browse
	5d33XA71cr.exe	Get hash	malicious	Browse
	RCnbEaKhdD.exe	Get hash	malicious	Browse
	X9iTxI3QtS.exe	Get hash	malicious	Browse
	lcZoxd23lU.exe	Get hash	malicious	Browse
	eh1Jd9oktL.exe	Get hash	malicious	Browse
	Gbb8oluLdo.exe	Get hash	malicious	Browse
	rO27azgdXP.exe	Get hash	malicious	Browse
	8FjZ4i5ZYi.exe	Get hash	malicious	Browse
	2awEYXkQvX.exe	Get hash	malicious	Browse
	e1RA3RFD7Q.exe	Get hash	malicious	Browse
	f1iHAqCbBt.exe	Get hash	malicious	Browse
	Q5yOweGeTg.exe	Get hash	malicious	Browse
	EITyS0c1l1.exe	Get hash	malicious	Browse
	2mdb3OG6FM.exe	Get hash	malicious	Browse
23.88.105.196	UeRoGyirVi.exe	Get hash	malicious	Browse	23.88.105.196/
	5d33XA71cr.exe	Get hash	malicious	Browse	23.88.105.196/
	RCnbEaKhdD.exe	Get hash	malicious	Browse	23.88.105.196/
	X9iTxI3QtS.exe	Get hash	malicious	Browse	23.88.105.196/
	lcZoxd23lU.exe	Get hash	malicious	Browse	23.88.105.196/
	eh1Jd9oktL.exe	Get hash	malicious	Browse	23.88.105.196/
	Gbb8oluLdo.exe	Get hash	malicious	Browse	23.88.105.196/
	rO27azgdXP.exe	Get hash	malicious	Browse	23.88.105.196/
	8FjZ4i5ZYi.exe	Get hash	malicious	Browse	23.88.105.196/
	e1RA3RFD7Q.exe	Get hash	malicious	Browse	23.88.105.196/
	f1iHAqCbBt.exe	Get hash	malicious	Browse	23.88.105.196/
	Q5yOweGeTg.exe	Get hash	malicious	Browse	23.88.105.196/
	EITyS0c1l1.exe	Get hash	malicious	Browse	23.88.105.196/
	2mdb3OG6FM.exe	Get hash	malicious	Browse	23.88.105.196/
	gmT455QDI6.exe	Get hash	malicious	Browse	23.88.105.196/
	IdI36XfAJc.exe	Get hash	malicious	Browse	23.88.105.196/
	CYqow0VzsU.exe	Get hash	malicious	Browse	23.88.105.196/
	YMFYAIMpF8.exe	Get hash	malicious	Browse	23.88.105.196/
	AO8LQp0Yff.exe	Get hash	malicious	Browse	23.88.105.196/
	xtlA67ZUPd.exe	Get hash	malicious	Browse	23.88.105.196/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mas.to	OglZjKt8G4.exe	Get hash	malicious	Browse	88.99.75.82
	Sdcix10Xdz.exe	Get hash	malicious	Browse	88.99.75.82
	mqqT3E8dYo.exe	Get hash	malicious	Browse	88.99.75.82
	pO6W7ZstaH.exe	Get hash	malicious	Browse	88.99.75.82
	8NdtVFdwcs.exe	Get hash	malicious	Browse	88.99.75.82
	UeRoGyirVi.exe	Get hash	malicious	Browse	88.99.75.82
	5d33XA71cr.exe	Get hash	malicious	Browse	88.99.75.82
	RCnbEaKhdD.exe	Get hash	malicious	Browse	88.99.75.82
	X9iTxI3QtS.exe	Get hash	malicious	Browse	88.99.75.82
	lcZoxd23lU.exe	Get hash	malicious	Browse	88.99.75.82
	eh1Jd9oktL.exe	Get hash	malicious	Browse	88.99.75.82
	Gbb8oluLdo.exe	Get hash	malicious	Browse	88.99.75.82
	rO27azgdXP.exe	Get hash	malicious	Browse	88.99.75.82
	8FjZ4i5ZYi.exe	Get hash	malicious	Browse	88.99.75.82
	e1RA3RFD7Q.exe	Get hash	malicious	Browse	88.99.75.82
	f1iHAqCbBt.exe	Get hash	malicious	Browse	88.99.75.82
	Q5yOweGeTg.exe	Get hash	malicious	Browse	88.99.75.82
	EITyS0c1l1.exe	Get hash	malicious	Browse	88.99.75.82
	2mdb3OG6FM.exe	Get hash	malicious	Browse	88.99.75.82
	gmT455QDI6.exe	Get hash	malicious	Browse	88.99.75.82

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	RpcNs4.exe	Get hash	malicious	Browse	195.201.56.70
	PO 290921-021A.exe	Get hash	malicious	Browse	136.243.159.53
	payment advice.exe	Get hash	malicious	Browse	136.243.159.53
	2021-draft Shipping documents BL & Packing list.exe	Get hash	malicious	Browse	168.119.93.163
	bZOxNc1FGQ.exe	Get hash	malicious	Browse	88.99.66.31
	OglZjKt8G4.exe	Get hash	malicious	Browse	88.99.75.82
	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	Get hash	malicious	Browse	88.99.66.31
	Sdcix10Xdz.exe	Get hash	malicious	Browse	88.99.75.82
	PAYMENT_ADVICE.exe	Get hash	malicious	Browse	46.4.66.178
	8YvgZNbOUh.exe	Get hash	malicious	Browse	188.34.181.205
	mqqT3E8dYo.exe	Get hash	malicious	Browse	88.99.75.82
	pO6W7ZstaH.exe	Get hash	malicious	Browse	88.99.75.82
	8NdtVFdwcs.exe	Get hash	malicious	Browse	88.99.75.82
	7yyqdBJVGf.exe	Get hash	malicious	Browse	88.99.66.31
	sample.dll	Get hash	malicious	Browse	116.203.98.109
	UeRoGyirVi.exe	Get hash	malicious	Browse	88.99.75.82
	mvuAUoDi3k.exe	Get hash	malicious	Browse	136.243.159.53
	nKknqwJB7z.exe	Get hash	malicious	Browse	95.217.228.176
	0xjh5n37kN.exe	Get hash	malicious	Browse	144.76.183.53
	NtA6ABwq75.exe	Get hash	malicious	Browse	5.9.120.250
ENZUINC-US	OglZjKt8G4.exe	Get hash	malicious	Browse	23.88.105.196
	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	Get hash	malicious	Browse	45.136.151.102
	Sdcix10Xdz.exe	Get hash	malicious	Browse	23.88.111.187
	mqqT3E8dYo.exe	Get hash	malicious	Browse	23.88.105.196
	pO6W7ZstaH.exe	Get hash	malicious	Browse	23.88.111.187
	8NdtVFdwcs.exe	Get hash	malicious	Browse	23.88.111.187
	UeRoGyirVi.exe	Get hash	malicious	Browse	23.88.105.196
	5d33XA71cr.exe	Get hash	malicious	Browse	23.88.105.196
	RCnbEaKhdD.exe	Get hash	malicious	Browse	23.88.105.196
	X9iTxI3QtS.exe	Get hash	malicious	Browse	23.88.105.196
	lcZoxd23lU.exe	Get hash	malicious	Browse	23.88.105.196
	eh1Jd9oktL.exe	Get hash	malicious	Browse	23.88.105.196
	Gbb8oluLdo.exe	Get hash	malicious	Browse	23.88.105.196
	rO27azgdXP.exe	Get hash	malicious	Browse	23.88.105.196
	8FjZ4i5ZYi.exe	Get hash	malicious	Browse	23.88.105.196
	2awEYXkQvX.exe	Get hash	malicious	Browse	45.136.151.102
	e1RA3RFD7Q.exe	Get hash	malicious	Browse	23.88.105.196
	f1iHAqCbBt.exe	Get hash	malicious	Browse	23.88.105.196
	Q5yOweGeTg.exe	Get hash	malicious	Browse	23.88.105.196
	EITyS0c1l1.exe	Get hash	malicious	Browse	23.88.105.196

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Confirm_Sept_Invoice.html	Get hash	malicious	Browse	88.99.75.82
	bZOxNc1FGQ.exe	Get hash	malicious	Browse	88.99.75.82
	rwqGxFrXrc.exe	Get hash	malicious	Browse	88.99.75.82
	FACTURA.exe	Get hash	malicious	Browse	88.99.75.82
	OglZjKt8G4.exe	Get hash	malicious	Browse	88.99.75.82
	remittance for Troweprice Batch-2443337.html	Get hash	malicious	Browse	88.99.75.82
	Guloader.exe	Get hash	malicious	Browse	88.99.75.82
	EVLb7JeDaK.dll	Get hash	malicious	Browse	88.99.75.82
	Zfghetkzueityaerxzsazyjxhqkivudjcd.exe	Get hash	malicious	Browse	88.99.75.82
	Sdcix10Xdz.exe	Get hash	malicious	Browse	88.99.75.82
	cs.exe	Get hash	malicious	Browse	88.99.75.82
	mqqT3E8dYo.exe	Get hash	malicious	Browse	88.99.75.82
	exe.exe	Get hash	malicious	Browse	88.99.75.82
	pO6W7ZstaH.exe	Get hash	malicious	Browse	88.99.75.82
	ACH_paytrace4758A.html	Get hash	malicious	Browse	88.99.75.82
	8NdtVFdwcs.exe	Get hash	malicious	Browse	88.99.75.82
	nuovo ordine. 908272762.exe	Get hash	malicious	Browse	88.99.75.82
	receipt.html	Get hash	malicious	Browse	88.99.75.82
	ACH_paytrace4758A.html	Get hash	malicious	Browse	88.99.75.82
	javascript.js	Get hash	malicious	Browse	88.99.75.82

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.857968143961598
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	9Hh9OY15jt.exe
File size:	599040
MD5:	0bc97a36dc6135fc7a69c90c1c303439
SHA1:	a3508e80c4e9bd20c04114c599be634107a49952
SHA256:	7859d00a4fe195ff6eee7795be34ee9a351a0445acf0639cd999e9a3767dd1df
SHA512:	67a8a4f9d33789460f677fd30e450673b564c6bcf09fdddac0a1932a0c42237c296d6d1f10f01bf4d6a1cb6641846a342d1798badc575bdfff2ac8ab37dfb0a3
SSDEEP:	12288:c9OG5U3giCpd7Pq9m3QGpbSz9xLgo3/QwQf5gpZfQmzTO6sO99aO73pfqUtO:c9OGq50BZHpbOnUg/iOZfQ+Os9aOFf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L..

File Icon


Icon Hash:	e0e0e8beb0e4c8ea

Static PE Info

General
Entrypoint:	0x401b2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5FC62993 [Tue Dec 1 11:31:31 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f98cc9327e2d65cc6189a693f26e1c1d

Entrypoint Preview

Instruction
call 00007F79ECD1A31Ch
jmp 00007F79ECD1772Dh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00488008h+ecx*8]
je 00007F79ECD178C5h
inc ecx
cmp ecx, 2Dh
jc 00007F79ECD178A3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F79ECD178C0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0048800Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F79ECD19F81h
test eax, eax
jne 00007F79ECD178B8h
mov eax, 00488170h
ret
add eax, 08h
ret
call 00007F79ECD19F6Eh
test eax, eax
jne 00007F79ECD178B8h
mov eax, 00488174h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F79ECD17897h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F79ECD17837h
pop ecx
mov esi, eax
call 00007F79ECD17871h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
push 0000000Ch
push 004865D8h
call 00007F79ECD1863Ch
mov ecx, dword ptr [ebp+08h]
xor edi, edi
cmp ecx, edi
jbe 00007F79ECD178E0h
push FFFFFFE0h
pop eax
xor edx, edx
div ecx
cmp eax, dword ptr [ebp+0Ch]
sbb eax, eax
inc eax
jne 00007F79ECD178D1h
call 00007F79ECD17843h
mov dword ptr [eax], 0000000Ch
push edi
push edi
push edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x871a0	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8692c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10e000	0xa8f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x841c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x85480	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x84000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x82560	0x82600	False	0.976096221836	data	7.98791388464	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x84000	0x31f5	0x3200	False	0.258984375	data	4.17091107698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x88000	0x8557c	0x1e00	False	0.117838541667	data	1.3207191359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x10e000	0xa8f0	0xaa00	False	0.668887867647	data	6.0767085964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x10e3f0	0xea8	data	English	United States
RT_ICON	0x10f298	0x8a8	data	English	United States
RT_ICON	0x10fb40	0x6c8	data	English	United States
RT_ICON	0x110208	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x110770	0x25a8	data	English	United States
RT_ICON	0x112d18	0x10a8	data	English	United States
RT_ICON	0x113dc0	0x988	data	English	United States
RT_ICON	0x114748	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x114c28	0x6c8	data	English	United States
RT_ICON	0x1152f0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x115858	0x25a8	data	English	United States
RT_ICON	0x117e00	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x1184c8	0x424	data
RT_ACCELERATOR	0x1182a8	0x50	data
RT_ACCELERATOR	0x1182f8	0x20	data
RT_GROUP_ICON	0x118268	0x3e	data	English	United States
RT_GROUP_ICON	0x114bb0	0x76	data	English	United States
RT_VERSION	0x118318	0x1b0	data

Imports

DLL

Import

KERNEL32.dll

HeapReAlloc, GetLocaleInfoA, LoadResource, InterlockedIncrement, GetEnvironmentStringsW, AddConsoleAliasW, SetEvent, OpenSemaphoreA, GetSystemTimeAsFileTime, GetCommandLineA, WriteFileGather, CreateActCtxW, GetEnvironmentStrings, LeaveCriticalSection, GetFileAttributesA, ReadFile, GetDevicePowerState, GetProcAddress, FreeUserPhysicalPages, VerLanguageNameW, WriteConsoleA, GetProcessId, LocalAlloc, RemoveDirectoryW, GlobalGetAtomNameW, WaitForMultipleObjects, EnumResourceTypesW, GetModuleFileNameA, GetModuleHandleA, EraseTape, GetStringTypeW, ReleaseMutex, EndUpdateResourceA, LocalSize, FindFirstVolumeW, FindNextVolumeA, lstrcpyW, HeapAlloc, GetStartupInfoA, DeleteCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, GetLastError, SetFilePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, CloseHandle, CreateFileA

USER32.dll

GetCursorPos

Exports

Name	Ordinal	Address
@SetViceVariants@12	1	0x401000

Version Infos

Description	Data
InternalName	sajbmiamezu.ise
ProductVersion	8.64.59.5
Copyright	Copyrighz (C) 2021, fudkagat
Translation	0x0127 0x0081

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:30:01.804203987 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:01.804253101 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:01.804419041 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:01.848206043 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:01.848232985 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:01.961651087 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:01.970252037 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.398257017 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.398288965 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.400105000 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.404359102 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.408057928 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.456461906 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.510982037 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.511012077 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.511029959 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.511091948 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.511132002 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.511151075 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.511226892 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.518754959 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.518843889 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.520451069 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.521604061 CEST	49744	443	192.168.2.3	88.99.75.82
Sep 29, 2021 04:30:02.521629095 CEST	443	49744	88.99.75.82	192.168.2.3
Sep 29, 2021 04:30:02.786643982 CEST	49745	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:05.795670986 CEST	49745	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:11.796969891 CEST	49745	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:23.801944971 CEST	49748	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:26.812944889 CEST	49748	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:32.813374996 CEST	49748	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:44.863531113 CEST	49793	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:47.877310038 CEST	49793	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:30:53.877826929 CEST	49793	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:05.885660887 CEST	49821	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:08.894747972 CEST	49821	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:14.910809994 CEST	49821	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:26.914582014 CEST	49824	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:29.912152052 CEST	49824	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:35.912614107 CEST	49824	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:47.916100025 CEST	49826	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:50.913907051 CEST	49826	80	192.168.2.3	23.88.105.196
Sep 29, 2021 04:31:56.914412022 CEST	49826	80	192.168.2.3	23.88.105.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 04:29:43.939186096 CEST	56844	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:29:44.014434099 CEST	53	56844	8.8.8.8	192.168.2.3
Sep 29, 2021 04:29:45.180644989 CEST	58045	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:29:45.214689016 CEST	53	58045	8.8.8.8	192.168.2.3
Sep 29, 2021 04:29:46.539122105 CEST	57459	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:29:46.559900999 CEST	53	57459	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:01.733625889 CEST	57875	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:01.750793934 CEST	53	57875	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:11.832479954 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:11.859894991 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:35.631206036 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:35.684628963 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:36.196507931 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:36.231792927 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:37.176487923 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:37.278810978 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:37.330245972 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:37.365607023 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:37.962846041 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:37.988543034 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:38.551683903 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:38.586920023 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:39.060837030 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:39.083786011 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:39.088443041 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:39.120609999 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:40.113069057 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:40.132203102 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:40.608449936 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:40.628249884 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:41.410072088 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:41.433495045 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:42.315690041 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:42.337029934 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:42.804460049 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:42.823839903 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:43.729938984 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:43.751826048 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 29, 2021 04:30:47.242181063 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:30:47.271248102 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 29, 2021 04:31:01.531900883 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:31:01.549546003 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 29, 2021 04:31:16.085719109 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:31:16.105366945 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 29, 2021 04:31:17.035361052 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:31:17.065779924 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 29, 2021 04:31:35.561414957 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:31:35.578649044 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 29, 2021 04:31:59.409549952 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 29, 2021 04:31:59.429382086 CEST	53	53777	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 29, 2021 04:30:01.733625889 CEST	192.168.2.3	8.8.8.8	0x46e9	Standard query (0)	mas.to	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 29, 2021 04:30:01.750793934 CEST	8.8.8.8	192.168.2.3	0x46e9	No error (0)	mas.to		88.99.75.82	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mas.to

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	88.99.75.82	443	C:\Users\user\Desktop\9Hh9OY15jt.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-29 02:30:02 UTC	0	OUT	GET /@killern0 HTTP/1.1 Host: mas.to
2021-09-29 02:30:02 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 29 Sep 2021 02:30:02 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: Mastodon X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Permissions-Policy: interest-cohort=() Link: <https://mas.to/.well-known/webfinger?resource=acct%3Akillern0%40mas.to>; rel="lrdd"; type="application/jrd+json", <https://mas.to/users/killern0>; rel="alternate"; type="application/activity+json" Vary: Accept, Accept-Encoding, Origin Cache-Control: max-age=0, public ETag: W/"09349ce1045b03cbdf928f859e0574ba" Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://mas.to; img-src 'self' https: data: blob: https://mas.to; style-src 'self' https://mas.to 'nonce-hQBGHoSIUj3I4RCaJnt/3A=='; media-src 'self' https: data: https://mas.to; frame-src 'self' https:; manifest-src 'self' https://mas.to; connect-src 'self' data: blob: https://mas.to https://media.mas.to wss://mas.to; script-src 'self' https://mas.to; child-src 'self' blob: https://mas.to; worker-src 'self' blob: https://mas.to Set-Cookie: _mastodon_session=Vf33mlzVPuWWTzJbPbKPNEYbRv96VYjspsnkn%2BSSi2SxejN7rRWLGwo56VEmc3manK2vwrhQcyHtZprcYQyVNBLEt69pvt3UkSS6Co5yLXsdu1nFVkn6shAye1dGzIX8NC7ewiMwqN4X94%2FC%2FWezgW%2BqWHR0uJ4DXsqSiflWYZ0dKqzw%2F5OAIjEJj0JKDfKjm5edONq0XkT%2B%2FkiSELphFNrueu9d6UBsqqIuOKf2oPXSBMvLdW4%2Fe0mOoLeeU3AVssKRScTN2s9GPFyqN6HxdenEDbVBTutnt0RFe5Ou92xlRAQLN1R13zAPRV1TTk0%2F0z%2BkyjkBTezDYAWau18zKXd8JNkbICwwGkvRuj8IJiOKzJhPZg%3D%3D--iV1iX5G63cmMN%2B39--%2BwSSDm9%2FBxvhzykrDjsigQ%3D%3D; path=/; secure; HttpOnly; SameSite=Lax X-Request-Id: 63865d64-de6b-4e72-8407-9d274260b03b X-Runtime: 0.054453 Strict-Transport-Security: max-age=63072000; includeSubDomains X-Cached: MISS Strict-Transport-Security: max-age=31536000
2021-09-29 02:30:02 UTC	1	IN	Data Raw: 35 30 34 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73 Data Ascii: 504f<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
2021-09-29 02:30:02 UTC	16	IN	Data Raw: 37 33 38 32 38 2d 31 38 2e 37 39 38 38 32 39 2d 31 31 2e 36 30 32 35 20 30 2d 31 37 2e 34 31 37 39 37 20 37 2e 35 30 38 35 31 36 2d 31 37 2e 34 31 37 39 37 20 32 32 2e 33 35 33 35 31 36 76 33 32 2e 33 37 35 30 30 32 48 39 36 2e 32 30 37 30 33 31 56 38 35 2e 34 32 33 38 32 38 63 30 2d 31 34 2e 38 34 35 2d 35 2e 38 31 35 34 36 38 2d 32 32 2e 33 35 33 35 31 35 2d 31 37 2e 34 31 37 39 36 39 2d 32 32 2e 33 35 33 35 31 36 2d 31 30 2e 34 39 33 37 35 20 30 2d 31 35 2e 37 34 30 32 33 34 20 36 2e 33 33 30 30 37 39 2d 31 35 2e 37 34 30 32 33 34 20 31 38 2e 37 39 38 38 32 39 76 35 39 2e 31 34 38 34 33 39 48 33 38 2e 39 30 34 32 39 37 56 38 30 2e 30 37 36 31 37 32 63 30 2d 31 32 2e 34 35 35 20 33 2e 31 37 31 30 31 36 2d 32 32 2e 33 35 31 33 32 38 20 39 2e 35 34 31 30 Data Ascii: 73828-18.798829-11.6025 0-17.41797 7.508516-17.41797 22.353516v32.375002H96.207031V85.423828c0-14.845-5.815468-22.353515-17.417969-22.353516-10.49375 0-15.740234 6.330079-15.740234 18.798829v59.148439H38.904297V80.076172c0-12.455 3.171016-22.351328 9.5410

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 9Hh9OY15jt.exe PID: 7052 Parent PID: 4396

General

Start time:	04:29:52
Start date:	29/09/2021
Path:	C:\Users\user\Desktop\9Hh9OY15jt.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9Hh9OY15jt.exe'
Imagebase:	0x400000
File size:	599040 bytes
MD5 hash:	0BC97A36DC6135FC7A69C90C1C303439
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.295704642.0000000002290000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9Hh9OY15jt.exe PID: 7052 Parent PID: 4396 9Hh9OY15jt.exeCOMMON

Executed Functions

Function 00491AC0, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32 ref: 00491AF6

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fbd7f1f31775140c2410dfef175017acd0f32cf79ceab7fe4c8529fcaa8b23d5
Instruction ID: 31d172919f5a663b823a1a99c2b3aa783a5a2d09b84c0491761752d047d5da8e
Opcode Fuzzy Hash: fbd7f1f31775140c2410dfef175017acd0f32cf79ceab7fe4c8529fcaa8b23d5
Instruction Fuzzy Hash: EB0162711043019FD720DF14D454BEBBBE4EB95304F008A1EE4C987250EBB89548CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 021B003C, Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 021B024D

Strings

kernel32.dll, xrefs: 021B008F, 021B0095
cess, xrefs: 021B018D

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: 9ea78830244e6391ef8110f35a04ca43f7a1235a976a2fb2a4fcda001d4c12d1
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: 13526974A01229DFDB65CF68C984BADBBB1BF09304F1580E9E54DAB351DB30AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00495950, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,00000024,5896F21E), ref: 004959C9
__time64.LIBCMT ref: 004959D0

Part of subcall function 0049D44C: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004959D5,00000000), ref: 0049D457
Part of subcall function 0049D44C: __aulldiv.LIBCMT ref: 0049D477

Part of subcall function 00493050: _malloc.LIBCMT ref: 00493057
Part of subcall function 00493050: GetTickCount.KERNEL32 ref: 00493064
Part of subcall function 00493050: _rand.LIBCMT ref: 00493080
Part of subcall function 00493050: _sprintf.LIBCMT ref: 00493095

Part of subcall function 0049FE88: __getptd.LIBCMT ref: 0049FE8D

_rand.LIBCMT ref: 00495A05

Part of subcall function 0049FE9A: __getptd.LIBCMT ref: 0049FE9A

std::_Xinvalid_argument.LIBCPMT ref: 00495A1C

Strings

invalid string position, xrefs: 00495A17
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 0049598A

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Time__getptd_rand$CountFileSleepSystemTickXinvalid_argument__aulldiv__time64_malloc_sprintfstd::_
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$invalid string position
API String ID: 3490354527-3173898365
Opcode ID: bd3684733ae6dfc7ba607f613c021938278f63bc0f047592a8fa07a51f19b293
Instruction ID: 6801e1378f72f6fa28ec371c07371dd7753675c767b4f3e7db2a2a0bdb9decb4
Opcode Fuzzy Hash: bd3684733ae6dfc7ba607f613c021938278f63bc0f047592a8fa07a51f19b293
Instruction Fuzzy Hash: 864192B1A00644ABDF15DFA5D881BAEBBF5FF84704F20013EF502A7281DBB85905CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0049C971, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0049C98B

Part of subcall function 0049E04E: __FF_MSGBANNER.LIBCMT ref: 0049E067
Part of subcall function 0049E04E: __NMSG_WRITE.LIBCMT ref: 0049E06E
Part of subcall function 0049E04E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A0B2E,00000000,00000001,00000000,?,004A75C4,00000018,004CF090,0000000C,004A7654), ref: 0049E093

std::exception::exception.LIBCMT ref: 0049C9C0
std::exception::exception.LIBCMT ref: 0049C9DA
__CxxThrowException@8.LIBCMT ref: 0049C9EB

Strings

bad allocation, xrefs: 0049C9B9
P-@, xrefs: 0049C9A3

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: P-@$bad allocation
API String ID: 615853336-1329529977
Opcode ID: 947a0ab379d0fb12964c54183797623f7a8b992c1ffabfa6080dd38af0b9f357
Instruction ID: baa4dd520f34c1804c13deedcca7e244aa2bb1314d8136e224ff5042320ae75c
Opcode Fuzzy Hash: 947a0ab379d0fb12964c54183797623f7a8b992c1ffabfa6080dd38af0b9f357
Instruction Fuzzy Hash: 32F02DB05411095BCF10EB55DC86E9D7FA89B80318F10013FF804A62D2DBBC8A008B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00402FA0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00403039

Part of subcall function 0049C32E: std::exception::_Copy_str.LIBCMT ref: 0049C349

__CxxThrowException@8.LIBCMT ref: 0040304E

Part of subcall function 0049C9F1: RaiseException.KERNEL32(S0@,?,5896F21E,004BB6BC,00403053,?,004CB4C0,?,5896F21E), ref: 0049CA33

Part of subcall function 00402EE0: std::exception::exception.LIBCMT ref: 00402F10
Part of subcall function 00402EE0: __CxxThrowException@8.LIBCMT ref: 00402F27

_memmove.LIBCMT ref: 00403095

Strings

P-@, xrefs: 00403047

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID: P-@
API String ID: 163498487-3305893085
Opcode ID: a0484082c698ec235ceaedaa41a0e7e5a49afc87a5e6b0cfbc71d63a6c447758
Instruction ID: 8abb1a78577fe6a0bbecbf7ab086c6365ff3b43973a43b2c898c643c438534f5
Opcode Fuzzy Hash: a0484082c698ec235ceaedaa41a0e7e5a49afc87a5e6b0cfbc71d63a6c447758
Instruction Fuzzy Hash: CE41B371911205ABCB14DF69C881A9EBFF8EB09364F50423FE816A73C1D7799A40CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00414A10, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414A1B
_strcpy_s.LIBCMT ref: 00414A32
_memset.LIBCMT ref: 00414A51

Strings

1BEF0A57BE110FD467A, xrefs: 00414A24

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$_strcpy_s
String ID: 1BEF0A57BE110FD467A
API String ID: 1261871945-2910601657
Opcode ID: 88a9e5dfc9833a836808a1ab1ae1f9eb64d6c2832a00b5ef89d707f368bcbc5e
Instruction ID: 7bdc023e39880342543e07bcad02bf11e1c7d3a236515f781d168fd2557a93ae
Opcode Fuzzy Hash: 88a9e5dfc9833a836808a1ab1ae1f9eb64d6c2832a00b5ef89d707f368bcbc5e
Instruction Fuzzy Hash: CFF081706417009FD360DF55D981A4BBBE0FF88B00F40891EF58A97780D778F8008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00403590, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00403604
_memmove.LIBCMT ref: 00403653

Part of subcall function 00403370: std::_Xinvalid_argument.LIBCPMT ref: 0040338A

Strings

string too long, xrefs: 004035FF

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 98eb1c21f80fb018e7c4d8c8c96fb8c7840e94922f8cad7b8fd2620fc14ce9e3
Instruction ID: f3144821c85a426eb57cb42337321211df6be9b4418fb5f9bd87335f55164839
Opcode Fuzzy Hash: 98eb1c21f80fb018e7c4d8c8c96fb8c7840e94922f8cad7b8fd2620fc14ce9e3
Instruction Fuzzy Hash: 2531B132310610ABD6349E5C998491BEBEDEBA6752B200D3FF081D73D1C779DD4483A9

Uniqueness

Uniqueness Score: -1.00%

Function 021B0DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,021B0223,?,?), ref: 021B0E02
SetErrorMode.KERNEL32(00000000,?,?,021B0223,?,?), ref: 021B0E07

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d821965d9bc9b06f90abaa9ef2804d197ecda6e88fab0b0819dd07c329a46ad8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123514512C77D7012A95DC09BCE7B1C9F05B66F108011FB0DD9181C770994046F5

Uniqueness

Uniqueness Score: -1.00%

Function 004AB3F6, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004A0B78,00000000,?,00000000,00000000,00000000,?,004A4E8F,00000001,00000214,?,?), ref: 004AB439

Part of subcall function 004A284D: __getptd_noexit.LIBCMT ref: 004A284D

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 0ad2d8c7dc44aff3a8b917ed81c8241a9261df5c2c174084947612e321cff378
Instruction ID: a04db9638a1dee0b1ca6a23852cada495cbb4116754694e9136b679fe552be70
Opcode Fuzzy Hash: 0ad2d8c7dc44aff3a8b917ed81c8241a9261df5c2c174084947612e321cff378
Instruction Fuzzy Hash: 1F01B5312016159BEB249F25EC14B673754EBB7761F01863BE8158A2A3DB78C800C698

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041DBF0, Relevance: 35.8, APIs: 18, Strings: 2, Instructions: 772COMMON

Download Yara Rule

APIs

Part of subcall function 00496670: FindFirstFileW.KERNEL32(00000000,?,?,?,5896F21E), ref: 004966EC
Part of subcall function 00496670: FindNextFileW.KERNEL32(?,?), ref: 0049679B

Part of subcall function 004962D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000001,?,004966DA,?,?,5896F21E), ref: 004962FB
Part of subcall function 004962D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0049632E

Part of subcall function 00415EA0: std::_Lockit::_Lockit.LIBCPMT ref: 00415EBC

Part of subcall function 004185F0: std::_Lockit::_Lockit.LIBCPMT ref: 0041861C
Part of subcall function 004185F0: std::_Lockit::_Lockit.LIBCPMT ref: 00418642

std::_Lockit::_Lockit.LIBCPMT ref: 0041DE91
_memmove.LIBCMT ref: 0041E05D
_fprintf.LIBCMT ref: 0041E0AA
_fprintf.LIBCMT ref: 0041E0B5
_fprintf.LIBCMT ref: 0041E0C0
_memmove.LIBCMT ref: 0041E130
_fprintf.LIBCMT ref: 0041E181
_fprintf.LIBCMT ref: 0041E18C
_fprintf.LIBCMT ref: 0041E1D4
_fprintf.LIBCMT ref: 0041E213
_fprintf.LIBCMT ref: 0041E22E
_fprintf.LIBCMT ref: 0041E239
_fprintf.LIBCMT ref: 0041E257
_fprintf.LIBCMT ref: 0041E262
_fprintf.LIBCMT ref: 0041E285
_fprintf.LIBCMT ref: 0041E290
std::_Lockit::_Lockit.LIBCPMT ref: 0041E50E
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0041E593

Part of subcall function 0049B347: std::ios_base::_Tidy.LIBCPMT ref: 0049B368

Strings

TK, xrefs: 0041E56A
FALSE, xrefs: 0041E0AF, 0041E186, 0041E20D

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _fprintf$LockitLockit::_std::_$ByteCharFileFindMultiWide_memmovestd::ios_base::_$FirstIos_base_dtorNextTidy
String ID: FALSE$TK
API String ID: 1373035807-3658482967
Opcode ID: 5a82b9d226b8a5f64f0dfe1c55215693df5e092b59378aecd27131957e571985
Instruction ID: 62a3aa233642b21d3fcff5de88d84bf0d7ae202760ec1fb673875ef54a847a4e
Opcode Fuzzy Hash: 5a82b9d226b8a5f64f0dfe1c55215693df5e092b59378aecd27131957e571985
Instruction Fuzzy Hash: 5C626AB1D00228DBDF20DF55C881BDEBBB5BF55704F1041AEE40967281EB786A85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00440C30, Relevance: 29.1, APIs: 7, Strings: 9, Instructions: 1140COMMON

Download Yara Rule

Strings

-x0, xrefs: 004411E1
<, xrefs: 004410AB
+Inf, xrefs: 00441480
0123456789ABCDEF0123456789abcdef, xrefs: 00441156
4L, xrefs: 00441494
Inf, xrefs: 0044148C
-Inf, xrefs: 0044145B
+, xrefs: 0044126E
gfff, xrefs: 004416F1

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: +$+Inf$-Inf$-x0$0123456789ABCDEF0123456789abcdef$<$Inf$gfff$4L
API String ID: 0-1787924640
Opcode ID: 5116af430d9567ea727b958ea1b5fb7e6db769f70edc29c2c3c3e214fe771679
Instruction ID: fba6fbdc4271ef3d03d0cb99a5f74c72394e20d0f9ed21e908b87e9606d76243
Opcode Fuzzy Hash: 5116af430d9567ea727b958ea1b5fb7e6db769f70edc29c2c3c3e214fe771679
Instruction Fuzzy Hash: 4192E971A083819BE712CF14C48035BBFE1FB95344F288D9EE4C597362E779C9958B8A

Uniqueness

Uniqueness Score: -1.00%

Function 004926D0, Relevance: 23.3, APIs: 6, Strings: 7, Instructions: 569processCOMMON

Download Yara Rule

APIs

Part of subcall function 00417A90: std::locale::_Init.LIBCPMT ref: 00417AD6
Part of subcall function 00417A90: std::_Lockit::_Lockit.LIBCPMT ref: 00417AE9

Part of subcall function 00418B00: std::_Lockit::_Lockit.LIBCPMT ref: 00418B59

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004928B5
Process32First.KERNEL32(00000000,00000128), ref: 004928C8
Process32Next.KERNEL32 ref: 004928EE

Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 00417963
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 0041798C
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 004179AB
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 004179CD
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 004179EC
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 00417A09
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 00417A28

Strings

@A@, xrefs: 004927CA, 00492EE1
`J@, xrefs: 004927F8, 00492D90, 00492DB2
@B@, xrefs: 00492826, 00492DD7
0pL, xrefs: 004927C1
---------- , xrefs: 00492959, 00492A9F
A@, xrefs: 004927DE, 00492ECD
----------, xrefs: 00492867

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$LockitLockit::_Process32std::_$CreateFirstInitNextSnapshotToolhelp32std::locale::_
String ID: ----------$---------- $0pL$@A@$@B@$`J@$A@
API String ID: 1947876736-662054990
Opcode ID: bc174fdda8882830cc61b04c1a4d856725d22a7d9ca8c9866f43daf0d3f5a8b3
Instruction ID: 2bfb976691c48a61b7a39d47cec03666e9eca9abd99376726084787559db1fd8
Opcode Fuzzy Hash: bc174fdda8882830cc61b04c1a4d856725d22a7d9ca8c9866f43daf0d3f5a8b3
Instruction Fuzzy Hash: 9B329CB1D00258AFDF20DF94CD85BDEBBB4AF45308F1481AEE40967242DBB95A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0049A6B0, Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 595COMMON

Download Yara Rule

Strings

in-gdi-devcaps-l1-1-0, xrefs: 0049A6ED
/, xrefs: 0049A77E
UT, xrefs: 0049AA04

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: /$UT$in-gdi-devcaps-l1-1-0
API String ID: 0-3985708853
Opcode ID: 0b2936130edaf1771e452198c592b2c756dd34c805548351b8dcbc8e121acbd4
Instruction ID: a792363149891a9abd31b8105d9eae563542827c5719375a632cd780f5a16e86
Opcode Fuzzy Hash: 0b2936130edaf1771e452198c592b2c756dd34c805548351b8dcbc8e121acbd4
Instruction Fuzzy Hash: 1132C1715083858FCB25DF29C8806ABBFE2AFD5304F04893EE9C987342D6389955CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00414FD0, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 263networkfileCOMMON

Download Yara Rule

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00415041
InternetReadFile.WININET(?,?,000003E8,?), ref: 00415062
_memmove.LIBCMT ref: 0041509D
_memset.LIBCMT ref: 004150D7
HttpQueryInfoA.WININET(?,0000001D,?,?,00000000), ref: 004150ED

Strings

text, xrefs: 00415196

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileInternet$HttpInfoPointerQueryRead_memmove_memset
String ID: text
API String ID: 612126011-999008199
Opcode ID: a201c5c297489dc4b39391c9997fe708797e293fd24a75c6bb713e72c03e2bae
Instruction ID: 010eb944c99dd7c4094758586f6ceeef2a8d535b3fc3a7f0f8942080d6cfdaab
Opcode Fuzzy Hash: a201c5c297489dc4b39391c9997fe708797e293fd24a75c6bb713e72c03e2bae
Instruction Fuzzy Hash: C2A16A715047409FD324DF69C984AABBBE8FFC9704F404A2EF48A87650E738E944CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0049BCD2, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A29A5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A29BA
UnhandledExceptionFilter.KERNEL32(xJM), ref: 004A29C5
GetCurrentProcess.KERNEL32(C0000409), ref: 004A29E1
TerminateProcess.KERNEL32(00000000), ref: 004A29E8

Strings

xJM, xrefs: 004A29C0

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: xJM
API String ID: 2579439406-2807593560
Opcode ID: f2e456bb417e733b39653815599da595cb8a1a5e7428df8eb8dac9b11fd2e616
Instruction ID: 59d55090f61c98df212ec8eb8b0f0368b587815597263fbbd6f4bafc4c4d00ac
Opcode Fuzzy Hash: f2e456bb417e733b39653815599da595cb8a1a5e7428df8eb8dac9b11fd2e616
Instruction Fuzzy Hash: E021BCB88023049FD740DFA9F9457543BA8FBA9325F11413BE54896361EBB4A981CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 004AC917, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,004ACF54,?,004A122C,?,000000BC,?,00000001,00000000,00000000), ref: 004AC956
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,004ACF54,?,004A122C,?,000000BC,?,00000001,00000000,00000000), ref: 004AC97F
GetACP.KERNEL32(?,?,004ACF54,?,004A122C,?,000000BC,?,00000001,00000000), ref: 004AC993

Strings

ACP, xrefs: 004AC926
OCP, xrefs: 004AC937

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 05aff873d96311cc49e3e9e9f08f3a53032b8d964b201d92d4064beed88df1fd
Instruction ID: 7c9d50e7e84f5f118dcac1fb45d922fb705bb6fdb9ec152af251a6aa9ab4fab2
Opcode Fuzzy Hash: 05aff873d96311cc49e3e9e9f08f3a53032b8d964b201d92d4064beed88df1fd
Instruction Fuzzy Hash: 2801FCB5606206BBEB519B65AC86F9B77ACAF23718F20001FF101E21C0FB68DE41C65C

Uniqueness

Uniqueness Score: -1.00%

Function 00498B40, Relevance: 7.6, APIs: 5, Instructions: 127timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,00000000,?,?,0049A7E7,?,?,00000000,00000000,00000010), ref: 00498B94
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,0049A7E7,?,?,00000000,00000000), ref: 00498BC1
GetLocalTime.KERNEL32(?,?,?,0049A7E7,?,?,00000000,00000000,00000010,00000000), ref: 00498C06
SystemTimeToFileTime.KERNEL32(?,?,?,?,0049A7E7,?,?,00000000,00000000,00000010,00000000), ref: 00498C16
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498C53

Part of subcall function 00498570: GetFileInformationByHandle.KERNEL32(?,?,?,?), ref: 004985A6

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 89576305-0
Opcode ID: 8de9f16e28c943ed37f5d46d155a9b6da7c04f9b91277517f3cfe4386719e072
Instruction ID: 17ee11142aad87d9e1524ee9e71412c506f87eb4d94cfcf7d0711618822b5b06
Opcode Fuzzy Hash: 8de9f16e28c943ed37f5d46d155a9b6da7c04f9b91277517f3cfe4386719e072
Instruction Fuzzy Hash: 524184B15047449FD724DF2DD88096BFBE8FB98314F404A2EF59A83650EB35E848CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0224BF22, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02252BF5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02252C0A
UnhandledExceptionFilter.KERNEL32(004C83A8), ref: 02252C15
GetCurrentProcess.KERNEL32(C0000409), ref: 02252C31
TerminateProcess.KERNEL32(00000000), ref: 02252C38

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f2e456bb417e733b39653815599da595cb8a1a5e7428df8eb8dac9b11fd2e616
Instruction ID: 90c467bf78d76f545d3fa42f6e904527dfa2f8c3c09863abfb6a4a551b3ebb17
Opcode Fuzzy Hash: f2e456bb417e733b39653815599da595cb8a1a5e7428df8eb8dac9b11fd2e616
Instruction Fuzzy Hash: 3821CDB88123049BD740DFA8F9457547BA8FBA8325F11453BE94897360EBB0A581CF0C

Uniqueness

Uniqueness Score: -1.00%

Function 022468C0, Relevance: 4.6, APIs: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 02246520: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000001,?,0224692A,?,?,004D279C), ref: 0224654B
Part of subcall function 02246520: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0224657E

FindFirstFileW.KERNEL32(00000000,?,?,?,004D279C), ref: 0224693C
FindNextFileW.KERNEL32(?,?), ref: 022469EB
FindNextFileW.KERNEL32(?,?,?,?,?), ref: 02246A79

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: FileFind$ByteCharMultiNextWide$First
String ID:
API String ID: 1501163664-0
Opcode ID: d917b43fba4d8f33674cf65e126e6d7e10101edb8951a24cc533958845b5fdc1
Instruction ID: 42b7ca2d34c0d2d05c473bad7fd2f7c03ce9e815c56439e24ce2f19ce3538b9f
Opcode Fuzzy Hash: d917b43fba4d8f33674cf65e126e6d7e10101edb8951a24cc533958845b5fdc1
Instruction Fuzzy Hash: 3D518FB15183819BD728DF94C884AABB7EDFFD8304F448A2EE48987254EB74E504CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00496670, Relevance: 4.6, APIs: 3, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004962D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000001,?,004966DA,?,?,5896F21E), ref: 004962FB
Part of subcall function 004962D0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0049632E

FindFirstFileW.KERNEL32(00000000,?,?,?,5896F21E), ref: 004966EC
FindNextFileW.KERNEL32(?,?), ref: 0049679B
FindNextFileW.KERNEL32(?,?,?,?,?), ref: 00496829

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFind$ByteCharMultiNextWide$First
String ID:
API String ID: 1501163664-0
Opcode ID: d917b43fba4d8f33674cf65e126e6d7e10101edb8951a24cc533958845b5fdc1
Instruction ID: 0d2b8d864ed86e80172c5fe242d0e61fb55c426dd9a101164f238c3e4891137a
Opcode Fuzzy Hash: d917b43fba4d8f33674cf65e126e6d7e10101edb8951a24cc533958845b5fdc1
Instruction Fuzzy Hash: B9518DB15083819BDB20DF65C985A9BBBE8FFD8304F454A2EF48983250EB78E504CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00498990, Relevance: 4.6, APIs: 3, Instructions: 121fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004989E1
_memmove.LIBCMT ref: 00498A91
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,0049902E,?,00000000,?,00004000,?,00000000,?), ref: 00498AB5

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memmove$FileWrite
String ID:
API String ID: 726942401-0
Opcode ID: 2768d2ef051900618224d300e7ff53ccd59e37fd360ecf48f74ee32be75c27da
Instruction ID: 986d0415b1d1014c74def0908bc7bc2070a4c2b2779cb8c7359b06e8e5ea05ed
Opcode Fuzzy Hash: 2768d2ef051900618224d300e7ff53ccd59e37fd360ecf48f74ee32be75c27da
Instruction Fuzzy Hash: 2D41BDB2600B019BC768DF19D980A27BBE9FBD5310B54493FE48387A41D639F405CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0225CB67, Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0225D1A4,?,0225147C,?,000000BC,?,00000001,00000000,00000000), ref: 0225CBA6
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0225D1A4,?,0225147C,?,000000BC,?,00000001,00000000,00000000), ref: 0225CBCF
GetACP.KERNEL32(?,?,0225D1A4,?,0225147C,?,000000BC,?,00000001,00000000), ref: 0225CBE3

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 05aff873d96311cc49e3e9e9f08f3a53032b8d964b201d92d4064beed88df1fd
Instruction ID: 0c7fd8b782f3c8c24affdb9189f2729dda8b69695e8d289b260cfefa6327a261
Opcode Fuzzy Hash: 05aff873d96311cc49e3e9e9f08f3a53032b8d964b201d92d4064beed88df1fd
Instruction Fuzzy Hash: B9017531615B1BBBEB119FA4EC06F5976A9AB0075CF10809BE901E5084FF70DA41D698

Uniqueness

Uniqueness Score: -1.00%

Function 021B092B, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 021B0966
., xrefs: 021B095F
GetProcAddress., xrefs: 021B09DC, 021B09DF, 021B09E4

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 42c187d63ad208e56e3ce7d04a141884dc5d9f54a8ed117be69e661acb09b349
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E53148B6900609DFDB11CF99C880AEEBBF9FF4C324F15414AD845A7250D7B1EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 021B0ED1, Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07aed9a80e6987493a7dc1c268839c685e127a92a9bbe308dc3ec03e0e11efea
Instruction ID: 0da60c95d067e98c0b0caa4d753d29e029919de15d7875e146345e61dd80bdb3
Opcode Fuzzy Hash: 07aed9a80e6987493a7dc1c268839c685e127a92a9bbe308dc3ec03e0e11efea
Instruction Fuzzy Hash: DF51A6A254E3C02FD31387744CA4A907FB2AF17218B1E46CBD0C1CF5B3E29A4959C762

Uniqueness

Uniqueness Score: -1.00%

Function 0224D340, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 8a3c99ddded6a51d96cecb52d77f0853295346c91538f86f2f538b81fb37a2c0
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 19110BB726414343D70C8ABDD4F86BAAF95EBC612DB2D43A5E0414F75CDB62E1459D00

Uniqueness

Uniqueness Score: -1.00%

Function 0049D0F0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 321b955498b90130f58826a429d81102f9d33588e07cb83a6734ca6c8551ad8b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 4B115077A0009153DE14CE3DD9B65B7EF95EBD7320B2C437BD0414B758D22AD985D608

Uniqueness

Uniqueness Score: -1.00%

Function 004982C0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418356fbf7a41597f6cb58822acaa329cff84b2edbddee9a3604e00bcfe76132
Instruction ID: e7eb43701fe1d378e3c2e4dfa6114a63b42d6e99290750e85edf32d235511e88
Opcode Fuzzy Hash: 418356fbf7a41597f6cb58822acaa329cff84b2edbddee9a3604e00bcfe76132
Instruction Fuzzy Hash: B3219A335798F706D7948B328C04A762BD2CBCA246F6F81F9DE8487252C63ED403E615

Uniqueness

Uniqueness Score: -1.00%

Function 021B0D90, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 3f40eb4ea030d5a5473f21297c9268c3f669008578947005c12a4d5ecb58679b
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 99F0CD76A406049FDF22CF24C805BEE73F9FF88215F4441A8D80AD7282D331E9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00404AA0, Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404AF2
std::_Xinvalid_argument.LIBCPMT ref: 00404B14
_memmove.LIBCMT ref: 00404B72
_memmove.LIBCMT ref: 00404B99
_memmove.LIBCMT ref: 00404BAE
_memmove.LIBCMT ref: 00404BDE
_memmove.LIBCMT ref: 00404D79
std::_Xinvalid_argument.LIBCPMT ref: 00404DAF

Strings

invalid string position, xrefs: 00404DAA
string too long, xrefs: 00404AED, 00404B0F

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 949745c46d393ce84c4dd6718055479f4a2c5e678b9bead8a90ae0b3649265f0
Instruction ID: c2cef426deeffe9d05cef3f3d9891c92d3c3a103ee5b0e0520645e383c7c02d8
Opcode Fuzzy Hash: 949745c46d393ce84c4dd6718055479f4a2c5e678b9bead8a90ae0b3649265f0
Instruction Fuzzy Hash: B2A171B03141409BDA28CE1CDD95A2EB3A6EFC5704768093EE682E77D1D63CEC45876E

Uniqueness

Uniqueness Score: -1.00%

Function 00404660, Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 305COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004046A2
std::_Xinvalid_argument.LIBCPMT ref: 004046C0
_memmove.LIBCMT ref: 0040472D
_memmove.LIBCMT ref: 0040475F
std::_Xinvalid_argument.LIBCPMT ref: 004047D3
std::_Xinvalid_argument.LIBCPMT ref: 00404848
std::_Xinvalid_argument.LIBCPMT ref: 00404860
std::_Xinvalid_argument.LIBCPMT ref: 0040487A
_memmove.LIBCMT ref: 004048E4
_memmove.LIBCMT ref: 00404901

Strings

invalid string position, xrefs: 004047CE, 00404843
string too long, xrefs: 0040469D, 004046BB, 0040485B, 00404875

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 7609e0a0032f5b97959fdf184ffc1fecabbf64c3114a8a6f498bd1ae64eed66f
Instruction ID: 624e38b0dce2cd2fdf7bbce591bc919b4c01a7962ea774963b332ee451eed2f5
Opcode Fuzzy Hash: 7609e0a0032f5b97959fdf184ffc1fecabbf64c3114a8a6f498bd1ae64eed66f
Instruction Fuzzy Hash: A491B4B63002409BD724DE1DE98096AB3E6EBD2714B204E3FF192E76C1D778DC4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415310, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 203networkCOMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 004153E5
InternetOpenA.WININET(?,00000000,?,00000000,00000000), ref: 00415403
InternetSetOptionA.WININET ref: 00415425
InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 0041544F
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00400000,00000001), ref: 0041547D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041549A
InternetCloseHandle.WININET(00000000), ref: 004154B1

Part of subcall function 00414FD0: InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00415041
Part of subcall function 00414FD0: InternetReadFile.WININET(?,?,000003E8,?), ref: 00415062
Part of subcall function 00414FD0: _memmove.LIBCMT ref: 0041509D
Part of subcall function 00414FD0: _memset.LIBCMT ref: 004150D7
Part of subcall function 00414FD0: HttpQueryInfoA.WININET(?,0000001D,?,?,00000000), ref: 004150ED

InternetCloseHandle.WININET(00000000), ref: 004154B8
InternetCloseHandle.WININET(00000000), ref: 004154C4

Part of subcall function 00414E80: HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F00
Part of subcall function 00414E80: HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F30
Part of subcall function 00414E80: HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F60
Part of subcall function 00414E80: HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F90

Strings

GET, xrefs: 00415477
http://, xrefs: 00415377
/, xrefs: 004153A6

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Internet$Http$Request$Headers$CloseHandle$FileOpen$ConnectInfoOptionPointerQueryReadSend__cftof_memmove_memset
String ID: /$GET$http://
API String ID: 3181371185-2325301807
Opcode ID: a4fc0dd2e020c51f0a4ed7fa7a9d8d6085e411f62a85b08fed1a7b6822b54528
Instruction ID: 8db07d805f68f9f5de63f8cd420c743e13d842eb26b56de422f3cb701a38c734
Opcode Fuzzy Hash: a4fc0dd2e020c51f0a4ed7fa7a9d8d6085e411f62a85b08fed1a7b6822b54528
Instruction Fuzzy Hash: 556193B1608740EFD710DB64DC85FABB7E9FBC9704F40092EF58596281DBB8E9448B1A

Uniqueness

Uniqueness Score: -1.00%

Function 00405100, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00414A10: _memset.LIBCMT ref: 00414A1B
Part of subcall function 00414A10: _strcpy_s.LIBCMT ref: 00414A32
Part of subcall function 00414A10: _memset.LIBCMT ref: 00414A51

_memset.LIBCMT ref: 00405170
_memset.LIBCMT ref: 00405183
_strtok.LIBCMT ref: 004051B3
lstrcatA.KERNEL32(?,00753210,?,?,00000000,5896F21E), ref: 004051DF
lstrcatA.KERNEL32(?,00000000,?,?,00000000,5896F21E), ref: 00405202
lstrcatA.KERNEL32(?,006D25A0), ref: 00405227
lstrcatA.KERNEL32(?,?,?,00000000), ref: 0040525C
lstrcatA.KERNEL32(?,006D3338), ref: 0040526C
ShellExecuteA.SHELL32(00000000,00000000,?,004BB6C4,00000000,00000000), ref: 0040533D
_strtok.LIBCMT ref: 00405352

Strings

83m, xrefs: 0040525E, 0040526E

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$_memset$_strtok$ExecuteShell_strcpy_s
String ID: 83m
API String ID: 1415731133-307303919
Opcode ID: f9c2aa327a9252ee08233d91339566c0136ba04a51cef3ae75b43697f585151a
Instruction ID: c786249e37913b12d59a80b914a847e06419e2e2d3a03ff72aac9bf4afb915a0
Opcode Fuzzy Hash: f9c2aa327a9252ee08233d91339566c0136ba04a51cef3ae75b43697f585151a
Instruction Fuzzy Hash: 3471A2B11083809FD725EF55C880AABBBECEF95744F40092EF18547151DB789A48CB67

Uniqueness

Uniqueness Score: -1.00%

Function 00417940, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00417963

Part of subcall function 0049C9F1: RaiseException.KERNEL32(S0@,?,5896F21E,004BB6BC,00403053,?,004CB4C0,?,5896F21E), ref: 0049CA33

std::exception::exception.LIBCMT ref: 0041798C
__CxxThrowException@8.LIBCMT ref: 004179AB
std::exception::exception.LIBCMT ref: 004179CD
__CxxThrowException@8.LIBCMT ref: 004179EC
std::exception::exception.LIBCMT ref: 00417A09
__CxxThrowException@8.LIBCMT ref: 00417A28

Strings

ios_base::badbit set, xrefs: 00417984
ios_base::eofbit set, xrefs: 00417A01
yA, xrefs: 004179A3, 004179E4, 00417A20
ios_base::failbit set, xrefs: 004179C5

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: yA$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4237746311-666802446
Opcode ID: f9a38244dd8c08ae4e606d4ae5f10f3c9dd1d32984c2b23f61a32791cb04162a
Instruction ID: 743ca177a8dca47bb895a7b018980b98b76616d38f0cf74092dd70c349b140ae
Opcode Fuzzy Hash: f9a38244dd8c08ae4e606d4ae5f10f3c9dd1d32984c2b23f61a32791cb04162a
Instruction Fuzzy Hash: FF21A1F54087015FC700DF56C442B8BBBE4BF98708F048A5FB18956241E7B8C608CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00498570, Relevance: 16.7, APIs: 11, Instructions: 198fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,?,?), ref: 004985A6
GetFileSize.KERNEL32(?,00000000,00000000), ref: 0049862C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?), ref: 0049864D
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00498664
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0049866D
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0049867E
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0049869F
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 004986B0

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: bfbb248982ee7a52a62e57597ec3854ac9af00e181a86566ae72ff5cad27a90f
Instruction ID: 227adef929ca9e4cc889ebfd138ef45e677136110288c94b542a9d3f050b2155
Opcode Fuzzy Hash: bfbb248982ee7a52a62e57597ec3854ac9af00e181a86566ae72ff5cad27a90f
Instruction Fuzzy Hash: 19616E71604300AFE714DF59CC81B6BBBE4FB89704F14892EF65597280DB78E9048B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00414E80, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 93networkCOMMON

Download Yara Rule

APIs

HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F00
HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F30
HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F60
HttpAddRequestHeadersA.WININET(?,5896F21E,?,20000000), ref: 00414F90

Strings

Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00414F68
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00414EB6
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00414F38
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00414F08

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HeadersHttpRequest
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
API String ID: 1754618566-787135837
Opcode ID: 7a6b28609bb06b2c6554c66f11959ef481696574e28899dfeb95dec1988d598e
Instruction ID: 63dd635962c0a455672f220ede9d29cf1853c3f817067128a2956c77e0f4bbdb
Opcode Fuzzy Hash: 7a6b28609bb06b2c6554c66f11959ef481696574e28899dfeb95dec1988d598e
Instruction Fuzzy Hash: B8312A71548300AFD200DF50C845FABB7E8EBD9715F50892EF59556280E778EA09CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0049C0DC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(004D4A28,P-@,?,?,?,0049C1E0,?,004CEA38,0000000C,0049C20C,?,?,0049C9D5,004B7CF1,?), ref: 0049C0F1
DecodePointer.KERNEL32(?,?,0049C1E0,?,004CEA38,0000000C,0049C20C,?,?,0049C9D5,004B7CF1,?), ref: 0049C0FE
__realloc_crt.LIBCMT ref: 0049C13B
__realloc_crt.LIBCMT ref: 0049C151
EncodePointer.KERNEL32(00000000,?,?,0049C1E0,?,004CEA38,0000000C,0049C20C,?,?,0049C9D5,004B7CF1,?), ref: 0049C163
EncodePointer.KERNEL32(?,?,?,0049C1E0,?,004CEA38,0000000C,0049C20C,?,?,0049C9D5,004B7CF1,?), ref: 0049C177
EncodePointer.KERNEL32(-00000004,?,?,0049C1E0,?,004CEA38,0000000C,0049C20C,?,?,0049C9D5,004B7CF1,?), ref: 0049C17F

Strings

P-@, xrefs: 0049C0E3

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID: P-@
API String ID: 4108716018-3305893085
Opcode ID: 25e0e4e601459e24bcbd8275923078b7c521353a8ec7af66a76a19f52b6b5bdf
Instruction ID: 7012e1594ca56cf5a7f4639412be7d728f5325b0ba160baa60806d2465e23922
Opcode Fuzzy Hash: 25e0e4e601459e24bcbd8275923078b7c521353a8ec7af66a76a19f52b6b5bdf
Instruction Fuzzy Hash: 8F11D372600215AFDF005F78EDC285A7BEDEB45364311097BE801E3261EB75EC818E9C

Uniqueness

Uniqueness Score: -1.00%

Function 00418BC0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00418BEC
std::_Lockit::_Lockit.LIBCPMT ref: 00418C12
std::bad_exception::bad_exception.LIBCMT ref: 00418C9A
__CxxThrowException@8.LIBCMT ref: 00418CA9
std::_Lockit::_Lockit.LIBCPMT ref: 00418CBE
std::locale::facet::_Facet_Register.LIBCPMT ref: 00418CD9

Strings

bad cast, xrefs: 00418C91

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 83d41c88ff931d7d6301c3aa6b0f4b63562c0c551ec5aad7f4c51ed11fc7bb8d
Instruction ID: d69058116a1a3acccef6f5373c2ea6e32dd072e941d31743e9c80540a8624ea0
Opcode Fuzzy Hash: 83d41c88ff931d7d6301c3aa6b0f4b63562c0c551ec5aad7f4c51ed11fc7bb8d
Instruction Fuzzy Hash: 9931BF755053408BCB14DF15D981B9A77E0FB95764F00466FF8A2532A1EB38A884CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 00493B90, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00493BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00493BE2
std::bad_exception::bad_exception.LIBCMT ref: 00493C6A
__CxxThrowException@8.LIBCMT ref: 00493C79
std::_Lockit::_Lockit.LIBCPMT ref: 00493C8E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00493CA9

Strings

bad cast, xrefs: 00493C61

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 91d13c19d6b3e21b09ab20da20e99d609926edf14989370538faf6f3e410335f
Instruction ID: 7d8f94ddcc88eb06d6b12c6cd763c9a74d5afebd6c75c6ac46e3528febf0ce6b
Opcode Fuzzy Hash: 91d13c19d6b3e21b09ab20da20e99d609926edf14989370538faf6f3e410335f
Instruction Fuzzy Hash: A031D3765047409FCB14DF14D985B5ABBE0FB96725F00067FF852632A1D738EA04CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041861C
std::_Lockit::_Lockit.LIBCPMT ref: 00418642
std::bad_exception::bad_exception.LIBCMT ref: 004186CA
__CxxThrowException@8.LIBCMT ref: 004186D9
std::_Lockit::_Lockit.LIBCPMT ref: 004186EE
std::locale::facet::_Facet_Register.LIBCPMT ref: 00418709

Strings

bad cast, xrefs: 004186C1

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 52582ac12b1018fab5956bb68680d91455fa7c00245413156fd600cf34055142
Instruction ID: 61d71b5fe86ca11294d5420486f5379aa49884d9afa9d9a02dc993d09b18ea87
Opcode Fuzzy Hash: 52582ac12b1018fab5956bb68680d91455fa7c00245413156fd600cf34055142
Instruction Fuzzy Hash: 4931E0755043408FCB14EF10E991B9A77E0FB94764F140A6FF496A72E1DB38E884CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 02256C05, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02256C11

Part of subcall function 0225512D: __getptd_noexit.LIBCMT ref: 02255130
Part of subcall function 0225512D: __amsg_exit.LIBCMT ref: 0225513D

__amsg_exit.LIBCMT ref: 02256C31
__lock.LIBCMT ref: 02256C41
InterlockedDecrement.KERNEL32(?), ref: 02256C5E
_free.LIBCMT ref: 02256C71
InterlockedIncrement.KERNEL32(004D3198), ref: 02256C89

Strings

p-M, xrefs: 02256C68

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: p-M
API String ID: 3470314060-2214057600
Opcode ID: c6d5e5cc163e3a14878b468e786f66a7dd820308b16dad6286adaea5fe03d541
Instruction ID: aaadf311b40ecceb0c7b76647cac92919976f061726caa35f012678d2aa4a947
Opcode Fuzzy Hash: c6d5e5cc163e3a14878b468e786f66a7dd820308b16dad6286adaea5fe03d541
Instruction Fuzzy Hash: F101A131A21736ABCB14AFA4940C76D7765BF0076AF84C15ADC1467298CB385541CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 0225188E, Relevance: 10.7, APIs: 7, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0225190F
_strncmp.LIBCMT ref: 02251952
_strlen.LIBCMT ref: 02251960
_strcspn.LIBCMT ref: 02251986
__setlocale_get_all.LIBCMT ref: 02251A96

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __setlocale_get_all_strcspn_strlen_strncmp_strpbrk
String ID:
API String ID: 3252769141-0
Opcode ID: 66a68c162eb7ed8f1ae0855585f61939bb078f8e4e5ed5b98ef6c6e4813903ff
Instruction ID: 68b3e72b0323fa75e06b07e22a0dabd9f03f45f5410f1b9643781c6ce7c59330
Opcode Fuzzy Hash: 66a68c162eb7ed8f1ae0855585f61939bb078f8e4e5ed5b98ef6c6e4813903ff
Instruction Fuzzy Hash: AA51B6719202769AEF319AF48C80BA977B5AF41354F14C4A9ED4DA6049DF788E94CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00493AA0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00493AB4

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

std::_Xinvalid_argument.LIBCPMT ref: 00493ACC
std::_Xinvalid_argument.LIBCPMT ref: 00493AE7
_memmove.LIBCMT ref: 00493B51

Strings

invalid string position, xrefs: 00493AAF
string too long, xrefs: 00493AC7, 00493AE2

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 8a65d4b70570bccffd81223860bcb2a6f0006c12e3b732f5b8e7ed91bf90e76e
Instruction ID: 80ac770b44c08de99d0c48a9b291aac7c7f8c1ef6702c59f1ddaddfc7c802566
Opcode Fuzzy Hash: 8a65d4b70570bccffd81223860bcb2a6f0006c12e3b732f5b8e7ed91bf90e76e
Instruction Fuzzy Hash: 7F2109323042105BCA209E5D9880A2FFBE9DBD2762B20093FF181C7782CB69AD4443AD

Uniqueness

Uniqueness Score: -1.00%

Function 00496100, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00417A90: std::locale::_Init.LIBCPMT ref: 00417AD6
Part of subcall function 00417A90: std::_Lockit::_Lockit.LIBCPMT ref: 00417AE9

Part of subcall function 00418B00: std::_Lockit::_Lockit.LIBCPMT ref: 00418B59

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0049629C

Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 00417963
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 0041798C
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 004179AB
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 004179CD
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 004179EC
Part of subcall function 00417940: std::exception::exception.LIBCMT ref: 00417A09
Part of subcall function 00417940: __CxxThrowException@8.LIBCMT ref: 00417A28

Strings

0pL, xrefs: 004961D7
@A@, xrefs: 004961DE
`J@, xrefs: 0049620B
@B@, xrefs: 00496218
A@, xrefs: 004961ED

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$LockitLockit::_std::_$InitIos_base_dtorstd::ios_base::_std::locale::_
String ID: 0pL$@A@$@B@$`J@$A@
API String ID: 250614744-438863827
Opcode ID: 97e982bee7af23ef6303ac1ab39a5d5ab0d7019686e83b7fe38ec1941dbf8ba8
Instruction ID: 65ae86c68d49ab7a11304c8b24cbdb17181524f5cbbb5bd10e2968bbc8fed94e
Opcode Fuzzy Hash: 97e982bee7af23ef6303ac1ab39a5d5ab0d7019686e83b7fe38ec1941dbf8ba8
Instruction Fuzzy Hash: B64137B0508380CFD724DF24C580B9BFBE4FB98308F508D2EE59997251DBB89548CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404570, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404587

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

std::_Xinvalid_argument.LIBCPMT ref: 004045AA
std::_Xinvalid_argument.LIBCPMT ref: 004045C5
_memmove.LIBCMT ref: 00404626

Strings

invalid string position, xrefs: 00404582
string too long, xrefs: 004045A5, 004045C0

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: ac6c81bb67f34bb604cf7880d2d8626fd5da6d16922bb2eda33b441d95c4093e
Instruction ID: 250e57ee2fc2892ce8122578cd2753f4dee41fd89a5c0ce31f9679457375e17d
Opcode Fuzzy Hash: ac6c81bb67f34bb604cf7880d2d8626fd5da6d16922bb2eda33b441d95c4093e
Instruction Fuzzy Hash: 2F2193723042009BC724DE1DE990A2AB7E1EBE6714B600E3FF252D72D1D779DC4187A9

Uniqueness

Uniqueness Score: -1.00%

Function 021C7B90, Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021C7BB3

Part of subcall function 0224CC41: RaiseException.KERNEL32(021B32A3,?,004D279C,004BB6BC,021B32A3,?,004CB4C0,?,004D279C), ref: 0224CC83

std::exception::exception.LIBCMT ref: 021C7BDC
__CxxThrowException@8.LIBCMT ref: 021C7BFB
std::exception::exception.LIBCMT ref: 021C7C1D
__CxxThrowException@8.LIBCMT ref: 021C7C3C
std::exception::exception.LIBCMT ref: 021C7C59
__CxxThrowException@8.LIBCMT ref: 021C7C78

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID:
API String ID: 4237746311-0
Opcode ID: f9a38244dd8c08ae4e606d4ae5f10f3c9dd1d32984c2b23f61a32791cb04162a
Instruction ID: 5a60220ac8b765513bf14ba58d37d3273c1b6e103ddf7e65cd0f0f3fd2d92c01
Opcode Fuzzy Hash: f9a38244dd8c08ae4e606d4ae5f10f3c9dd1d32984c2b23f61a32791cb04162a
Instruction Fuzzy Hash: 9E2190B58187015FC308DFA8C441B4BF7E5AF98718F14895FB49952154EBB4C209CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 004180A0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004180CE
std::exception::exception.LIBCMT ref: 0041810D

Part of subcall function 0049C32E: std::exception::_Copy_str.LIBCMT ref: 0049C349

__CxxThrowException@8.LIBCMT ref: 00418124

Part of subcall function 0049C9F1: RaiseException.KERNEL32(S0@,?,5896F21E,004BB6BC,00403053,?,004CB4C0,?,5896F21E), ref: 0049CA33

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041812B

Strings

bad locale name, xrefs: 00418105
yA, xrefs: 0041811C

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: yA$bad locale name
API String ID: 73090415-1344023470
Opcode ID: 8c137d7277b8d131593d02a7f6fec72f1394c890439066219a858aad24473143
Instruction ID: b99b666c4dad2dc89f48d61ff09c0cb729f592b38e8194f2ab0e255fa7e4e700
Opcode Fuzzy Hash: 8c137d7277b8d131593d02a7f6fec72f1394c890439066219a858aad24473143
Instruction Fuzzy Hash: C01182B24087409FC310DF199981A47FBE4FB68714F408A6FF49993741D738A508CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004A1AB3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 004A1ABA

Part of subcall function 004A4E64: GetLastError.KERNEL32(?,?,004A2852,0049E89A,?,?,004030AB,?,5896F21E), ref: 004A4E68
Part of subcall function 004A4E64: ___set_flsgetvalue.LIBCMT ref: 004A4E76
Part of subcall function 004A4E64: __calloc_crt.LIBCMT ref: 004A4E8A
Part of subcall function 004A4E64: DecodePointer.KERNEL32(00000000,?,?,004A2852,0049E89A,?,?,004030AB,?,5896F21E), ref: 004A4EA4
Part of subcall function 004A4E64: __initptd.LIBCMT ref: 004A4EB3
Part of subcall function 004A4E64: GetCurrentThreadId.KERNEL32 ref: 004A4EBA
Part of subcall function 004A4E64: SetLastError.KERNEL32(00000000,?,?,004A2852,0049E89A,?,?,004030AB,?,5896F21E), ref: 004A4ED2

__calloc_crt.LIBCMT ref: 004A1ADC
__get_sys_err_msg.LIBCMT ref: 004A1AFA
_strcpy_s.LIBCMT ref: 004A1B02
__invoke_watson.LIBCMT ref: 004A1B17

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004A1AC7, 004A1AEA

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 69636372-798102604
Opcode ID: 57b9c70f459b047f7c084c5922b6572d07aaac525c56e1db00ebfa54f109ff1e
Instruction ID: 9f7b35e12d40908d40a6eea71429319c83616e304f08cffdb19c0e523777ce3d
Opcode Fuzzy Hash: 57b9c70f459b047f7c084c5922b6572d07aaac525c56e1db00ebfa54f109ff1e
Instruction Fuzzy Hash: BFF0813260131057DB2079564C81D6B759CDBE3B28F20843FF90587261FB7E9C01415E

Uniqueness

Uniqueness Score: -1.00%

Function 0224CBC1, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0224CBDB

Part of subcall function 0224E29E: __FF_MSGBANNER.LIBCMT ref: 0224E2B7
Part of subcall function 0224E29E: __NMSG_WRITE.LIBCMT ref: 0224E2BE
Part of subcall function 0224E29E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0224E2E3

std::exception::exception.LIBCMT ref: 0224CC10
std::exception::exception.LIBCMT ref: 0224CC2A
__CxxThrowException@8.LIBCMT ref: 0224CC3B

Strings

P-@, xrefs: 0224CBF3
(JM, xrefs: 0224CBEE

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: (JM$P-@
API String ID: 615853336-2055475409
Opcode ID: 804a66ebd254ce2d86192d8fc90080461ae91bd45b3ba4fc7d0f112b6329f956
Instruction ID: 3c624a76ec03af7c2f0c710d04680027bb4cb3c5d94f9014c0f65500587f346e
Opcode Fuzzy Hash: 804a66ebd254ce2d86192d8fc90080461ae91bd45b3ba4fc7d0f112b6329f956
Instruction Fuzzy Hash: DBF0F97156230A57DB08EBDCDC41AAD7BA9AB80714F10502FE800A6194DFB486408B5C

Uniqueness

Uniqueness Score: -1.00%

Function 021C8E10, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 021C8E3C
std::_Lockit::_Lockit.LIBCPMT ref: 021C8E62
std::bad_exception::bad_exception.LIBCMT ref: 021C8EEA
__CxxThrowException@8.LIBCMT ref: 021C8EF9
std::_Lockit::_Lockit.LIBCPMT ref: 021C8F0E
std::locale::facet::_Facet_Register.LIBCPMT ref: 021C8F29

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID:
API String ID: 2427920155-0
Opcode ID: 83d41c88ff931d7d6301c3aa6b0f4b63562c0c551ec5aad7f4c51ed11fc7bb8d
Instruction ID: 71d8fc172565c18a36d19b0f3fafb2fbd57ef1338519d268d74a11953d992bcb
Opcode Fuzzy Hash: 83d41c88ff931d7d6301c3aa6b0f4b63562c0c551ec5aad7f4c51ed11fc7bb8d
Instruction Fuzzy Hash: FF31DFB99543408BC719DF54D890B5AB3E0BBA4724F61062EF4A2972A0DB30E804CF92

Uniqueness

Uniqueness Score: -1.00%

Function 021C8840, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 021C886C
std::_Lockit::_Lockit.LIBCPMT ref: 021C8892
std::bad_exception::bad_exception.LIBCMT ref: 021C891A
__CxxThrowException@8.LIBCMT ref: 021C8929
std::_Lockit::_Lockit.LIBCPMT ref: 021C893E
std::locale::facet::_Facet_Register.LIBCPMT ref: 021C8959

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID:
API String ID: 2427920155-0
Opcode ID: 52582ac12b1018fab5956bb68680d91455fa7c00245413156fd600cf34055142
Instruction ID: b4aa1cec12e0f2a43b908dcd9919d71070a7c0da3ac1e357b6f62c0ba47fb6c9
Opcode Fuzzy Hash: 52582ac12b1018fab5956bb68680d91455fa7c00245413156fd600cf34055142
Instruction Fuzzy Hash: 6831C2399593408FC719EF14D890B6AB7E0FBA4724F55062EF492A76E0DB30E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02243DE0, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02243E0C
std::_Lockit::_Lockit.LIBCPMT ref: 02243E32
std::bad_exception::bad_exception.LIBCMT ref: 02243EBA
__CxxThrowException@8.LIBCMT ref: 02243EC9
std::_Lockit::_Lockit.LIBCPMT ref: 02243EDE
std::locale::facet::_Facet_Register.LIBCPMT ref: 02243EF9

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID:
API String ID: 2427920155-0
Opcode ID: 91d13c19d6b3e21b09ab20da20e99d609926edf14989370538faf6f3e410335f
Instruction ID: 7396cbc265b46ba029f4da4a4f83e18532bae8675d834cba2b7e2bed6753020a
Opcode Fuzzy Hash: 91d13c19d6b3e21b09ab20da20e99d609926edf14989370538faf6f3e410335f
Instruction Fuzzy Hash: 47319C35A263418BC71CDF94D890B5AB7E4EF94724F500A6EE452972A4DF34E904CF92

Uniqueness

Uniqueness Score: -1.00%

Function 022520C1, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 022520E9

Part of subcall function 0224CF6C: __getptd.LIBCMT ref: 0224CF7A
Part of subcall function 0224CF6C: __getptd.LIBCMT ref: 0224CF88

__getptd.LIBCMT ref: 022520F3

Part of subcall function 0225512D: __getptd_noexit.LIBCMT ref: 02255130
Part of subcall function 0225512D: __amsg_exit.LIBCMT ref: 0225513D

__getptd.LIBCMT ref: 02252101
__getptd.LIBCMT ref: 0225210F
__getptd.LIBCMT ref: 0225211A
_CallCatchBlock2.LIBCMT ref: 02252140

Part of subcall function 0224D011: __CallSettingFrame@12.LIBCMT ref: 0224D05D

Part of subcall function 022521E7: __getptd.LIBCMT ref: 022521F6
Part of subcall function 022521E7: __getptd.LIBCMT ref: 02252204

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8d4060c23243055f3148b2a1561825819f31ddada69ea45590a86c6643508523
Instruction ID: 902aaf77b5678abf3f4239bce96719c00397a3bdddb5a48e0d1f576e802858c1
Opcode Fuzzy Hash: 8d4060c23243055f3148b2a1561825819f31ddada69ea45590a86c6643508523
Instruction Fuzzy Hash: 9E11E2B1C10309DFDF00EFA4D844AAEBBB1BB08350F10D16AE914A7265EB789A119F50

Uniqueness

Uniqueness Score: -1.00%

Function 004A1E71, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004A1E99

Part of subcall function 0049CD1C: __getptd.LIBCMT ref: 0049CD2A
Part of subcall function 0049CD1C: __getptd.LIBCMT ref: 0049CD38

__getptd.LIBCMT ref: 004A1EA3

Part of subcall function 004A4EDD: __getptd_noexit.LIBCMT ref: 004A4EE0
Part of subcall function 004A4EDD: __amsg_exit.LIBCMT ref: 004A4EED

__getptd.LIBCMT ref: 004A1EB1
__getptd.LIBCMT ref: 004A1EBF
__getptd.LIBCMT ref: 004A1ECA
_CallCatchBlock2.LIBCMT ref: 004A1EF0

Part of subcall function 0049CDC1: __CallSettingFrame@12.LIBCMT ref: 0049CE0D

Part of subcall function 004A1F97: __getptd.LIBCMT ref: 004A1FA6
Part of subcall function 004A1F97: __getptd.LIBCMT ref: 004A1FB4

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8d4060c23243055f3148b2a1561825819f31ddada69ea45590a86c6643508523
Instruction ID: 8f6c1583387aca7e048d559fa49f560d0792ab60f5f53046a7620f9b548c2a36
Opcode Fuzzy Hash: 8d4060c23243055f3148b2a1561825819f31ddada69ea45590a86c6643508523
Instruction Fuzzy Hash: F811D4B1C00209DFDF00EFA5C586AAEBBB0FF59318F10856AF814A7251DB789A519F58

Uniqueness

Uniqueness Score: -1.00%

Function 004A69B5, Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004A69C1

Part of subcall function 004A4EDD: __getptd_noexit.LIBCMT ref: 004A4EE0
Part of subcall function 004A4EDD: __amsg_exit.LIBCMT ref: 004A4EED

__amsg_exit.LIBCMT ref: 004A69E1
__lock.LIBCMT ref: 004A69F1
InterlockedDecrement.KERNEL32(?), ref: 004A6A0E
_free.LIBCMT ref: 004A6A21
InterlockedIncrement.KERNEL32(025715F8), ref: 004A6A39

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c6d5e5cc163e3a14878b468e786f66a7dd820308b16dad6286adaea5fe03d541
Instruction ID: 0c02ca99279eb7b28926f2c74e08aad39853fcab0e37f7f36a408eea688105e5
Opcode Fuzzy Hash: c6d5e5cc163e3a14878b468e786f66a7dd820308b16dad6286adaea5fe03d541
Instruction Fuzzy Hash: 2F01C4B1901B21ABCB11AF6A940675F7760BB27719F0A812BE41467390CB7C9A41CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 02243780, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 022437B0

Part of subcall function 0225010B: __getptd.LIBCMT ref: 0225010B

Strings

false, xrefs: 02243812
true, xrefs: 0224383C
., xrefs: 02243887
,, xrefs: 02243890

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __getptd_localeconv
String ID: ,$.$false$true
API String ID: 1421026308-4283260876
Opcode ID: 99c90f483f138ae1042709eb543ca919390a9d49dd6489493c584f65a1096805
Instruction ID: 0424d28f512e123b066893b92ac425ab8a53cb9355648749a24f4f26f5264c43
Opcode Fuzzy Hash: 99c90f483f138ae1042709eb543ca919390a9d49dd6489493c584f65a1096805
Instruction Fuzzy Hash: 6A313B75C183818BCB09DFA8945065AFFA19F4A314F2884EDD89A4F349DF35C904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00493530, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 00493560

Part of subcall function 0049FEBB: __getptd.LIBCMT ref: 0049FEBB

Strings

true, xrefs: 004935EC
,, xrefs: 00493640
., xrefs: 00493637
false, xrefs: 004935C2

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd_localeconv
String ID: ,$.$false$true
API String ID: 1421026308-4283260876
Opcode ID: 2f80f0005759ed82b41f413d7540dff7e419ae79121cbe831705ec9ede9afbe8
Instruction ID: 2a6d5d1f9e94b508d0bb6af87ac1e74d4ec1b8acd567f3678f3be9f5eba983e6
Opcode Fuzzy Hash: 2f80f0005759ed82b41f413d7540dff7e419ae79121cbe831705ec9ede9afbe8
Instruction Fuzzy Hash: C93128B59082809BCF12DF299481666BFA0DF4A354F1880BFDC558F346D739DA05CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00403460, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040347A

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

std::_Xinvalid_argument.LIBCPMT ref: 004034B9

Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B19D
Part of subcall function 0049B188: __CxxThrowException@8.LIBCMT ref: 0049B1B2
Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B1C3

_memmove.LIBCMT ref: 00403521

Strings

invalid string position, xrefs: 00403475
string too long, xrefs: 004034B4

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: fc5b1880c3bad4862aa3e970f4dc086e33232da95e1d65c6beb2f1618e13e9e9
Instruction ID: 16e54054ee1cb2da4d2155e9293334c47a3c7f2cfa6ddc8472a688241ce8b449
Opcode Fuzzy Hash: fc5b1880c3bad4862aa3e970f4dc086e33232da95e1d65c6beb2f1618e13e9e9
Instruction Fuzzy Hash: 9431E2323043149BC621AE5CE98196BF7ADEFD6762710093FF542DB290DB36E90187A9

Uniqueness

Uniqueness Score: -1.00%

Function 00403370, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040338A

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

std::_Xinvalid_argument.LIBCPMT ref: 004033C6

Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B19D
Part of subcall function 0049B188: __CxxThrowException@8.LIBCMT ref: 0049B1B2
Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B1C3

_memmove.LIBCMT ref: 00403427

Strings

invalid string position, xrefs: 00403385
string too long, xrefs: 004033C1

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 3dfc23417125f877db4bd16bbb457c20a143596b1df24d53c4b2241b7b7bec17
Instruction ID: fc52d5bcf03503e14a0d47f07702954af73c8eadaf93a15c0afd54800ed5a30f
Opcode Fuzzy Hash: 3dfc23417125f877db4bd16bbb457c20a143596b1df24d53c4b2241b7b7bec17
Instruction Fuzzy Hash: 0121F7323006109BC7219E5DA980A6EFB9CDBE2766F20093FF551DB2C1DB799D4083A9

Uniqueness

Uniqueness Score: -1.00%

Function 00493050, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00493057

Part of subcall function 0049E04E: __FF_MSGBANNER.LIBCMT ref: 0049E067
Part of subcall function 0049E04E: __NMSG_WRITE.LIBCMT ref: 0049E06E
Part of subcall function 0049E04E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A0B2E,00000000,00000001,00000000,?,004A75C4,00000018,004CF090,0000000C,004A7654), ref: 0049E093

GetTickCount.KERNEL32 ref: 00493064

Part of subcall function 0049FE88: __getptd.LIBCMT ref: 0049FE8D

_rand.LIBCMT ref: 00493080

Part of subcall function 0049FE9A: __getptd.LIBCMT ref: 0049FE9A

_sprintf.LIBCMT ref: 00493095

Strings

%s%d, xrefs: 0049308F

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_rand_sprintf
String ID: %s%d
API String ID: 2210831635-1110647743
Opcode ID: 9ebabe74a073720600e8862edd3ea84d53632f7f2ce9d6442dfb6cdb9d76b5c6
Instruction ID: 94034e78967ba481b7292eef43dac6ac7b7959af3d56be502e03ba38a1ad7de7
Opcode Fuzzy Hash: 9ebabe74a073720600e8862edd3ea84d53632f7f2ce9d6442dfb6cdb9d76b5c6
Instruction Fuzzy Hash: 51F0BB9370015157DB117AAA9C45F87AE8C8F61351F14447FF648C7213E969CD5083BB

Uniqueness

Uniqueness Score: -1.00%

Function 004A1BAE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004A1BCF

Part of subcall function 004A4EDD: __getptd_noexit.LIBCMT ref: 004A4EE0
Part of subcall function 004A4EDD: __amsg_exit.LIBCMT ref: 004A4EED

__getptd.LIBCMT ref: 004A1BE0
__getptd.LIBCMT ref: 004A1BEE

Strings

RCC, xrefs: 004A1BBA
MOC, xrefs: 004A1BC1

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: b1bbe44ff54bde19c51d4256c27e1c908a71b64fc5c6ce829d285814e0e4f12e
Instruction ID: 7fb8cc94cb0179e7aff9487af22bea6490357e6a3e84a5b52399565006445256
Opcode Fuzzy Hash: b1bbe44ff54bde19c51d4256c27e1c908a71b64fc5c6ce829d285814e0e4f12e
Instruction Fuzzy Hash: 07E012351041048FC7109765C08AB6A33D5FBE635CF5908E7E40DCB372D76CE8908A5A

Uniqueness

Uniqueness Score: -1.00%

Function 0224E405, Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0224E460
_memcpy_s.LIBCMT ref: 0224E4D1
__read.LIBCMT ref: 0224E534
__filbuf.LIBCMT ref: 0224E550

Part of subcall function 02252A9D: __getptd_noexit.LIBCMT ref: 02252A9D

_memset.LIBCMT ref: 0224E591

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 583b1b677e1792be25ddf204d47e98c5b0f8de77f7936e8b47d8b9f05f1225b4
Instruction ID: e4e9521e58867e13920b24fe1d9fab44802f8555aa2bbc5db22f6fc8581b5210
Opcode Fuzzy Hash: 583b1b677e1792be25ddf204d47e98c5b0f8de77f7936e8b47d8b9f05f1225b4
Instruction Fuzzy Hash: DB51E970E20306DFEB289FF9D84469EB771BF44324F568269E824961D8EB70DA50CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0049E1B5, Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0049E210
_memcpy_s.LIBCMT ref: 0049E281
__read.LIBCMT ref: 0049E2E4
__filbuf.LIBCMT ref: 0049E300

Part of subcall function 004A284D: __getptd_noexit.LIBCMT ref: 004A284D

_memset.LIBCMT ref: 0049E341

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 583b1b677e1792be25ddf204d47e98c5b0f8de77f7936e8b47d8b9f05f1225b4
Instruction ID: 1ac67f202c977f64f0fa06004735b99fc761685b36bf4d2ab039f42c530740d4
Opcode Fuzzy Hash: 583b1b677e1792be25ddf204d47e98c5b0f8de77f7936e8b47d8b9f05f1225b4
Instruction Fuzzy Hash: 4E51D030A00205EBDF24DFABC94469FBFB5AF51320F24827BE82497291D7789E41CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0224EA17, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0224EA25

Part of subcall function 0224E29E: __FF_MSGBANNER.LIBCMT ref: 0224E2B7
Part of subcall function 0224E29E: __NMSG_WRITE.LIBCMT ref: 0224E2BE
Part of subcall function 0224E29E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0224E2E3

_free.LIBCMT ref: 0224EA38

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 96a29856673fc55b7648a9f01021e814253421bdac77e492bf7afe3959301c66
Instruction ID: a2fa66b6b1655b263910434389a7c9d70f4b45e49ae05f6ca576c5e1713a562d
Opcode Fuzzy Hash: 96a29856673fc55b7648a9f01021e814253421bdac77e492bf7afe3959301c66
Instruction Fuzzy Hash: E911C832524736ABEF257FF4A8046593B99BF40360B168527FC589A198DF38C440CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0049E7C7, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0049E7D5

Part of subcall function 0049E04E: __FF_MSGBANNER.LIBCMT ref: 0049E067
Part of subcall function 0049E04E: __NMSG_WRITE.LIBCMT ref: 0049E06E
Part of subcall function 0049E04E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A0B2E,00000000,00000001,00000000,?,004A75C4,00000018,004CF090,0000000C,004A7654), ref: 0049E093

_free.LIBCMT ref: 0049E7E8

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 85b161982d99ff21d147067a8aff796a723b2ca6d5cb82450ff7446860f05810
Instruction ID: c7e1d6fb654a31e4fc33791518c3b6fe2ab0cde5dd2fe23b7239b19863cad0fb
Opcode Fuzzy Hash: 85b161982d99ff21d147067a8aff796a723b2ca6d5cb82450ff7446860f05810
Instruction Fuzzy Hash: 21112B32441511A7CF21FBB7AC0465A3F959B613B0B21467FF4489B251EE7CC841865D

Uniqueness

Uniqueness Score: -1.00%

Function 021C83A0, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 021C83D2

Part of subcall function 0224B8FA: _setlocale.LIBCMT ref: 0224B90C

_free.LIBCMT ref: 021C83E4

Part of subcall function 0224EAC4: HeapFree.KERNEL32(00000000,00000000,?,021B32FB,?,004D279C), ref: 0224EADA

_free.LIBCMT ref: 021C83F7
_free.LIBCMT ref: 021C840A
_free.LIBCMT ref: 021C841D

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: _free$FreeHeapLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 1034197179-0
Opcode ID: b5b02bde389356c97008c127cfe2bc10859bcc976c1755d0fcbfc13f9b871136
Instruction ID: fbf2899c31d3c78f153e73299876cde49a7c7bf0d3b5680384b7103b417b6acc
Opcode Fuzzy Hash: b5b02bde389356c97008c127cfe2bc10859bcc976c1755d0fcbfc13f9b871136
Instruction Fuzzy Hash: F01191F1A04B509BD621DF599840A0BF7E9FF94720F198A2EE056C3684EB39E4048E92

Uniqueness

Uniqueness Score: -1.00%

Function 00418150, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00418182

Part of subcall function 0049B6AA: _setlocale.LIBCMT ref: 0049B6BC

_free.LIBCMT ref: 00418194

Part of subcall function 0049E874: HeapFree.KERNEL32(00000000,00000000,?,004030AB,?,5896F21E), ref: 0049E88A

_free.LIBCMT ref: 004181A7
_free.LIBCMT ref: 004181BA
_free.LIBCMT ref: 004181CD

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$FreeHeapLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 1034197179-0
Opcode ID: b5b02bde389356c97008c127cfe2bc10859bcc976c1755d0fcbfc13f9b871136
Instruction ID: 9940f372f53cae88a363a79202e9387dc8d63462f9e991f136512c6998a2b412
Opcode Fuzzy Hash: b5b02bde389356c97008c127cfe2bc10859bcc976c1755d0fcbfc13f9b871136
Instruction Fuzzy Hash: 761182F1900B406BDA20DF1AD845A4BFBE9EF90710F144A2FF05AC3750E739E8048A96

Uniqueness

Uniqueness Score: -1.00%

Function 02257386, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02257392

Part of subcall function 0225512D: __getptd_noexit.LIBCMT ref: 02255130
Part of subcall function 0225512D: __amsg_exit.LIBCMT ref: 0225513D

__getptd.LIBCMT ref: 022573A9
__amsg_exit.LIBCMT ref: 022573B7
__lock.LIBCMT ref: 022573C7
__updatetlocinfoEx_nolock.LIBCMT ref: 022573DB

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4d4828333fb6b383eab88b09f1e7db4750f43e6ab659692cd90c228e13da406b
Instruction ID: c24725b6b09b456f45f249de6e519991b7497ed8c811b5bd213660e41159d699
Opcode Fuzzy Hash: 4d4828333fb6b383eab88b09f1e7db4750f43e6ab659692cd90c228e13da406b
Instruction Fuzzy Hash: 37F0F0329F0730EBD720BBF5A809B18B7A2AF00775F10D18ADC14AB1D8CB785540CE66

Uniqueness

Uniqueness Score: -1.00%

Function 004A7136, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004A7142

Part of subcall function 004A4EDD: __getptd_noexit.LIBCMT ref: 004A4EE0
Part of subcall function 004A4EDD: __amsg_exit.LIBCMT ref: 004A4EED

__getptd.LIBCMT ref: 004A7159
__amsg_exit.LIBCMT ref: 004A7167
__lock.LIBCMT ref: 004A7177
__updatetlocinfoEx_nolock.LIBCMT ref: 004A718B

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4d4828333fb6b383eab88b09f1e7db4750f43e6ab659692cd90c228e13da406b
Instruction ID: 72ba6c850253534e5d4345560bca46b6812f78be0ef27554b4da5c5398e7648a
Opcode Fuzzy Hash: 4d4828333fb6b383eab88b09f1e7db4750f43e6ab659692cd90c228e13da406b
Instruction Fuzzy Hash: 8AF062319486109AD631BB699C02B4F33D06F2272DF10425FE054963C2CB6C59419A5E

Uniqueness

Uniqueness Score: -1.00%

Function 021C8010, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 021C78B0: std::_Lockit::_Lockit.LIBCPMT ref: 021C78CC

Part of subcall function 021C7950: std::_Lockit::_Lockit.LIBCPMT ref: 021C7999

std::_Lockit::_Lockit.LIBCPMT ref: 021C812F
std::_Lockit::_Lockit.LIBCPMT ref: 021C8183
std::_Lockit::_Lockit.LIBCPMT ref: 021C81CE

Strings

HAL9, xrefs: 021C8022

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID: HAL9
API String ID: 3382485803-225820728
Opcode ID: 9ce9b4544776cb3d2fec5164b7f55bde0e69fe4466afefa52729bd88dbed9538
Instruction ID: 66fde15fd6f061aac54f521c62af20059a8afbe921d75ed0f753510c75380e9d
Opcode Fuzzy Hash: 9ce9b4544776cb3d2fec5164b7f55bde0e69fe4466afefa52729bd88dbed9538
Instruction Fuzzy Hash: 03713379604B019FC719CF28C590A2AB7E1BF9DB14F204A1CE99A87790DB30F905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00417DC0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 00417660: std::_Lockit::_Lockit.LIBCPMT ref: 0041767C

Part of subcall function 00417700: std::_Lockit::_Lockit.LIBCPMT ref: 00417749

std::_Lockit::_Lockit.LIBCPMT ref: 00417EDF
std::_Lockit::_Lockit.LIBCPMT ref: 00417F33
std::_Lockit::_Lockit.LIBCPMT ref: 00417F7E

Strings

HAL9, xrefs: 00417DD2

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID: HAL9
API String ID: 3382485803-225820728
Opcode ID: 9ce9b4544776cb3d2fec5164b7f55bde0e69fe4466afefa52729bd88dbed9538
Instruction ID: fa7e2025b6dc06826602946d92d227b72fa8e2c69c26dd5f90bd0cda493c9fb4
Opcode Fuzzy Hash: 9ce9b4544776cb3d2fec5164b7f55bde0e69fe4466afefa52729bd88dbed9538
Instruction Fuzzy Hash: 54714475208B019FC714CF28C680A6AB7F1FF89B14F104A6DE99A87791DB34F905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404E3B
std::_Xinvalid_argument.LIBCPMT ref: 00404E56
_memmove.LIBCMT ref: 00404EA9

Part of subcall function 00404570: std::_Xinvalid_argument.LIBCPMT ref: 00404587
Part of subcall function 00404570: std::_Xinvalid_argument.LIBCPMT ref: 004045AA
Part of subcall function 00404570: std::_Xinvalid_argument.LIBCPMT ref: 004045C5
Part of subcall function 00404570: _memmove.LIBCMT ref: 00404626

Strings

string too long, xrefs: 00404E36, 00404E51

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 3d85b591ab57ed470afc3793323a984247738e55aef00379fd432fe23a26e2aa
Instruction ID: a06c0e93454b2be01e9576b4922b1e9ed8a9d97a43e7ce3eedd55e9a8c22a3a7
Opcode Fuzzy Hash: 3d85b591ab57ed470afc3793323a984247738e55aef00379fd432fe23a26e2aa
Instruction Fuzzy Hash: D231F4B23102105BC624AA5DE98096BB7EAFBD6711B50093FE291A77C1C779AC4483E9

Uniqueness

Uniqueness Score: -1.00%

Function 021B3360, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021B3400

Part of subcall function 0224C57E: std::exception::_Copy_str.LIBCMT ref: 0224C599

__CxxThrowException@8.LIBCMT ref: 021B3415

Part of subcall function 0224CC41: RaiseException.KERNEL32(021B32A3,?,004D279C,004BB6BC,021B32A3,?,004CB4C0,?,004D279C), ref: 0224CC83

Part of subcall function 021B3190: std::exception::exception.LIBCMT ref: 021B31C6
Part of subcall function 021B3190: __CxxThrowException@8.LIBCMT ref: 021B31DD

Strings

P-@, xrefs: 021B340E
1@, xrefs: 021B3437

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
String ID: P-@$1@
API String ID: 1430062303-3163305381
Opcode ID: 4c0cb47575a63e12093e2c6585f0f128f0f89f630cdc3c4de1f04941d4bf0859
Instruction ID: 4ddcd51b64f2679d580e4eee72aadd62c6da86237330978e64f7f53c4c758be6
Opcode Fuzzy Hash: 4c0cb47575a63e12093e2c6585f0f128f0f89f630cdc3c4de1f04941d4bf0859
Instruction Fuzzy Hash: E541C971E502059BC709CF68C8816EEB7F9FF44314F10426EE826D7790DB75AA50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00403110, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004031B0

Part of subcall function 0049C32E: std::exception::_Copy_str.LIBCMT ref: 0049C349

__CxxThrowException@8.LIBCMT ref: 004031C5

Part of subcall function 0049C9F1: RaiseException.KERNEL32(S0@,?,5896F21E,004BB6BC,00403053,?,004CB4C0,?,5896F21E), ref: 0049CA33

Part of subcall function 00402F40: std::exception::exception.LIBCMT ref: 00402F76
Part of subcall function 00402F40: __CxxThrowException@8.LIBCMT ref: 00402F8D

_memmove.LIBCMT ref: 0040320E

Strings

P-@, xrefs: 004031BE

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID: P-@
API String ID: 163498487-3305893085
Opcode ID: f1d26f146ba17ee6f04886200bf31b7278cc5bf7683a187353ffa9ac443e7d1e
Instruction ID: 486326a0063b83de9025a31b2d93e7eb048a48092115a542314a79203f052a6c
Opcode Fuzzy Hash: f1d26f146ba17ee6f04886200bf31b7278cc5bf7683a187353ffa9ac443e7d1e
Instruction Fuzzy Hash: 9841B771A00105ABCB04DF69C9816AEBBF9FB49355F20423FE816A7780D778AE44C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 021B31F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021B3289

Part of subcall function 0224C57E: std::exception::_Copy_str.LIBCMT ref: 0224C599

__CxxThrowException@8.LIBCMT ref: 021B329E

Part of subcall function 0224CC41: RaiseException.KERNEL32(021B32A3,?,004D279C,004BB6BC,021B32A3,?,004CB4C0,?,004D279C), ref: 0224CC83

Part of subcall function 021B3130: std::exception::exception.LIBCMT ref: 021B3160
Part of subcall function 021B3130: __CxxThrowException@8.LIBCMT ref: 021B3177

Strings

v0@, xrefs: 021B32C0
P-@, xrefs: 021B3297

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
String ID: P-@$v0@
API String ID: 1430062303-2345542528
Opcode ID: 493d786db9856d9125f73e2505b04a3ec1573cee5065ed58c8b9cd6c4768c2b6
Instruction ID: f8ea06980b20c8ff263bf52fe4fb67ede12a571ffd587a11b418b545a6d6ee59
Opcode Fuzzy Hash: 493d786db9856d9125f73e2505b04a3ec1573cee5065ed58c8b9cd6c4768c2b6
Instruction Fuzzy Hash: AC41B771E50645ABCB15DFA8C4806DDBBF4EF05320F5042AAE83697380D770AA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0224C32C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__realloc_crt.LIBCMT ref: 0224C38B
__realloc_crt.LIBCMT ref: 0224C3A1
RtlEncodePointer.NTDLL(00000000), ref: 0224C3B3

Strings

P-@, xrefs: 0224C333

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __realloc_crt$EncodePointer
String ID: P-@
API String ID: 562370833-3305893085
Opcode ID: 25e0e4e601459e24bcbd8275923078b7c521353a8ec7af66a76a19f52b6b5bdf
Instruction ID: 84a148135a22829ba8912fbdada9ebc22f5d5cafd57353a7fbf68e51757d1b73
Opcode Fuzzy Hash: 25e0e4e601459e24bcbd8275923078b7c521353a8ec7af66a76a19f52b6b5bdf
Instruction Fuzzy Hash: E711C872616615AFDB085FBCEC808597FEDEB44238711497BE805DB224EFB1FD408A98

Uniqueness

Uniqueness Score: -1.00%

Function 022501D9, Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 022501E7

Part of subcall function 0224D92B: __getptd.LIBCMT ref: 0224D93E

Part of subcall function 02252A9D: __getptd_noexit.LIBCMT ref: 02252A9D

__stricmp_l.LIBCMT ref: 02250254

Part of subcall function 0224D9EB: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0224D9FA

___crtLCMapStringA.LIBCMT ref: 022502AA
___crtLCMapStringA.LIBCMT ref: 0225032B

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 9e5ffc4cb05905fbd7aa0df57ea0de227fbb9546b88197d760bfd397cede81c8
Instruction ID: 50bfdf056655673982ee7e369920bc6ac0074b20e730c482838e40d867470c6e
Opcode Fuzzy Hash: 9e5ffc4cb05905fbd7aa0df57ea0de227fbb9546b88197d760bfd397cede81c8
Instruction Fuzzy Hash: 83511F70934266ABDF259BD4CC85BBD7BB0AF05314F18C199E8A19F1D9D7708B41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0049FF89, Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049FF97

Part of subcall function 0049D6DB: __getptd.LIBCMT ref: 0049D6EE

Part of subcall function 004A284D: __getptd_noexit.LIBCMT ref: 004A284D

__stricmp_l.LIBCMT ref: 004A0004

Part of subcall function 0049D79B: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0049D7AA

___crtLCMapStringA.LIBCMT ref: 004A005A
___crtLCMapStringA.LIBCMT ref: 004A00DB

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 9e5ffc4cb05905fbd7aa0df57ea0de227fbb9546b88197d760bfd397cede81c8
Instruction ID: 77479f05dd417f8d821e731cf2fb52d6163a3c3d76437650e18152e987a36196
Opcode Fuzzy Hash: 9e5ffc4cb05905fbd7aa0df57ea0de227fbb9546b88197d760bfd397cede81c8
Instruction Fuzzy Hash: 66513970D04159ABDF259B64C885BFE7BF0AB23314F28419BE0A15F2D2D3398E42DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0049F2BD, Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0049F358
__flush.LIBCMT ref: 0049F376
__write.LIBCMT ref: 0049F39D
__flsbuf.LIBCMT ref: 0049F3C8

Part of subcall function 004A284D: __getptd_noexit.LIBCMT ref: 004A284D

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 1d392abd2acc133e5efc88026678faa2218ff1761bc7052396982c6cd11fdc3a
Instruction ID: 4c8b7da3941b3fbc133e5dc0a3ea6702fd7cd52a7b71e60dbc717fcc10f89492
Opcode Fuzzy Hash: 1d392abd2acc133e5efc88026678faa2218ff1761bc7052396982c6cd11fdc3a
Instruction Fuzzy Hash: E9419F31A006049BDF24DFAA88856AFBFB5AF80324F24817FEC55D6280D77DDD498B48

Uniqueness

Uniqueness Score: -1.00%

Function 02245BA0, Relevance: 6.1, APIs: 4, Instructions: 121sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,004C7064,00000024,004D279C), ref: 02245C19
__time64.LIBCMT ref: 02245C20

Part of subcall function 0224D69C: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,02245C25,00000000), ref: 0224D6A7
Part of subcall function 0224D69C: __aulldiv.LIBCMT ref: 0224D6C7

Part of subcall function 022432A0: _malloc.LIBCMT ref: 022432A7
Part of subcall function 022432A0: GetTickCount.KERNEL32 ref: 022432B4
Part of subcall function 022432A0: _rand.LIBCMT ref: 022432D0
Part of subcall function 022432A0: _sprintf.LIBCMT ref: 022432E5

Part of subcall function 022500D8: __getptd.LIBCMT ref: 022500DD

_rand.LIBCMT ref: 02245C55

Part of subcall function 022500EA: __getptd.LIBCMT ref: 022500EA

std::_Xinvalid_argument.LIBCPMT ref: 02245C6C

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Time__getptd_rand$CountFileSleepSystemTickXinvalid_argument__aulldiv__time64_malloc_sprintfstd::_
String ID:
API String ID: 3490354527-0
Opcode ID: 357e6f8e4c1c543a149263cccda9c748d442fccebcd230183d73eb6c61cf46b5
Instruction ID: 410b1005037f0c2d1c20f88ac7a25687966c2f684cd55bfa1aa269ed25100bdc
Opcode Fuzzy Hash: 357e6f8e4c1c543a149263cccda9c748d442fccebcd230183d73eb6c61cf46b5
Instruction Fuzzy Hash: BF41D6B0A20355AFDB18DFD4D881BAEB7BAFF54700F50012DE542A7284DBB45A04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0226146A, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0226149E
__isleadbyte_l.LIBCMT ref: 022614D1
MultiByteToWideChar.KERNEL32(00000000,00000009,0000000C,00000000,021CE84C,00000000,?,?,?,004CEA58,0000000C,021CE84C), ref: 02261502
MultiByteToWideChar.KERNEL32(00000000,00000009,0000000C,00000001,021CE84C,00000000,?,?,?,004CEA58,0000000C,021CE84C), ref: 02261570

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9c17a0650e31d761841d794ae28cb099ae0994050b4eb252ae31cce1953730a1
Instruction ID: d482da5af21b2d4f2e6e5ce229201d16c0c799f0025071b121544b8960dba291
Opcode Fuzzy Hash: 9c17a0650e31d761841d794ae28cb099ae0994050b4eb252ae31cce1953730a1
Instruction Fuzzy Hash: 3D31D532520247EFDB20DFE4C888ABD7BB5BF01315F058969E4699B299D730E9A0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 004B121A, Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004B124E
__isleadbyte_l.LIBCMT ref: 004B1281
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036ACC,00BFBBEF,00000000,?,?,?,004AF6A4,00000109,00BFBBEF,00000003), ref: 004B12B2
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,004AF6A4,00000109,00BFBBEF,00000003), ref: 004B1320

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9c17a0650e31d761841d794ae28cb099ae0994050b4eb252ae31cce1953730a1
Instruction ID: 4db2654cd19cbf0ff6fdb0cc35245cd9993303e1929d1d4c5589467273d214f0
Opcode Fuzzy Hash: 9c17a0650e31d761841d794ae28cb099ae0994050b4eb252ae31cce1953730a1
Instruction Fuzzy Hash: CE31D531500285EFDF14DFA8C8A49EE3BA5BF01310F5485EAE555EB2A1D734DD40DB28

Uniqueness

Uniqueness Score: -1.00%

Function 021C50D0, Relevance: 6.1, APIs: 4, Instructions: 93networkCOMMON

Download Yara Rule

APIs

HttpAddRequestHeadersA.WININET(?,004D279C,?,20000000), ref: 021C5150
HttpAddRequestHeadersA.WININET(?,004D279C,?,20000000), ref: 021C5180
HttpAddRequestHeadersA.WININET(?,004D279C,?,20000000), ref: 021C51B0
HttpAddRequestHeadersA.WININET(?,004D279C,?,20000000), ref: 021C51E0

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: HeadersHttpRequest
String ID:
API String ID: 1754618566-0
Opcode ID: 7a6b28609bb06b2c6554c66f11959ef481696574e28899dfeb95dec1988d598e
Instruction ID: d121dd6f3fdfeac2fd810913edba4a4cd41a195fff0361a8340cf0819752b439
Opcode Fuzzy Hash: 7a6b28609bb06b2c6554c66f11959ef481696574e28899dfeb95dec1988d598e
Instruction Fuzzy Hash: 37316A75548300AFD305DF50C845FABB3E9FF98714F508A2EF5A566280D774EA08CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00498DD0, Relevance: 6.1, APIs: 4, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0049A814,00000000,00000000,00000010,00000000), ref: 00498E11
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0049A814,00000000,00000000,00000010,00000000), ref: 00498E21
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0049A814,00000000,00000000,00000010,00000000), ref: 00498E41
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00498E63

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: 3e275d58e440eb23b49efbe264de999d33f7f1361024b8a9bd009aff0d280a2a
Instruction ID: a471692c70d378398092e6b48fb6e8c9101360ba68442dea1ad9fb23e9c4775f
Opcode Fuzzy Hash: 3e275d58e440eb23b49efbe264de999d33f7f1361024b8a9bd009aff0d280a2a
Instruction Fuzzy Hash: DE31F5B59087009FD318CF29C89096BFBE5FB88254F408A2EE5AAC7750DB74E509CB55

Uniqueness

Uniqueness Score: -1.00%

Function 021C82F0, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 021C831E
std::exception::exception.LIBCMT ref: 021C835D

Part of subcall function 0224C57E: std::exception::_Copy_str.LIBCMT ref: 0224C599

__CxxThrowException@8.LIBCMT ref: 021C8374

Part of subcall function 0224CC41: RaiseException.KERNEL32(021B32A3,?,004D279C,004BB6BC,021B32A3,?,004CB4C0,?,004D279C), ref: 0224CC83

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 021C837B

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 73090415-0
Opcode ID: 8c137d7277b8d131593d02a7f6fec72f1394c890439066219a858aad24473143
Instruction ID: 03bc73438c5d279d03d0cc4a1b588d0159edb3095e78563663ed4c1f17bb567a
Opcode Fuzzy Hash: 8c137d7277b8d131593d02a7f6fec72f1394c890439066219a858aad24473143
Instruction Fuzzy Hash: BD1190B1809B409FC324DF288980A47FBE4BB68700F408A2FE49993640D734E508CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0225AAD4, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0225AAFA

Part of subcall function 0225A926: __fltout2.LIBCMT ref: 0225A951

__cftog_l.LIBCMT ref: 0225AB20
__cftoe_l.LIBCMT ref: 0225AB52

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 9e1014353cd6ceeb3316e1f18a4f72d5f608f7aeff48e4fd576a3f1b17e050df
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: A611283202055ABB8F125EC4CC42CAE3F63BF28354F498615FE5859138D336C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 004AA884, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004AA8AA

Part of subcall function 004AA6D6: __fltout2.LIBCMT ref: 004AA701

__cftog_l.LIBCMT ref: 004AA8D0
__cftoe_l.LIBCMT ref: 004AA902

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: acefbdb06d7d4ebae9b74473577ca326700328c2f92e29c12d71baa16948cf1e
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 8B11437200014EBBCF126E85CC01CEE3F76BB6A354F59841AFA5855131D33AC9B2EB86

Uniqueness

Uniqueness Score: -1.00%

Function 022432A0, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 022432A7

Part of subcall function 0224E29E: __FF_MSGBANNER.LIBCMT ref: 0224E2B7
Part of subcall function 0224E29E: __NMSG_WRITE.LIBCMT ref: 0224E2BE
Part of subcall function 0224E29E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0224E2E3

GetTickCount.KERNEL32 ref: 022432B4

Part of subcall function 022500D8: __getptd.LIBCMT ref: 022500DD

_rand.LIBCMT ref: 022432D0

Part of subcall function 022500EA: __getptd.LIBCMT ref: 022500EA

_sprintf.LIBCMT ref: 022432E5

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_rand_sprintf
String ID:
API String ID: 2210831635-0
Opcode ID: 04ba967137eb75654a164b2413588acc5e62ecd3b9d2f9c68eb419b49a29f572
Instruction ID: 3a9af0d9bb6bd22e8e61c1ae34e9f70d4457237cc578fd32bda40c7e40c724a6
Opcode Fuzzy Hash: 04ba967137eb75654a164b2413588acc5e62ecd3b9d2f9c68eb419b49a29f572
Instruction Fuzzy Hash: 73F02BA331029117D310A6E85C44B47BA4D9F65350F14447EFA44C3105EE65C81083B3

Uniqueness

Uniqueness Score: -1.00%

Function 004B1107, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,004A89DD,00000000,00000000,74E05970,?,0049EA8B,?,00000000), ref: 004B110A
__malloc_crt.LIBCMT ref: 004B1139
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,00000000,?,0049EA8B,?,00000000), ref: 004B1146

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 35d7fa1be702710d1e5db715c49e6c7e7c1a561b8be8fa75b6e2af1f04974dc2
Instruction ID: 316f26375f605f0cd77650341741c6df0c53f4fdb34655e037849bd45c2b6d01
Opcode Fuzzy Hash: 35d7fa1be702710d1e5db715c49e6c7e7c1a561b8be8fa75b6e2af1f04974dc2
Instruction Fuzzy Hash: 71F0A777601110ABCF31777DBC958DB6739DAEA36435A452BF901C3360FA288D8286F9

Uniqueness

Uniqueness Score: -1.00%

Function 00493390, Relevance: 6.0, APIs: 4, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 004933AB
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,5896F21E), ref: 004933BE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,5896F21E), ref: 004933C9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,5896F21E), ref: 004933DA

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: a77e2c15d4ccfd051175ff4ecdd267cc877b5e18a3f158a6fca0d42b6d9c7381
Instruction ID: 795d9d186629f84d3c271c6c627cb69cd0f77ad3184e3e007e0a01879458923b
Opcode Fuzzy Hash: a77e2c15d4ccfd051175ff4ecdd267cc877b5e18a3f158a6fca0d42b6d9c7381
Instruction Fuzzy Hash: 1BF08935640210ABD220EB28EC4DF8B7758AB55B51F018634FD54A22D0EA705919C669

Uniqueness

Uniqueness Score: -1.00%

Function 00403680, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004036E7
_memmove.LIBCMT ref: 0040373E

Strings

string too long, xrefs: 004036E2

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 5244c4676091b6790bb0d42b658074f27e86bdc8f855536a2309061d2296be4b
Instruction ID: 74f75318326d0ccb69bccae673865ae466a9ff4259977ab655d68d0c233e826f
Opcode Fuzzy Hash: 5244c4676091b6790bb0d42b658074f27e86bdc8f855536a2309061d2296be4b
Instruction Fuzzy Hash: 0E31C4723146049BC634EE9CE88082AFBEEEF967163104D3FE041D7790D779AD448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004032C0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004032D2

Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B19D
Part of subcall function 0049B188: __CxxThrowException@8.LIBCMT ref: 0049B1B2
Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B1C3

_memmove.LIBCMT ref: 0040331A

Strings

string too long, xrefs: 004032CD

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 8258743c3f0f5a1aa7fddc0bb57623a73243e7edeb7b674b0ef681bf7af75515
Instruction ID: 5da86d647c49e79fdf99b9f508c935f0504fb0c180d761ed05676a4a24ba0056
Opcode Fuzzy Hash: 8258743c3f0f5a1aa7fddc0bb57623a73243e7edeb7b674b0ef681bf7af75515
Instruction Fuzzy Hash: FE115B711447085BEB20AE6C6981A3FBB9CAB61710F500E3FE497D26C1DF79E9448298

Uniqueness

Uniqueness Score: -1.00%

Function 00418850, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00418869

Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B19D
Part of subcall function 0049B188: __CxxThrowException@8.LIBCMT ref: 0049B1B2
Part of subcall function 0049B188: std::exception::exception.LIBCMT ref: 0049B1C3

std::_Xinvalid_argument.LIBCPMT ref: 00418880

Strings

string too long, xrefs: 00418864, 0041887B

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 6a4addcb76046695d3f2780bfb78d04bfae6f43fcd8215dc87e0b7bfcaed4329
Instruction ID: 7f61ede93880ead9d10146abcd2d7694c1d1839b067fbb96554ce4b3068b28aa
Opcode Fuzzy Hash: 6a4addcb76046695d3f2780bfb78d04bfae6f43fcd8215dc87e0b7bfcaed4329
Instruction Fuzzy Hash: 75110B323006105BD721BA5D9480A9BF7E9EFE5761F60062FF191D7380CBA49C8483B9

Uniqueness

Uniqueness Score: -1.00%

Function 004049B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00491AC0: GetUserNameA.ADVAPI32 ref: 00491AF6

ExitProcess.KERNEL32 ref: 00404A45

Strings

JohnDoe, xrefs: 004049DA
HAL9TH, xrefs: 00404A19

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitNameProcessUser
String ID: HAL9TH$JohnDoe
API String ID: 282088302-3469431008
Opcode ID: 65d54da961c71f6a023e2d432cf3263e92512469732bd32a84981cefdd02da5c
Instruction ID: 8b8ed941e3813f37f43f8dac260e56484bb71635ff78634de205b62df0752c5c
Opcode Fuzzy Hash: 65d54da961c71f6a023e2d432cf3263e92512469732bd32a84981cefdd02da5c
Instruction Fuzzy Hash: 9911A7B1A453009FDA00EB60D982A4B77D8AFD4755F04493FF44997191EB38E544CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402E63

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

_memmove.LIBCMT ref: 00402EA3

Strings

invalid string position, xrefs: 00402E5E

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 3a7feca8392ac57b8d1af0f9b2cb665aff0aa3d1796291a9744525f0da04506f
Instruction ID: 7461fb4a98491259ca43cc1448436002d54731699899ad7cdefa9a6017f4eb2c
Opcode Fuzzy Hash: 3a7feca8392ac57b8d1af0f9b2cb665aff0aa3d1796291a9744525f0da04506f
Instruction Fuzzy Hash: E5118E323446118BC724CE6CDA8486BB3E6AFD5704320493FD481DB695DBB4D846C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402DE3

Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B1EA
Part of subcall function 0049B1D5: __CxxThrowException@8.LIBCMT ref: 0049B1FF
Part of subcall function 0049B1D5: std::exception::exception.LIBCMT ref: 0049B210

_memmove.LIBCMT ref: 00402E1E

Strings

invalid string position, xrefs: 00402DDE

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 1e739fd6a7962e6a6ba06f81b30ce8a1103422412bb25d2b9c70c585ea0db199
Instruction ID: 511870542295513d7d39826078f1b87ddd0b5dddf15f0ea464ac81a5554301e8
Opcode Fuzzy Hash: 1e739fd6a7962e6a6ba06f81b30ce8a1103422412bb25d2b9c70c585ea0db199
Instruction Fuzzy Hash: 5101C0313446008BC225892CDE8862AB7E6AFD6700B24093FE081E77C5D7F4DC8283E8

Uniqueness

Uniqueness Score: -1.00%

Function 022521E7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 022521F6

Part of subcall function 0225512D: __getptd_noexit.LIBCMT ref: 02255130
Part of subcall function 0225512D: __amsg_exit.LIBCMT ref: 0225513D

__getptd.LIBCMT ref: 02252204

Strings

csm, xrefs: 02252212

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 13f6baa98dff881eb24ebd0b68a76a97ff0b9319efa4a1b86dd0e3b61b20ac21
Instruction ID: c0a65a632bad61f8091fa331250983f9af140d7b488c913babec1fb9045b86e0
Opcode Fuzzy Hash: 13f6baa98dff881eb24ebd0b68a76a97ff0b9319efa4a1b86dd0e3b61b20ac21
Instruction Fuzzy Hash: A5017C3A922316CACF289FA4C45066DB7BAAF00310F54C61ADC44DA694EB708996CE41

Uniqueness

Uniqueness Score: -1.00%

Function 004A1F97, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0049CD6F: __getptd.LIBCMT ref: 0049CD75
Part of subcall function 0049CD6F: __getptd.LIBCMT ref: 0049CD85

__getptd.LIBCMT ref: 004A1FA6

Part of subcall function 004A4EDD: __getptd_noexit.LIBCMT ref: 004A4EE0
Part of subcall function 004A4EDD: __amsg_exit.LIBCMT ref: 004A4EED

__getptd.LIBCMT ref: 004A1FB4

Strings

csm, xrefs: 004A1FC2

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 13f6baa98dff881eb24ebd0b68a76a97ff0b9319efa4a1b86dd0e3b61b20ac21
Instruction ID: 51a3060c677246234b17cad4a586fcce31f85bd7bf12e70bff8cfea466f4c965
Opcode Fuzzy Hash: 13f6baa98dff881eb24ebd0b68a76a97ff0b9319efa4a1b86dd0e3b61b20ac21
Instruction Fuzzy Hash: 4E01D630804305CFEF34AF69C540A6EB7B4BF21318F14042FE44197391CB788990DB08

Uniqueness

Uniqueness Score: -1.00%

Function 021C8220, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021C8260
__CxxThrowException@8.LIBCMT ref: 021C8277

Part of subcall function 0224CBC1: _malloc.LIBCMT ref: 0224CBDB

Strings

P-@, xrefs: 021C826F

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 0c5006d241f0cdfd39687acc0e6d338da8e4fced4193d0b2ef6137457bc4e00e
Instruction ID: 3f25cca41b79805e633c108d52786b92a313c23bf9afcf07f80768a022fae892
Opcode Fuzzy Hash: 0c5006d241f0cdfd39687acc0e6d338da8e4fced4193d0b2ef6137457bc4e00e
Instruction Fuzzy Hash: 20F0A7B95553015BD71DEFB8D995B6F77E49FA0B00F05442D9445C1104FB78CA0CCA67

Uniqueness

Uniqueness Score: -1.00%

Function 00417FD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00418010
__CxxThrowException@8.LIBCMT ref: 00418027

Part of subcall function 0049C971: _malloc.LIBCMT ref: 0049C98B

Strings

P-@, xrefs: 0041801F

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 89f587be7bb31082264df071607a9f6da6b464e0b862f26ef06edb2066f2d356
Instruction ID: 17b37bcbbbf17cb563853b0220baa83649d615d881d1c3ab0229303c445095a6
Opcode Fuzzy Hash: 89f587be7bb31082264df071607a9f6da6b464e0b862f26ef06edb2066f2d356
Instruction Fuzzy Hash: DDF0A7B550830157D718DB71D992BAF7BE49F94B04F44443EE80581201FBBCC94CC69B

Uniqueness

Uniqueness Score: -1.00%

Function 021B3190, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021B31C6
__CxxThrowException@8.LIBCMT ref: 021B31DD

Part of subcall function 0224CBC1: _malloc.LIBCMT ref: 0224CBDB

Strings

P-@, xrefs: 021B31D5

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 1ede298ff6925978a37a42be4d3e255e04d5a8c2a874310f7119c4f21f838225
Instruction ID: 9939034e6268f9feedb96b4afb7029615e1f00f017bec923d295ab844c4ce9c8
Opcode Fuzzy Hash: 1ede298ff6925978a37a42be4d3e255e04d5a8c2a874310f7119c4f21f838225
Instruction Fuzzy Hash: 1EE0EDB58053019BC318EFA4C551AAFB3E9AF84B08F10892EE46981180FB71C71C8A63

Uniqueness

Uniqueness Score: -1.00%

Function 00402F40, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00402F76
__CxxThrowException@8.LIBCMT ref: 00402F8D

Part of subcall function 0049C971: _malloc.LIBCMT ref: 0049C98B

Strings

P-@, xrefs: 00402F85

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 4ed73e77a632d5569438c8b0ad1b3228d7fa312283a5ead0da4a1fe2cdabc144
Instruction ID: ffc936eb41f665df5c429e0853eb0f5b6f803375f0005f742481d999886dfe33
Opcode Fuzzy Hash: 4ed73e77a632d5569438c8b0ad1b3228d7fa312283a5ead0da4a1fe2cdabc144
Instruction Fuzzy Hash: 2EE0E5B50083026BC714EB60C686A5FB7F4AF9474CF40893EF819512C1F7B8CA0C966B

Uniqueness

Uniqueness Score: -1.00%

Function 021B3130, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021B3160
__CxxThrowException@8.LIBCMT ref: 021B3177

Part of subcall function 0224CBC1: _malloc.LIBCMT ref: 0224CBDB

Strings

P-@, xrefs: 021B316F

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 77ca7c640a18f2ff42cdf67060c748a8ded1e280f494dac71e115b4df877b2d2
Instruction ID: 4befee46e68bc66d214ad2a3a247e339543f87030fa4df4ec2e24c4afe5c193c
Opcode Fuzzy Hash: 77ca7c640a18f2ff42cdf67060c748a8ded1e280f494dac71e115b4df877b2d2
Instruction Fuzzy Hash: 92E0EDB541930196C319EBA8D901AAFB2A89F80B00F044A2EE85941280FB70C6188AA7

Uniqueness

Uniqueness Score: -1.00%

Function 004041E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00404217

Part of subcall function 0049B347: std::ios_base::_Tidy.LIBCPMT ref: 0049B368

Strings

@A@, xrefs: 004041FA
A@, xrefs: 004041EC

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID: @A@$A@
API String ID: 3167631304-3090660310
Opcode ID: e1432c0684c43e36d02e92e24d96ba77cfc77e8f4710dd6c85118a5264989d1f
Instruction ID: 88cf9c7263f093331865935adac68eaa63cbb1bb14d31e9a1b9d2fa4ed31915f
Opcode Fuzzy Hash: e1432c0684c43e36d02e92e24d96ba77cfc77e8f4710dd6c85118a5264989d1f
Instruction Fuzzy Hash: F2F05EB46002019FC710CF14D6889A6BBA1EF95318B24C0ADD9450B366C7B6ED86CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00402F10
__CxxThrowException@8.LIBCMT ref: 00402F27

Part of subcall function 0049C971: _malloc.LIBCMT ref: 0049C98B

Strings

P-@, xrefs: 00402F1F

Memory Dump Source

Source File: 00000001.00000002.548156636.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: P-@
API String ID: 4063778783-3305893085
Opcode ID: 9545651b6c723d1c69fa7ed36c595e60f2ffce73bb58dec0fbbc96362a29a621
Instruction ID: 2114a16a42231c71bcb0b93c713675b90cb9aa66d50eb15868f11b98fe17692c
Opcode Fuzzy Hash: 9545651b6c723d1c69fa7ed36c595e60f2ffce73bb58dec0fbbc96362a29a621
Instruction Fuzzy Hash: DFE09BB550830256C714EB30D656B5F77E49F90748F40463FF849512C1FBB8C90C95AB

Uniqueness

Uniqueness Score: -1.00%

Function 0224F1C6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 0224F1FA

Part of subcall function 022577B0: RtlLeaveCriticalSection.NTDLL ref: 022577BF

Strings

0*M, xrefs: 0224F1D7
@YM, xrefs: 0224F1CE

Memory Dump Source

Source File: 00000001.00000002.549230850.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID: 0*M$@YM
API String ID: 3988221542-260419101
Opcode ID: 30dc7b885803cebd201ab244b966cdd46c56de102f84947920b9adf155597a5c
Instruction ID: a46d070a16ba9cea72e5317450f43f596bcc731af292792032187c09029f18f5
Opcode Fuzzy Hash: 30dc7b885803cebd201ab244b966cdd46c56de102f84947920b9adf155597a5c
Instruction Fuzzy Hash: 51E02B731303054B8B3806F9FD4985B775CC688232316851BE90DC2790DE35E480851C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 9Hh9OY15jt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Vidar

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets