Create Interactive Tour

Analysis Report vidar.bin

Overview

General Information

Sample Name:	vidar.bin (renamed file extension from bin to exe)
Analysis ID:	424408
MD5:	d6e3cc39633db14165cb84ff0aab7e32
SHA1:	3fd3927e30b8af15291840179b0685f402f36b00
SHA256:	d80e33c76d583d678e8286c52b4b65b2da4d5fcc70f2de1eecee419a0879b945
Tags:	vidar
Infos:
Most interesting Screenshot:

Detection

Vidar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

vidar.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\vidar.exe' MD5: D6E3CC39633DB14165CB84FF0AAB7E32)

cleanup

Malware Configuration

Threatname: Vidar

{
  "C2 url": "api.faceit.com/core/v1/nicknames/"
}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.238401992.00000000025A0000.00000004.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.496886988.0000000000B40000.00000040.00000001.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: vidar.exe PID: 5108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vidar.exe PID: 5108	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.vidar.exe.b40e50.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.vidar.exe.25a0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.vidar.exe.b40e50.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.vidar.exe.25a0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.vidar.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: vidar.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.3.vidar.exe.25a0000.0.raw.unpack

Malware Configuration Extractor: Vidar {"C2 url": "api.faceit.com/core/v1/nicknames/"}

Multi AV Scanner detection for submitted file

Show sources

Source: vidar.exe	Virustotal: Detection: 59%	Perma Link
Source: vidar.exe	Metadefender: Detection: 26%	Perma Link
Source: vidar.exe	ReversingLabs: Detection: 86%

Machine Learning detection for sample

Show sources

Source: vidar.exe

Joe Sandbox ML: detected

Source: 0.0.vidar.exe.400000.0.unpack

Avira: Label: TR/AD.VidarStealer.jlejb

Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040A3C8 _memset,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,	0_2_0040A3C8
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040A560 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0040A560
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040A5C3 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,	0_2_0040A5C3
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040A6DA _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,	0_2_0040A6DA

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\vidar.exe

Unpacked PE file: 0.2.vidar.exe.400000.0.unpack

Source: vidar.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\vidar.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.17.62.50:443 -> 192.168.2.7:49715 version: TLS 1.2

Source:

Binary string: C:\zere-xad_luduxiyipopukuno62\dahapevunukom55 cuvafa22 venugomize.pdb source: vidar.exe

Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0045E21E __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	0_2_0045E21E
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040E623 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,	0_2_0040E623
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040474C __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,	0_2_0040474C
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040E80D __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,	0_2_0040E80D
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00404F9D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,_sprintf,FindNextFileA,FindClose,	0_2_00404F9D

Source: Joe Sandbox View	IP Address: 104.17.62.50 104.17.62.50
Source: Joe Sandbox View	IP Address: 198.98.55.103 198.98.55.103

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103
Source: unknown	TCP traffic detected without corresponding DNS query: 198.98.55.103

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_004042D5 __EH_prolog3,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004042D5

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/828
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/freebl3.dll
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/freebl3.dll.21.3.
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/freebl3.dllK
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/mozglue.dll
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/mozglue.dllcknames/vyh62lapin
Source: vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/mozglue.dllo
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/msvcp140.dll
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/msvcp140.dll000000
Source: vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/msvcp140.dllu
Source: vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/nss3.dll
Source: vidar.exe, 00000000.00000002.497966657.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/nss3.dllRBPA7X4H3Z
Source: vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/nss3.dlle
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/softokn3.dll
Source: vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/softokn3.dll1
Source: vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/softokn3.dll6.1.5.
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: http://198.98.55.103/softokn3.dllknames/vyh62lapin
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: http://status.geotrust.com0=
Source: vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/M
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/core/v1/nicknames/vyh62lapin
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/core/v1/nicknames/vyh62lapinU
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/core/v1/nicknames/vyh62lapinbx0
Source: vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/core/v1/nicknames/vyh62lapintx
Source: vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	String found in binary or memory: https://api.faceit.com/n
Source: vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cd
Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 104.17.62.50:443 -> 192.168.2.7:49715 version: TLS 1.2

Source: vidar.exe, 00000000.00000002.497246010.0000000000C0A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0047806B	0_2_0047806B
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0043E09A	0_2_0043E09A
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004560B3	0_2_004560B3
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004121D5	0_2_004121D5
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004222BC	0_2_004222BC
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004745C0	0_2_004745C0
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004785BC	0_2_004785BC
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0044E85B	0_2_0044E85B
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00474A55	0_2_00474A55
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00478B0D	0_2_00478B0D
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00460D55	0_2_00460D55
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00474DF3	0_2_00474DF3
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00424F72	0_2_00424F72

Source: C:\Users\user\Desktop\vidar.exe	Code function: String function: 00402B8D appears 55 times
Source: C:\Users\user\Desktop\vidar.exe	Code function: String function: 00425DEE appears 66 times

Source: vidar.exe, 00000000.00000002.503321231.0000000002F90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs vidar.exe
Source: vidar.exe, 00000000.00000002.503405364.00000000030E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs vidar.exe

Source: vidar.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@1/1@2/2

Source: C:\Users\user\Desktop\vidar.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD

Jump to behavior

Source: vidar.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vidar.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\vidar.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\vidar.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vidar.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vidar.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vidar.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: vidar.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vidar.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vidar.exe, 00000000.00000003.238401992.00000000025A0000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: vidar.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: vidar.exe	Virustotal: Detection: 59%
Source: vidar.exe	Metadefender: Detection: 26%
Source: vidar.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\vidar.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: vidar.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\zere-xad_luduxiyipopukuno62\dahapevunukom55 cuvafa22 venugomize.pdb source: vidar.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\vidar.exe

Unpacked PE file: 0.2.vidar.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\vidar.exe

Unpacked PE file: 0.2.vidar.exe.400000.0.unpack

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0045E310 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0045E310

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_00466CB5 push ecx; ret

0_2_00466CC8

Source: C:\Users\user\Desktop\vidar.exe

0_2_0045E310

Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0045E21E __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	0_2_0045E21E
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040E623 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,	0_2_0040E623
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040474C __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,	0_2_0040474C
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_0040E80D __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,	0_2_0040E80D
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00404F9D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,_sprintf,FindNextFileA,FindClose,	0_2_00404F9D

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0045A544 GetSystemInfo,

0_2_0045A544

Source: vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_00466FF7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00466FF7

Source: C:\Users\user\Desktop\vidar.exe

0_2_0045E310

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0040EAA2 __EH_prolog3,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,_strcpy_s,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,_strcpy_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_0040EAA2

Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_004707D0 SetUnhandledExceptionFilter,		0_2_004707D0
Source: C:\Users\user\Desktop\vidar.exe	Code function: 0_2_00466FF7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00466FF7

Source: vidar.exe, 00000000.00000002.498542790.0000000001190000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: vidar.exe, 00000000.00000002.498542790.0000000001190000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vidar.exe, 00000000.00000002.498542790.0000000001190000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: vidar.exe, 00000000.00000002.498542790.0000000001190000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\vidar.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00474040
Source: C:\Users\user\Desktop\vidar.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_0047409B
Source: C:\Users\user\Desktop\vidar.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0047426C
Source: C:\Users\user\Desktop\vidar.exe	Code function: GetLocaleInfoA,	0_2_0046421E
Source: C:\Users\user\Desktop\vidar.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0047432C
Source: C:\Users\user\Desktop\vidar.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_004743CF
Source: C:\Users\user\Desktop\vidar.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00474393
Source: C:\Users\user\Desktop\vidar.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00472530
Source: C:\Users\user\Desktop\vidar.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00472A4A
Source: C:\Users\user\Desktop\vidar.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_00470FF0

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_004600DE GetLocalTime,SystemTimeToFileTime,

0_2_004600DE

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0045AFDC GetUserNameA,

0_2_0045AFDC

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0046A9D2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0046A9D2

Source: C:\Users\user\Desktop\vidar.exe

Code function: 0_2_0040A35A _memset,GetVersionExA,

0_2_0040A35A

Stealing of Sensitive Information:

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.238401992.00000000025A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496886988.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vidar.exe PID: 5108, type: MEMORY
Source: Yara match	File source: 0.2.vidar.exe.b40e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.vidar.exe.25a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vidar.exe.b40e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.vidar.exe.25a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vidar.exe.400000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: vidar.exe	String found in binary or memory: \Electrum-LTC\wallets\
Source: vidar.exe	String found in binary or memory: \ElectronCash\wallets\
Source: vidar.exe	String found in binary or memory: \Electrum\wallets\
Source: vidar.exe	String found in binary or memory: \jaxx\Local Storage\
Source: vidar.exe	String found in binary or memory: window-state.json
Source: vidar.exe	String found in binary or memory: exodus.conf.json
Source: vidar.exe	String found in binary or memory: \Exodus\
Source: vidar.exe	String found in binary or memory: info.seco
Source: vidar.exe	String found in binary or memory: ElectrumLTC
Source: vidar.exe	String found in binary or memory: \jaxx\Local Storage\
Source: vidar.exe	String found in binary or memory: passphrase.json
Source: vidar.exe	String found in binary or memory: \Ethereum\
Source: vidar.exe	String found in binary or memory: \Exodus\
Source: vidar.exe	String found in binary or memory: default_wallet
Source: vidar.exe	String found in binary or memory: file__0.localstorage
Source: vidar.exe	String found in binary or memory: \Ethereum\
Source: vidar.exe	String found in binary or memory: MultiDoge
Source: vidar.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: vidar.exe	String found in binary or memory: seed.seco
Source: vidar.exe	String found in binary or memory: keystore
Source: vidar.exe	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match

File source: Process Memory Space: vidar.exe PID: 5108, type: MEMORY

Remote Access Functionality:

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.238401992.00000000025A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.496886988.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vidar.exe PID: 5108, type: MEMORY
Source: Yara match	File source: 0.2.vidar.exe.b40e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.vidar.exe.25a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vidar.exe.b40e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.vidar.exe.25a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.vidar.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Process Injection1	Masquerading1	Input Capture1	System Time Discovery2	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Process Injection1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing21	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery14	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vidar.exe	59%	Virustotal		Browse
vidar.exe	29%	Metadefender		Browse
vidar.exe	86%	ReversingLabs	Win32.Trojan.Glupteba
vidar.exe	100%	Avira	TR/AD.VidarStealer.jlejb
vidar.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.vidar.exe.25a0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.vidar.exe.400000.0.unpack	100%	Avira	TR/AD.VidarStealer.jlejb	Download File
0.2.vidar.exe.b40e50.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://198.98.55.103/freebl3.dll.21.3.	0%	Avira URL Cloud	safe
http://198.98.55.103/	0%	Virustotal		Browse
http://198.98.55.103/	0%	Avira URL Cloud	safe
http://198.98.55.103/softokn3.dllknames/vyh62lapin	0%	Avira URL Cloud	safe
http://198.98.55.103/mozglue.dllo	0%	Avira URL Cloud	safe
http://198.98.55.103/828	0%	Avira URL Cloud	safe
http://198.98.55.103/msvcp140.dll000000	0%	Avira URL Cloud	safe
http://198.98.55.103/nss3.dllRBPA7X4H3Z	0%	Avira URL Cloud	safe
http://198.98.55.103/softokn3.dll6.1.5.	0%	Avira URL Cloud	safe
http://198.98.55.103/nss3.dll	0%	Avira URL Cloud	safe
http://198.98.55.103/freebl3.dll	0%	Avira URL Cloud	safe
http://198.98.55.103/softokn3.dll	0%	Avira URL Cloud	safe
http://198.98.55.103/freebl3.dllK	0%	Avira URL Cloud	safe
http://198.98.55.103/msvcp140.dll	0%	Avira URL Cloud	safe
http://198.98.55.103/mozglue.dllcknames/vyh62lapin	0%	Avira URL Cloud	safe
http://198.98.55.103/mozglue.dll	0%	Avira URL Cloud	safe
http://198.98.55.103/msvcp140.dllu	0%	Avira URL Cloud	safe
http://198.98.55.103/nss3.dlle	0%	Avira URL Cloud	safe
http://198.98.55.103/softokn3.dll1	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.faceit.com	104.17.62.50	true	false		high
clientconfig.passport.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://report-uri.cloudflare.com/cd	vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	false		high
http://198.98.55.103/freebl3.dll.21.3.	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/	vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://198.98.55.103/softokn3.dllknames/vyh62lapin	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.faceit.com/n	vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false		high
https://api.faceit.com/core/v1/nicknames/vyh62lapinU	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false		high
http://198.98.55.103/mozglue.dllo	vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.faceit.com/core/v1/nicknames/vyh62lapin	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false		high
https://api.faceit.com/core/v1/nicknames/vyh62lapinbx0	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false		high
https://api.faceit.com/core/v1/nicknames/vyh62lapintx	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false		high
http://198.98.55.103/828	vidar.exe, 00000000.00000002.498067502.0000000000CB3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/msvcp140.dll000000	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/nss3.dllRBPA7X4H3Z	vidar.exe, 00000000.00000002.497966657.0000000000CA1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/softokn3.dll6.1.5.	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/nss3.dll	vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/freebl3.dll	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/softokn3.dll	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/freebl3.dllK	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/msvcp140.dll	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp, vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/mozglue.dllcknames/vyh62lapin	vidar.exe, 00000000.00000002.497391361.0000000000C77000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/mozglue.dll	vidar.exe, 00000000.00000002.498219747.0000000000CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/msvcp140.dllu	vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.faceit.com/M	vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false		high
http://198.98.55.103/nss3.dlle	vidar.exe, 00000000.00000002.498396039.0000000000CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://198.98.55.103/softokn3.dll1	vidar.exe, 00000000.00000002.497979472.0000000000CA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.17.62.50	api.faceit.com	United States		13335	CLOUDFLARENETUS	false
198.98.55.103	unknown	United States		53667	PONYNETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	424408
Start date:	25.05.2021
Start time:	21:21:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	vidar.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@1/1@2/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 92
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.123.150.225, 51.103.5.186, 104.42.151.234, 204.79.197.200, 13.107.21.200, 92.122.145.220, 40.88.32.150, 13.88.21.125, 23.57.80.111, 168.61.161.212, 20.82.209.183, 67.26.75.254, 8.238.27.126, 8.253.207.120, 8.241.80.126, 8.241.78.126, 205.185.216.42, 205.185.216.10, 92.122.213.247, 92.122.213.194, 20.54.104.15, 20.54.26.129, 52.155.217.156, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, authgfx.msa.akadns6.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.17.62.50	Xc4mKZJqZF.exe	Get hash	malicious	Browse
	i5g5WqCy2J.exe	Get hash	malicious	Browse
	ABUITiTl1w.exe	Get hash	malicious	Browse
	fba700af184835ef164e28b6e5fc6f18e4fece1ae08d1.exe	Get hash	malicious	Browse
	5conp6TiYf.exe	Get hash	malicious	Browse
	8LIt333TCN.exe	Get hash	malicious	Browse
	hI2XWshb7I.exe	Get hash	malicious	Browse
	6E1LllIw64.exe	Get hash	malicious	Browse
	10Qy7p3slc.exe	Get hash	malicious	Browse
	1OUOf1c5xf.exe	Get hash	malicious	Browse
	RRevYOwjz8.exe	Get hash	malicious	Browse
	f8onpz9o98.exe	Get hash	malicious	Browse
	OacQdX1pg0.exe	Get hash	malicious	Browse
	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	Get hash	malicious	Browse
	2D8nq5HbyE.exe	Get hash	malicious	Browse
	file5.exe	Get hash	malicious	Browse
	Uc18q04nYe.exe	Get hash	malicious	Browse
	P748jZ2XlY.exe	Get hash	malicious	Browse
	L3T91myq6o.exe	Get hash	malicious	Browse
	x86_x64_setup.exe	Get hash	malicious	Browse
198.98.55.103	e3LQ8EXOy3.exe	Get hash	malicious	Browse	198.98.55.103/
	ROpgySHM6N.exe	Get hash	malicious	Browse	198.98.55.103/
	DZ4xDpoGJ3.exe	Get hash	malicious	Browse	198.98.55.103/vcruntime140.dll
	wn1b07WNKv.exe	Get hash	malicious	Browse	198.98.55.103/vcruntime140.dll
	lJvtP3Ytl7.exe	Get hash	malicious	Browse	198.98.55.103/vcruntime140.dll
	3S8La8tVE4.exe	Get hash	malicious	Browse	198.98.55.103/vcruntime140.dll
	qLpyW8ZKA9.exe	Get hash	malicious	Browse	static.accelerator-introlab.ml/
	7yZsRpugG2.exe	Get hash	malicious	Browse	static.accelerator-introlab.ml/
	R31iR6jQNF.exe	Get hash	malicious	Browse	static.accelerator-introlab.ml/vcruntime140.dll
	XFkh7a5MnJ.exe	Get hash	malicious	Browse	static.accelerator-introlab.ml/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.faceit.com	Xc4mKZJqZF.exe	Get hash	malicious	Browse	104.17.62.50
	i5g5WqCy2J.exe	Get hash	malicious	Browse	104.17.62.50
	FP2SiNms8k.exe	Get hash	malicious	Browse	104.17.63.50
	Xh6wfZITsK.exe	Get hash	malicious	Browse	104.17.63.50
	fba700af184835ef164e28b6e5fc6f18e4fece1ae08d1.exe	Get hash	malicious	Browse	104.17.62.50
	sP2AXSWC73.exe	Get hash	malicious	Browse	104.17.62.50
	hI2XWshb7I.exe	Get hash	malicious	Browse	104.17.62.50
	dcc67d946b8fab4a036ce1e8a2f200fb446fb22248a42.exe	Get hash	malicious	Browse	104.17.63.50
	zKhFIX8zL9.exe	Get hash	malicious	Browse	104.17.63.50
	Lma2EzVvAK.exe	Get hash	malicious	Browse	104.17.63.50
	UQ2APcAdTT.exe	Get hash	malicious	Browse	104.17.63.50
	1OUOf1c5xf.exe	Get hash	malicious	Browse	104.17.62.50
	RRevYOwjz8.exe	Get hash	malicious	Browse	104.17.62.50
	f8onpz9o98.exe	Get hash	malicious	Browse	104.17.62.50
	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	Get hash	malicious	Browse	104.17.62.50
	file5.exe	Get hash	malicious	Browse	104.17.62.50
	Uc18q04nYe.exe	Get hash	malicious	Browse	104.17.62.50
	P748jZ2XlY.exe	Get hash	malicious	Browse	104.17.62.50
	uAC5ja2ZtD.exe	Get hash	malicious	Browse	104.17.63.50
	L3T91myq6o.exe	Get hash	malicious	Browse	104.17.62.50

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	PURCHASE REQUISITION ORDER 300321.exe	Get hash	malicious	Browse	162.159.135.233
	e1wxCcfD3a.exe	Get hash	malicious	Browse	104.21.12.23
	Banco SantanderSWIFT-034562MXT0.exe	Get hash	malicious	Browse	104.21.58.209
	r4R45DX9FpWVhN6.exe	Get hash	malicious	Browse	104.21.19.200
	061195d6_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.135.233
	Quotation.exe	Get hash	malicious	Browse	104.22.19.188
	42bceb60_by_Libranalysis.xlsx	Get hash	malicious	Browse	104.21.19.200
	Dr2roEBoQA.exe	Get hash	malicious	Browse	104.21.19.200
	FiYBg9R8m0.exe	Get hash	malicious	Browse	104.23.99.190
	Xc4mKZJqZF.exe	Get hash	malicious	Browse	104.17.62.50
	BWcwxZ6BEj.exe	Get hash	malicious	Browse	104.21.19.200
	ccJ7ULa68I.exe	Get hash	malicious	Browse	104.21.3.187
	Ohki Blower Skid Base Enquiry 052521.exe	Get hash	malicious	Browse	23.227.38.74
	n2fpCzXURP.exe	Get hash	malicious	Browse	172.67.161.4
	rfvytufhf.exe	Get hash	malicious	Browse	104.21.75.198
	SecuriteInfo.com.Trojan.Win32.Save.a.5690.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase_Order.xlsx	Get hash	malicious	Browse	172.67.181.81
	Shipping Details.exe	Get hash	malicious	Browse	162.159.129.233
	Shipment Document BLINV and packing list.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Trojan.Win32.Save.a.3642.exe	Get hash	malicious	Browse	104.21.19.200
PONYNETUS	701fbddf_by_Libranalysis.exe	Get hash	malicious	Browse	199.195.253.181
	7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe	Get hash	malicious	Browse	198.98.55.103
	000192.xls	Get hash	malicious	Browse	198.251.81.30
	test.sh	Get hash	malicious	Browse	209.141.47.35
	GXJ35z5wYG.exe	Get hash	malicious	Browse	199.195.251.96
	Lvzc7aE8rQ.exe	Get hash	malicious	Browse	199.195.251.96
	SqexqH7KPe.exe	Get hash	malicious	Browse	199.195.251.96
	0ccd2703_by_Libranalysis.exe	Get hash	malicious	Browse	198.251.84.92
	74Dhsai14R.exe	Get hash	malicious	Browse	107.189.31.181
	PL5016030751.exe	Get hash	malicious	Browse	209.141.61.124
	Payment Advice.exe	Get hash	malicious	Browse	209.141.49.199
	SecuriteInfo.com.Mal.Generic-S.3107.exe	Get hash	malicious	Browse	209.141.50.70
	PL_017542000.doc	Get hash	malicious	Browse	209.141.50.70
	H0kDylXIaQ.exe	Get hash	malicious	Browse	199.195.251.96
	DHL Delivery Document.exe	Get hash	malicious	Browse	209.141.49.199
	Y44KdzdByL.exe	Get hash	malicious	Browse	199.195.251.96
	Olqmvkwk.exe	Get hash	malicious	Browse	209.141.50.70
	eF23VSPJ5V.exe	Get hash	malicious	Browse	205.185.127.90
	866WzPfS3E.exe	Get hash	malicious	Browse	205.185.127.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	research-1748832384.xls	Get hash	malicious	Browse	104.17.62.50
	PURCHASE REQUISITION ORDER 300321.exe	Get hash	malicious	Browse	104.17.62.50
	e1wxCcfD3a.exe	Get hash	malicious	Browse	104.17.62.50
	c9d2a3fKe7.xls	Get hash	malicious	Browse	104.17.62.50
	061195d6_by_Libranalysis.exe	Get hash	malicious	Browse	104.17.62.50
	daa5376b_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	analysis-558814486.xls	Get hash	malicious	Browse	104.17.62.50
	14faa410_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	diagram-673579741.xls.xls	Get hash	malicious	Browse	104.17.62.50
	Z17dP4pSdq.exe	Get hash	malicious	Browse	104.17.62.50
	Xc4mKZJqZF.exe	Get hash	malicious	Browse	104.17.62.50
	analysis-1134364064.xls	Get hash	malicious	Browse	104.17.62.50
	f2079b30_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	2a8091dd_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	research-2042572821.xls	Get hash	malicious	Browse	104.17.62.50
	i5g5WqCy2J.exe	Get hash	malicious	Browse	104.17.62.50
	bd42b1ee_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	0b6536b0_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	9d2c79aa_by_Libranalysis.xls	Get hash	malicious	Browse	104.17.62.50
	porosi e re Fature Proforma.exe	Get hash	malicious	Browse	104.17.62.50

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\vyh62lapin[1].json Download File
Process:	C:\Users\user\Desktop\vidar.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	1084
Entropy (8bit):	4.92011924373637
Encrypted:	false
SSDEEP:	24:YuZzplXgwqCAxz/IEW4H//yRDwHHhq/fkrcK0/Tc/Azr13i69uB:YuflfqI74HnyGHHQfkrX0/kA04e
MD5:	55DEB27EDDF3E54B63045F5EBDCDBEB5
SHA1:	AA69B753F4A6580F4309EDED2C7C3A7DA6735813
SHA-256:	FB8744A969061AA5978893A32B0A2E365EA6F13CEDC2AAC64D00C109FDB61A29
SHA-512:	95EAAC2848F233E29B0C8B10BBBEFE2956D98652EE761788AA6666D4BBABC9D2148DFBADB72AD0839F81B4D2C0CC0CF0354FFEDF753B8D02DAD3A29F1CB4F109
Malicious:	false
Reputation:	low
IE Cache URL:	https://api.faceit.com/core/v1/nicknames/vyh62lapin
Preview:	{"result":"ok","payload":{"country":"at","registration_status":"active","about":"198.98.55.103\|","matches_left":0,"private_tournaments_invitations":{},"user_type":"user","games":{},"matches_not_played":0,"settings":{"language":"en"},"active_team_id":null,"newsletter_promotions":false,"version":4,"created_by":"anonymous","favorite_tournaments":[],"activated_at":"Tue Mar 30 20:46:17 UTC 2021","invitations_remaining":10,"steam_id":"","ongoing_rooms":{},"updated_by":"4def9d1a-be77-4fc7-8bf2-715d7f672e88","guid":"4def9d1a-be77-4fc7-8bf2-715d7f672e88","private_tournaments":[],"status":"AVAILABLE","guest_info":{},"notification_tournament_joined_starts":false,"friends_ids":[],"flag":"","created_at":"Tue Mar 30 20:46:17 UTC 2021","membership":{"type":"free"},"memberships":["free"],"newsletter_general":false,"nickname":"vyh62lapin","ongoing_tournaments":{},"socials":{},"website":"","verified":false,"entity_type":"user"},"server_epoch_time":1621970480,"message":"Operation performed correctly.","e

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.700301659275623
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vidar.exe
File size:	615424
MD5:	d6e3cc39633db14165cb84ff0aab7e32
SHA1:	3fd3927e30b8af15291840179b0685f402f36b00
SHA256:	d80e33c76d583d678e8286c52b4b65b2da4d5fcc70f2de1eecee419a0879b945
SHA512:	08ceb20f5bc9e4e1a2d5d4373f0423bb0ab8dc5d7934fba4ad91a5104628d66ec6193e3cad3f6caffc67a11ae0b178fca1cf6ebba090973b2bc78f8dee82bf76
SSDEEP:	12288:w40FyI77OFlEw7IdGAG/jpC/at3OmI3FhgcDBOisRuI9aXvjGg:r0cc7OFlcqjyN34czsuI9si
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E...+...+...+.......+.......+..gP...+...*...+.......+.......+.......+.Rich..+.................PE..L...T.{^...................

File Icon


Icon Hash:	ee9cdcac9cc4b4d4

Static PE Info

General
Entrypoint:	0x4059f3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5E7BED54 [Wed Mar 25 23:46:28 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7d1cba165583f87245c44788a2941cf3

Entrypoint Preview

Instruction
call 00007FB8D9091055h
jmp 00007FB8D90886DDh
cmp ecx, dword ptr [004937A8h]
jne 00007FB8D9088864h
rep ret
jmp 00007FB8D90910D7h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004937A8h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004937A8h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004937A8h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x306e4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48b000	0x3568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b280	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f630	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x234	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29bd2	0x29c00	False	0.546740503368	data	6.65458595406	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x63cc	0x6400	False	0.4596484375	data	5.66497190646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x4585ec	0x62a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x48b000	0x3568	0x3600	False	0.646918402778	data	5.76052213881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x48d8f0	0x134	data	Tamil	India
RT_CURSOR	0x48d8f0	0x134	data	Tamil	Sri Lanka
RT_ICON	0x48b2a0	0x25a8	data	Tamil	India
RT_ICON	0x48b2a0	0x25a8	data	Tamil	Sri Lanka
RT_STRING	0x48db88	0x1ea	data	Tamil	India
RT_STRING	0x48db88	0x1ea	data	Tamil	Sri Lanka
RT_STRING	0x48dd78	0x35e	data	Tamil	India
RT_STRING	0x48dd78	0x35e	data	Tamil	Sri Lanka
RT_STRING	0x48e0d8	0x30a	data	Tamil	India
RT_STRING	0x48e0d8	0x30a	data	Tamil	Sri Lanka
RT_STRING	0x48e3e8	0x17c	data	Tamil	India
RT_STRING	0x48e3e8	0x17c	data	Tamil	Sri Lanka
RT_ACCELERATOR	0x48d860	0x90	data	Tamil	India
RT_ACCELERATOR	0x48d860	0x90	data	Tamil	Sri Lanka
RT_GROUP_CURSOR	0x48da28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Tamil	India
RT_GROUP_CURSOR	0x48da28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Tamil	Sri Lanka
RT_GROUP_ICON	0x48d848	0x14	data	Tamil	India
RT_GROUP_ICON	0x48d848	0x14	data	Tamil	Sri Lanka
RT_VERSION	0x48da40	0x144	data	Tamil	India
RT_VERSION	0x48da40	0x144	data	Tamil	Sri Lanka

Imports

DLL

Import

KERNEL32.dll

CreateJobObjectA, GetProcessPriorityBoost, WriteConsoleW, GetVolumeInformationA, GetSystemPowerStatus, DeleteVolumeMountPointW, GetDefaultCommConfigW, CreateMutexW, GetStdHandle, InterlockedDecrement, GetSystemTimeAdjustment, FileTimeToSystemTime, GetNamedPipeHandleStateA, CallNamedPipeW, EnumResourceNamesW, BuildCommDCBAndTimeoutsA, EnterCriticalSection, DebugSetProcessKillOnExit, EnumTimeFormatsW, TlsSetValue, GetACP, WriteFile, GetCurrentActCtx, ReleaseActCtx, AddRefActCtx, GetHandleInformation, OpenFile, VerifyVersionInfoA, GetVersionExA, FreeLibrary, LoadLibraryExW, GetComputerNameA, CommConfigDialogA, VirtualProtect, lstrcpyA, LoadLibraryW, LocalAlloc, SetEndOfFile, CancelWaitableTimer, GetCurrentDirectoryW, VirtualFree, GetCommMask, HeapFree, RaiseException, GetBinaryTypeA, GlobalSize, SetConsoleMode, GetLargestConsoleWindowSize, MoveFileW, SetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, WriteConsoleInputW, OpenMutexW, SetThreadContext, AddAtomW, FindVolumeMountPointClose, SetSystemTime, GlobalAlloc, GetCommandLineA, SetLocalTime, GetSystemTimeAsFileTime, DisconnectNamedPipe, SetConsoleCursorInfo, TerminateProcess, GetFileAttributesW, GetLastError, lstrlenA, CompareStringW, CompareStringA, RtlUnwind, GetStartupInfoA, HeapAlloc, LeaveCriticalSection, SetHandleCount, GetFileType, DeleteCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleA, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetCurrentThread, Sleep, ExitProcess, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, FatalAppExitA, VirtualAlloc, HeapReAlloc, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetOEMCP, IsValidCodePage, MultiByteToWideChar, HeapSize, SetConsoleCtrlHandler, InterlockedExchange, LoadLibraryA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, ReadFile, SetFilePointer, GetLocaleInfoW, CloseHandle, WriteConsoleA, GetConsoleOutputCP, SetStdHandle, GetTimeZoneInformation, CreateFileA, SetEnvironmentVariableA

USER32.dll

GetComboBoxInfo

Version Infos

Description	Data
FileVerus	1.0.52.18
ProductVersys	1.6.27.29
Translations	0x0166 0x0122

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 79
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2021 21:22:12.354717016 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.466480017 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.466629982 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.482568979 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.594783068 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.601564884 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.601603985 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.601625919 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.601758957 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.601819038 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.670912027 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.783035994 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.783576012 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:12.783698082 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.798702002 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:12.912496090 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:13.047610044 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:13.047666073 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:13.047686100 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:13.047702074 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:13.047719955 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:13.047729969 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:22:13.047743082 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:13.047771931 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:22:13.177448034 CEST	49716	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:16.245131969 CEST	49716	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:22.245712042 CEST	49716	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:34.255513906 CEST	49731	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:37.315562963 CEST	49731	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:43.363696098 CEST	49731	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:55.446259975 CEST	49740	80	192.168.2.7	198.98.55.103
May 25, 2021 21:22:58.576832056 CEST	49740	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:04.577326059 CEST	49740	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:16.587881088 CEST	49752	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:19.594254971 CEST	49752	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:25.610409021 CEST	49752	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:37.630085945 CEST	49758	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:40.642926931 CEST	49758	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:46.643379927 CEST	49758	80	192.168.2.7	198.98.55.103
May 25, 2021 21:23:58.647275925 CEST	49761	80	192.168.2.7	198.98.55.103
May 25, 2021 21:24:01.660248041 CEST	49761	80	192.168.2.7	198.98.55.103
May 25, 2021 21:24:02.083074093 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:24:02.186400890 CEST	443	49715	104.17.62.50	192.168.2.7
May 25, 2021 21:24:02.186522007 CEST	49715	443	192.168.2.7	104.17.62.50
May 25, 2021 21:24:07.661186934 CEST	49761	80	192.168.2.7	198.98.55.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 25, 2021 21:21:57.729280949 CEST	60501	53	192.168.2.7	8.8.8.8
May 25, 2021 21:21:57.879302979 CEST	53	60501	8.8.8.8	192.168.2.7
May 25, 2021 21:21:59.365799904 CEST	53775	53	192.168.2.7	8.8.8.8
May 25, 2021 21:21:59.495385885 CEST	53	53775	8.8.8.8	192.168.2.7
May 25, 2021 21:21:59.531275034 CEST	51837	53	192.168.2.7	8.8.8.8
May 25, 2021 21:21:59.654115915 CEST	53	51837	8.8.8.8	192.168.2.7
May 25, 2021 21:22:00.182545900 CEST	55411	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:00.314812899 CEST	53	55411	8.8.8.8	192.168.2.7
May 25, 2021 21:22:01.006141901 CEST	63668	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:01.073807955 CEST	54640	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:01.142441988 CEST	53	63668	8.8.8.8	192.168.2.7
May 25, 2021 21:22:01.195900917 CEST	53	54640	8.8.8.8	192.168.2.7
May 25, 2021 21:22:03.397062063 CEST	58739	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:03.517426014 CEST	53	58739	8.8.8.8	192.168.2.7
May 25, 2021 21:22:04.944226027 CEST	60338	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:05.081922054 CEST	53	60338	8.8.8.8	192.168.2.7
May 25, 2021 21:22:06.515163898 CEST	58717	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:06.635440111 CEST	53	58717	8.8.8.8	192.168.2.7
May 25, 2021 21:22:07.748025894 CEST	59762	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:07.863831043 CEST	53	59762	8.8.8.8	192.168.2.7
May 25, 2021 21:22:11.805011034 CEST	54329	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:11.924093962 CEST	53	54329	8.8.8.8	192.168.2.7
May 25, 2021 21:22:12.200756073 CEST	58052	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:12.339931011 CEST	53	58052	8.8.8.8	192.168.2.7
May 25, 2021 21:22:13.430053949 CEST	54008	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:13.548043966 CEST	53	54008	8.8.8.8	192.168.2.7
May 25, 2021 21:22:14.942342997 CEST	59451	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:15.059194088 CEST	53	59451	8.8.8.8	192.168.2.7
May 25, 2021 21:22:16.454349995 CEST	52914	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:16.587582111 CEST	53	52914	8.8.8.8	192.168.2.7
May 25, 2021 21:22:18.099071980 CEST	64569	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:18.224106073 CEST	53	64569	8.8.8.8	192.168.2.7
May 25, 2021 21:22:19.739213943 CEST	52816	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:19.860472918 CEST	53	52816	8.8.8.8	192.168.2.7
May 25, 2021 21:22:22.389113903 CEST	50781	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:22.506057024 CEST	53	50781	8.8.8.8	192.168.2.7
May 25, 2021 21:22:24.868535995 CEST	54230	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:25.014803886 CEST	53	54230	8.8.8.8	192.168.2.7
May 25, 2021 21:22:27.489850998 CEST	54911	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:27.611530066 CEST	53	54911	8.8.8.8	192.168.2.7
May 25, 2021 21:22:28.836240053 CEST	49958	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:28.959496021 CEST	53	49958	8.8.8.8	192.168.2.7
May 25, 2021 21:22:30.410797119 CEST	50860	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:30.531542063 CEST	53	50860	8.8.8.8	192.168.2.7
May 25, 2021 21:22:32.274048090 CEST	50452	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:32.399282932 CEST	53	50452	8.8.8.8	192.168.2.7
May 25, 2021 21:22:33.884952068 CEST	59730	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:33.998354912 CEST	53	59730	8.8.8.8	192.168.2.7
May 25, 2021 21:22:35.395159960 CEST	59310	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:35.527271986 CEST	53	59310	8.8.8.8	192.168.2.7
May 25, 2021 21:22:37.295701981 CEST	51919	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:37.416249990 CEST	53	51919	8.8.8.8	192.168.2.7
May 25, 2021 21:22:38.878722906 CEST	64296	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:39.001749039 CEST	53	64296	8.8.8.8	192.168.2.7
May 25, 2021 21:22:39.852130890 CEST	56680	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:39.986241102 CEST	53	56680	8.8.8.8	192.168.2.7
May 25, 2021 21:22:54.320614100 CEST	58820	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:54.465017080 CEST	53	58820	8.8.8.8	192.168.2.7
May 25, 2021 21:22:54.694904089 CEST	60983	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:54.811883926 CEST	53	60983	8.8.8.8	192.168.2.7
May 25, 2021 21:22:55.195137024 CEST	49247	53	192.168.2.7	8.8.8.8
May 25, 2021 21:22:55.314908981 CEST	53	49247	8.8.8.8	192.168.2.7
May 25, 2021 21:23:09.351732969 CEST	52286	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:10.358045101 CEST	56064	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:10.376064062 CEST	52286	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:10.499262094 CEST	53	56064	8.8.8.8	192.168.2.7
May 25, 2021 21:23:10.596381903 CEST	53	52286	8.8.8.8	192.168.2.7
May 25, 2021 21:23:11.556754112 CEST	63744	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:11.642148018 CEST	61457	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:11.684068918 CEST	53	63744	8.8.8.8	192.168.2.7
May 25, 2021 21:23:11.850933075 CEST	53	61457	8.8.8.8	192.168.2.7
May 25, 2021 21:23:13.474244118 CEST	58367	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:13.603161097 CEST	53	58367	8.8.8.8	192.168.2.7
May 25, 2021 21:23:14.438884020 CEST	60599	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:14.570132017 CEST	53	60599	8.8.8.8	192.168.2.7
May 25, 2021 21:23:15.560354948 CEST	59571	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:15.688266993 CEST	53	59571	8.8.8.8	192.168.2.7
May 25, 2021 21:23:16.894424915 CEST	52689	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:17.010474920 CEST	53	52689	8.8.8.8	192.168.2.7
May 25, 2021 21:23:17.791368008 CEST	50290	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:17.923086882 CEST	53	50290	8.8.8.8	192.168.2.7
May 25, 2021 21:23:19.602740049 CEST	60427	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:19.729371071 CEST	53	60427	8.8.8.8	192.168.2.7
May 25, 2021 21:23:21.222070932 CEST	56209	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:21.323182106 CEST	53	56209	8.8.8.8	192.168.2.7
May 25, 2021 21:23:22.132055044 CEST	59582	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:22.255390882 CEST	53	59582	8.8.8.8	192.168.2.7
May 25, 2021 21:23:37.621407986 CEST	60949	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:37.758371115 CEST	53	60949	8.8.8.8	192.168.2.7
May 25, 2021 21:23:42.572879076 CEST	58542	53	192.168.2.7	8.8.8.8
May 25, 2021 21:23:42.708034039 CEST	53	58542	8.8.8.8	192.168.2.7
May 25, 2021 21:24:01.142847061 CEST	59179	53	192.168.2.7	8.8.8.8
May 25, 2021 21:24:01.284307957 CEST	53	59179	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 25, 2021 21:21:57.729280949 CEST	192.168.2.7	8.8.8.8	0x11e	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
May 25, 2021 21:22:12.200756073 CEST	192.168.2.7	8.8.8.8	0x4429	Standard query (0)	api.faceit.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 25, 2021 21:21:57.879302979 CEST	8.8.8.8	192.168.2.7	0x11e	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
May 25, 2021 21:22:12.339931011 CEST	8.8.8.8	192.168.2.7	0x4429	No error (0)	api.faceit.com		104.17.62.50	A (IP address)	IN (0x0001)
May 25, 2021 21:22:12.339931011 CEST	8.8.8.8	192.168.2.7	0x4429	No error (0)	api.faceit.com		104.17.63.50	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 25, 2021 21:22:12.601625919 CEST	104.17.62.50	443	192.168.2.7	49715	CN=*.faceit.com, O=FACE IT LIMITED, L=London, C=GB CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Jun 17 02:00:00 CEST 2019 Mon Nov 06 13:23:45 CET 2017	Wed Jul 21 14:00:00 CEST 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
May 25, 2021 21:22:12.601625919 CEST	104.17.62.50	443	192.168.2.7	49715	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

• vidar.exe

Click to jump to process

Memory Usage

• vidar.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: vidar.exe PID: 5108 Parent PID: 5712

Function Logs

General

Start time:	21:22:07
Start date:	25/05/2021
Path:	C:\Users\user\Desktop\vidar.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vidar.exe'
Imagebase:	0x400000
File size:	615424 bytes
MD5 hash:	D6E3CC39633DB14165CB84FF0AAB7E32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.238401992.00000000025A0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.496886988.0000000000B40000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Created

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Delayed

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: vidar.exe PID: 5108 Parent PID: 5712 vidar.exeCOMMON

Executed Functions

Function 0045E310, Relevance: 19.6, APIs: 13, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000001,?,004063EF), ref: 0045E318
GetProcAddress.KERNEL32(00000000), ref: 0045E331
GetProcAddress.KERNEL32(00000000), ref: 0045E33F
LoadLibraryA.KERNEL32(?,004063EF), ref: 0045E34C
LoadLibraryA.KERNEL32(?,004063EF), ref: 0045E35A
GetProcAddress.KERNEL32(00000000), ref: 0045E36D
GetProcAddress.KERNEL32(00000000), ref: 0045E37F
GetProcAddress.KERNEL32(00000000), ref: 0045E391
GetProcAddress.KERNEL32(00000000), ref: 0045E3A3
GetProcAddress.KERNEL32(00000000), ref: 0045E3B5
GetProcAddress.KERNEL32(00000000), ref: 0045E3C7
GetProcAddress.KERNEL32(00000000), ref: 0045E3DD
GetProcAddress.KERNEL32(00000000), ref: 0045E3EF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 2f3ed67d73aa7259a8f084c777a96950122bd8a547c58e0213e56c209fe86f88
Instruction ID: 4c4c1f23af473e8db54e1b9c62f4f4942ebe534d1b0fd7de91a97a40a0962cdb
Opcode Fuzzy Hash: 2f3ed67d73aa7259a8f084c777a96950122bd8a547c58e0213e56c209fe86f88
Instruction Fuzzy Hash: D621AD75801A10BF8B025F61FD4886A3EB5EBA92613234537FD0982638EB364911EF5C

Uniqueness

Uniqueness Score: -1.00%

Function 004042D5, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 124networkfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004042F4
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000014), ref: 00404317
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00800000,00000001), ref: 00404351
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00800000,00000001), ref: 00404384
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404398
InternetReadFile.WININET(00000000,?,000007FF,?), ref: 004043D0
InternetCloseHandle.WININET(?), ref: 004043DC
InternetCloseHandle.WININET(?), ref: 004043E5
InternetCloseHandle.WININET(?), ref: 004043EE

Strings

GET, xrefs: 0040437E

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileH_prolog3ReadSend
String ID: GET
API String ID: 3492638638-1805413626
Opcode ID: bc31c52141b230d1ac64e9605e77c2fcfcf876d3fe4816d674bcaf674765c704
Instruction ID: 97972f60182788cfa1fa754f1102d84e3138d6964d1ea4e04721c33d0341326a
Opcode Fuzzy Hash: bc31c52141b230d1ac64e9605e77c2fcfcf876d3fe4816d674bcaf674765c704
Instruction Fuzzy Hash: 9A4109B1A00149AFEB209F65DC84AEE77ADFB48344F10453AEA05AB290D7755E448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040638D, Relevance: 162.7, APIs: 47, Strings: 45, Instructions: 1746sleepfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406397
CreateDirectoryA.KERNEL32(025C1058,00000000,00000001,00000000,00000000), ref: 00406473
SetCurrentDirectoryA.KERNEL32(025C1058), ref: 00406486
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004064A8

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Part of subcall function 0040412A: __EH_prolog3.LIBCMT ref: 00404131
Part of subcall function 0040412A: _strtok.LIBCMT ref: 00404152
Part of subcall function 0040412A: _strtok.LIBCMT ref: 0040422F

Part of subcall function 00404530: __EH_prolog3.LIBCMT ref: 00404537

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 004068F8
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 00406922
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 0040694C
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 00406986
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 004069B0
CreateDirectoryA.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000), ref: 004069E1
SetCurrentDirectoryA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000), ref: 00406A0A
SetCurrentDirectoryA.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000), ref: 00406A96
__time64.LIBCMT ref: 00406AC3
__localtime64_s.LIBCMT ref: 00406AD6
_asctime_s.LIBCMT ref: 00406AE8
_fprintf.LIBCMT ref: 00406B1F
_fprintf.LIBCMT ref: 00406B41
_fprintf.LIBCMT ref: 00406B6F
_fprintf.LIBCMT ref: 00406BA8
_fprintf.LIBCMT ref: 00406BE1
GetCurrentProcessId.KERNEL32(00000001,00000000), ref: 00406BF4
_fprintf.LIBCMT ref: 00406C1E
_fprintf.LIBCMT ref: 00406C52
_fprintf.LIBCMT ref: 00406CE4
_fprintf.LIBCMT ref: 00406DFD
_fprintf.LIBCMT ref: 00406E75
_fprintf.LIBCMT ref: 00406EED
_fprintf.LIBCMT ref: 00406F65
_fprintf.LIBCMT ref: 00406FDD
_fprintf.LIBCMT ref: 00407059
_fprintf.LIBCMT ref: 004070B7
_fprintf.LIBCMT ref: 00407111
_fprintf.LIBCMT ref: 00407189
_fprintf.LIBCMT ref: 00407202
_fprintf.LIBCMT ref: 00407279
_fprintf.LIBCMT ref: 004072D2
_fprintf.LIBCMT ref: 0040730E

Part of subcall function 00403950: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00403962

Part of subcall function 00402AAB: _memmove.LIBCMT ref: 00402AFC

_fprintf.LIBCMT ref: 00407358
_fprintf.LIBCMT ref: 00407394
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004073F0
SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040741C
SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040745D

Part of subcall function 00408C38: __EH_prolog3.LIBCMT ref: 00408C3F

Part of subcall function 004056CA: __EH_prolog3_GS.LIBCMT ref: 004056D4
Part of subcall function 004056CA: __wgetenv.LIBCMT ref: 004056E2
Part of subcall function 004056CA: __wgetenv.LIBCMT ref: 00405743

Part of subcall function 0045AB0F: __EH_prolog3.LIBCMT ref: 0045AB2E

_fprintf.LIBCMT ref: 00406D85

Part of subcall function 0045AFDC: GetUserNameA.ADVAPI32(?,?), ref: 0045B011

SetCurrentDirectoryA.KERNEL32(025C1058,00000001,00000000,ccount,00000000,00000000,?,00000001,00000000,00000000,00000001,00000000,00000000,00000000,?,00000001), ref: 0040776E
Sleep.KERNEL32(00014FF0,2E383931,logs,?,00000001,00000000,00000001,00000000), ref: 0040794D
DeleteFileA.KERNEL32(?,2E383931,logs,?,00000001,00000000,00000001,00000000), ref: 00407991
SetCurrentDirectoryA.KERNEL32(C:\ProgramData), ref: 0040799C

Strings

\msvcp140.dll, xrefs: 004066D8
\files, xrefs: 0040648C, 0040743C, 00407844
User Name: , xrefs: 00406DCD
ccount, xrefs: 0040772C
\softokn3.dll, xrefs: 004067F2
Work Dir: %s , xrefs: 00406C47
Display Language: , xrefs: 00406EBD
\files\Wallets\, xrefs: 0040749A
G, xrefs: 00407902
logs, xrefs: 004078D0
\nss3.dll, xrefs: 00406765
/freebl3.dll, xrefs: 00406577
Processor: , xrefs: 004070E1
.zip, xrefs: 004077BF
Windows: , xrefs: 00406C88
files\information.txt, xrefs: 00406AAC
/mozglue.dll, xrefs: 00406608
Keyboard Languages: , xrefs: 00406F35
GUID: %s, xrefs: 00406B99
198.98.55.103, xrefs: 0040657F, 00406610, 0040669D, 0040672A, 004067B7, 00406844, 004078FD, 00407908, 0040790D
CPU Count: , xrefs: 00407159
RAM: , xrefs: 004071D1
Display Resolution: , xrefs: 00406E45
\freebl3.dll, xrefs: 004065BE
/msvcp140.dll, xrefs: 00406695
C:\ProgramData, xrefs: 00407997
[Processes], xrefs: 004072AA
Computer Name: , xrefs: 00406D50
\mozglue.dll, xrefs: 0040664B
Date: %s, xrefs: 00406B36
TimeZone: , xrefs: 00407025
[Hardware], xrefs: 0040708A
\vcruntime140.dll, xrefs: 0040687F
HWID: %s, xrefs: 00406BD2
*.*, xrefs: 00407836
/softokn3.dll, xrefs: 004067AF
/nss3.dll, xrefs: 00406722
[Software], xrefs: 00407330
VideoCard: , xrefs: 0040724A
Local Time: , xrefs: 00406FAD
Version: %s, xrefs: 00406B14
Path: %s , xrefs: 00406C13
/vcruntime140.dll, xrefs: 0040683C
MachineID: %s, xrefs: 00406B60
\files\Wallets, xrefs: 004069C5, 00407480

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$Directory$Create$Current$H_prolog3$H_prolog3___wgetenv_memmove_strtok$DeleteFileIos_base_dtorNameProcessSleepUser__localtime64_s__time64_asctime_sstd::ios_base::_
String ID: [Software]$*.*$.zip$/freebl3.dll$/mozglue.dll$/msvcp140.dll$/nss3.dll$/softokn3.dll$/vcruntime140.dll$198.98.55.103$C:\ProgramData$CPU Count: $Computer Name: $Date: %s$Display Language: $Display Resolution: $G$GUID: %s$HWID: %s$Keyboard Languages: $Local Time: $MachineID: %s$Path: %s $Processor: $RAM: $TimeZone: $User Name: $Version: %s$VideoCard: $Windows: $Work Dir: %s $[Hardware]$[Processes]$\files$\files\Wallets$\files\Wallets\$\freebl3.dll$\mozglue.dll$\msvcp140.dll$\nss3.dll$\softokn3.dll$\vcruntime140.dll$ccount$files\information.txt$logs
API String ID: 1520791077-520124604
Opcode ID: a4025f055707f979965e31943cab2a1e2ab498124b162b097aee3aab7bbc3a6e
Instruction ID: b587e324b983d5a7f763d4085537e03a3112bf7f0bd46b9372d1b78d3bcc2fa9
Opcode Fuzzy Hash: a4025f055707f979965e31943cab2a1e2ab498124b162b097aee3aab7bbc3a6e
Instruction Fuzzy Hash: 0FE25171800248AEDB15EBA5DD49EEE7B7CEF15308F1000BAF505B71D2DA785B88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045D9A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0045D9A7
Sleep.KERNEL32(00000064,ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,00000024,?,?,?,00000038,00403FBF,?,00000010), ref: 0045D9EF
__time64.LIBCMT ref: 0045D9F7

Part of subcall function 004637BC: GetSystemTimeAsFileTime.KERNEL32(?), ref: 004637C7
Part of subcall function 004637BC: __aulldiv.LIBCMT ref: 004637E7

Part of subcall function 0045BC4D: _malloc.LIBCMT ref: 0045BC55
Part of subcall function 0045BC4D: GetTickCount.KERNEL32 ref: 0045BC60
Part of subcall function 0045BC4D: _rand.LIBCMT ref: 0045BC75
Part of subcall function 0045BC4D: _sprintf.LIBCMT ref: 0045BC88

Part of subcall function 00466288: __getptd.LIBCMT ref: 0046628D

_rand.LIBCMT ref: 0045DA24

Part of subcall function 0046629A: __getptd.LIBCMT ref: 0046629A

Part of subcall function 0045BF8A: std::_Xinvalid_argument.LIBCPMT ref: 0045BF98

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 0045D9C2

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Time__getptd_rand$CountFileH_prolog3_catch_SleepSystemTickXinvalid_argument__aulldiv__time64_malloc_sprintfstd::_
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 503986416-374730529
Opcode ID: 47a463bb1699fb66ac8ec2fa43461f5c9cccbfd1d6525db0b097ada7523d6acb
Instruction ID: cfd7df66c7b214daec2039bd3b6577b17ec5cd5f7b09003de719c5105f123efd
Opcode Fuzzy Hash: 47a463bb1699fb66ac8ec2fa43461f5c9cccbfd1d6525db0b097ada7523d6acb
Instruction Fuzzy Hash: 7321D271D00344ABDB14EFA6DC86B9DB7B4BF54706F10401FF1016A1C2CBBC5A098B59

Uniqueness

Uniqueness Score: -1.00%

Function 00462BD1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00462BEB

Part of subcall function 0046444E: __FF_MSGBANNER.LIBCMT ref: 00464467
Part of subcall function 0046444E: __NMSG_WRITE.LIBCMT ref: 0046446E
Part of subcall function 0046444E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00464493

std::exception::exception.LIBCMT ref: 00462C20
std::exception::exception.LIBCMT ref: 00462C3A
__CxxThrowException@8.LIBCMT ref: 00462C4B

Strings

,$@, xrefs: 00462C03

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: ,$@
API String ID: 615853336-1227015840
Opcode ID: 7474357d69f8d141853b3d21a438f76b9d00b582cd591537642c24ba0344785c
Instruction ID: 9bcca392a0fb13a26b29044f6f53b4750f0933e1304bb1243acee5542adb5a81
Opcode Fuzzy Hash: 7474357d69f8d141853b3d21a438f76b9d00b582cd591537642c24ba0344785c
Instruction Fuzzy Hash: 4FF02631500A1A7ADB10AF15DD12A9E37A9AB40B58F11442FF400A60D1EFF8EA018B4F

Uniqueness

Uniqueness Score: -1.00%

Function 004093E7, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004093F5
_strcpy_s.LIBCMT ref: 0040940B
_memset.LIBCMT ref: 00409426

Strings

1BEF0A57BE110FD467A, xrefs: 004093FD

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memset$_strcpy_s
String ID: 1BEF0A57BE110FD467A
API String ID: 1261871945-2910601657
Opcode ID: 4fe0ff5fd85d0c69176a51025f418d3529d8cc4f401ed4e96bb11868b70f06c9
Instruction ID: baa5ca3a96dbc75d4bd130c36dc419a6b49442ac82b28bb474f4e7cb401c84ec
Opcode Fuzzy Hash: 4fe0ff5fd85d0c69176a51025f418d3529d8cc4f401ed4e96bb11868b70f06c9
Instruction Fuzzy Hash: F7F031B0A40704AFC760DF65C841F8B77E4EB08710F00491EF959D7740E6B8F8008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00407A39, Relevance: 3.8, APIs: 3, Instructions: 13sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E7), ref: 00407A53
Sleep.KERNEL32(0000029A), ref: 00407A5A
Sleep.KERNEL32(000000DE), ref: 00407A61

Part of subcall function 0040638D: __EH_prolog3_GS.LIBCMT ref: 00406397
Part of subcall function 0040638D: CreateDirectoryA.KERNEL32(025C1058,00000000,00000001,00000000,00000000), ref: 00406473
Part of subcall function 0040638D: SetCurrentDirectoryA.KERNEL32(025C1058), ref: 00406486
Part of subcall function 0040638D: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: DirectorySleep$Create$CurrentH_prolog3_
String ID:
API String ID: 2648378283-0
Opcode ID: 5029aa13f2833c01c23297b1e8bf224d0a6ce6550a0d0e8b5f5608ea5af3f303
Instruction ID: e65eaaed9d8d7b1197785b1f1ca1cf381d9ed1d4c0233fb467f4fd14d765c28c
Opcode Fuzzy Hash: 5029aa13f2833c01c23297b1e8bf224d0a6ce6550a0d0e8b5f5608ea5af3f303
Instruction Fuzzy Hash: 9FC01201A88264A2E1213BB38C06A8E0D084F4A750F0420332A083A0C18AFCAA408AFB

Uniqueness

Uniqueness Score: -1.00%

Function 0045A7CC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0045A808

Strings

Unknown, xrefs: 0045A820

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID: Unknown
API String ID: 3545744682-1654365787
Opcode ID: 5e4b0679d210a396bee0641e65fc8a2b6d05a0064c0952d70589f5c0831b269e
Instruction ID: 024ae53e96e6f6a79b55fd40fb9491f33bd3cf271597c35c3be7ab752a0bb746
Opcode Fuzzy Hash: 5e4b0679d210a396bee0641e65fc8a2b6d05a0064c0952d70589f5c0831b269e
Instruction Fuzzy Hash: 230186706002199BCB50DF65CD40AAAB7F8FF08309F4085BF9549D3241DE74AE4C8F99

Uniqueness

Uniqueness Score: -1.00%

Function 00470CEC, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004668A5,00000000,?,00000000,00000000,00000000,?,00469A58,00000001,00000214), ref: 00470D2F

Part of subcall function 004671C4: __getptd_noexit.LIBCMT ref: 004671C4

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 1dd082eec92a1a9ad932275066d52da102e1fbd221ecc55a51ee99ad3f5876cb
Instruction ID: d46785e86ab63e8fbfc304d2f8b1befcc2398228be573f757ffa4537b94511bc
Opcode Fuzzy Hash: 1dd082eec92a1a9ad932275066d52da102e1fbd221ecc55a51ee99ad3f5876cb
Instruction Fuzzy Hash: 8001B131202716DBEB389FA5DC54BEB3754AB91764F11C62BE81E8B2D0DB78E841C748

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040EAA2, Relevance: 75.4, APIs: 50, Instructions: 410memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040EABB

Part of subcall function 0040D45C: __EH_prolog3_GS.LIBCMT ref: 0040D463

GetProcessHeap.KERNEL32(00000008,00000104,00000001,?,00000104,0000002C), ref: 0040EB27
HeapAlloc.KERNEL32(00000000), ref: 0040EB2A
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EB40
HeapFree.KERNEL32(00000000), ref: 0040EB43
_strcpy_s.LIBCMT ref: 0040EB85
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EB9C
HeapFree.KERNEL32(00000000), ref: 0040EB9F
GetProcessHeap.KERNEL32(00000000,00000010,00000010,?,00000104), ref: 0040EBC9
HeapFree.KERNEL32(00000000), ref: 0040EBCC
GetProcessHeap.KERNEL32(00000008,00000104), ref: 0040EBD3
HeapAlloc.KERNEL32(00000000), ref: 0040EBD6
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EBEC
HeapFree.KERNEL32(00000000), ref: 0040EBEF
_strcpy_s.LIBCMT ref: 0040EC18
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EC29
HeapFree.KERNEL32(00000000), ref: 0040EC2C
GetProcessHeap.KERNEL32(00000000,00000010,00000010,?,00000104), ref: 0040EC4B
HeapFree.KERNEL32(00000000), ref: 0040EC4E
GetProcessHeap.KERNEL32(00000008,00000104), ref: 0040EC55
HeapAlloc.KERNEL32(00000000), ref: 0040EC58
_strcpy_s.LIBCMT ref: 0040EC70
GetProcessHeap.KERNEL32(00000000,?), ref: 0040EC81
HeapFree.KERNEL32(00000000), ref: 0040EC84
GetProcessHeap.KERNEL32(00000000,00000010,00000010,?,00000104), ref: 0040ECAA
HeapFree.KERNEL32(00000000), ref: 0040ECAD
GetProcessHeap.KERNEL32(00000008,00000104), ref: 0040ECB4
HeapAlloc.KERNEL32(00000000), ref: 0040ECB7
_strcpy_s.LIBCMT ref: 0040ECCF
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ECE0
HeapFree.KERNEL32(00000000), ref: 0040ECE3
GetProcessHeap.KERNEL32(00000008,?), ref: 0040ECFE
HeapAlloc.KERNEL32(00000000), ref: 0040ED01
_strcpy_s.LIBCMT ref: 0040ED61
GetProcessHeap.KERNEL32(00000000,00000010,00000001,00000000,00000001,00000000,?,?,00000010), ref: 0040ED87
HeapFree.KERNEL32(00000000,?,?,00000010), ref: 0040ED8A
GetProcessHeap.KERNEL32(00000008,?,?,?,00000010), ref: 0040EDA2
HeapAlloc.KERNEL32(00000000,?,?,00000010), ref: 0040EDA5
_strcpy_s.LIBCMT ref: 0040EDBD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000010), ref: 0040EDC9
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 0040EDCC
GetProcessHeap.KERNEL32(00000000,00000010,00000010,?,00000104,?,?,?,?,?,00000010), ref: 0040EDF3
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 0040EDF6
GetProcessHeap.KERNEL32(00000008,00000104,?,?,?,?,?,00000010), ref: 0040EDFD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 0040EE00
_strcpy_s.LIBCMT ref: 0040EE18
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000010), ref: 0040EE29
GetProcessHeap.KERNEL32(00000000,00000010,?,?,?,?,?,00000010), ref: 0040EEC6
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 0040EEC9
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000010), ref: 0040EE2C

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Heap$Process$Free$Alloc_strcpy_s$_memmove$H_prolog3H_prolog3_
String ID:
API String ID: 264996938-0
Opcode ID: 243a0cc8e4ac65da34627ed74816f5e5dc57d06b47ae3db2cb845e16c6ab7a6f
Instruction ID: 2cac488937337112f0b578b30d4c2e26fdedf5afb2da7edbdbc34e7dfbc9136c
Opcode Fuzzy Hash: 243a0cc8e4ac65da34627ed74816f5e5dc57d06b47ae3db2cb845e16c6ab7a6f
Instruction Fuzzy Hash: AEE10771C0021EAFDF11EFA5CD859AEBFB9FF08304F10082AF515B2291D6799A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040474C, Relevance: 56.6, APIs: 31, Strings: 1, Instructions: 602stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040476B
_memset.LIBCMT ref: 0040479A
_memset.LIBCMT ref: 004047AD
_memset.LIBCMT ref: 004047BB
_memset.LIBCMT ref: 004047C9
lstrcpyW.KERNEL32 ref: 004047D9
lstrcatW.KERNEL32(?,\*.*), ref: 004047EB
FindFirstFileW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 004047FC
lstrcpyW.KERNEL32 ref: 0040480F
lstrcatW.KERNEL32(?,00480590), ref: 00404822
lstrcatW.KERNEL32(?,?), ref: 00404833
lstrcpyW.KERNEL32 ref: 00404843
lstrcatW.KERNEL32(?,00480590), ref: 00404857
lstrcatW.KERNEL32(?,?), ref: 00404864
lstrcmpW.KERNEL32(?,0048058C,?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 0040487B
lstrcmpW.KERNEL32(?,00480584,?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 0040488E
PathMatchSpecW.SHLWAPI(?,00000000,00000001,00000000,?), ref: 00404959
PathMatchSpecW.SHLWAPI(?,00000000), ref: 00404D55

Part of subcall function 00402680: _memmove.LIBCMT ref: 004026A2

Part of subcall function 0045BE9A: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0045BEB5

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00404D8A

Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0045DA92
Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0045DAB5

FindNextFileW.KERNEL32(?,00000000,00000001,00000000), ref: 00404EB3
FindClose.KERNEL32(?), ref: 00404EC4
_memset.LIBCMT ref: 00404ED4
_memset.LIBCMT ref: 00404EE2
_memset.LIBCMT ref: 00404EF0
_memset.LIBCMT ref: 00404EFE
_memset.LIBCMT ref: 00404F4F
_memset.LIBCMT ref: 00404F5D
_memset.LIBCMT ref: 00404F6B
_memset.LIBCMT ref: 00404F79
FindClose.KERNEL32(00000008), ref: 00404F84

Part of subcall function 0040474C: DeleteFileW.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,?,00000001,00000000), ref: 00404A60

Strings

\*.*, xrefs: 004047DF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memset$lstrcat$FileFind$lstrcpy$ByteCharCloseMatchMultiPathSpecWidelstrcmp$CreateDeleteFirstH_prolog3NextUnothrow_t@std@@@__ehfuncinfo$??2@_memmove
String ID: \*.*
API String ID: 2798174453-1173974218
Opcode ID: ee945bf87134c17880fb04762518a3a802157662f0b6b690b5d94f558ace3389
Instruction ID: 131a779d31a98d20ffa3ab4c97d32e3d1f17986d6a4e88eae9c73ae7d8a57d13
Opcode Fuzzy Hash: ee945bf87134c17880fb04762518a3a802157662f0b6b690b5d94f558ace3389
Instruction Fuzzy Hash: 3A322AB1401189AEDF21EFA0DC85EEE777CFB54305F24053BE905AA191EB38AB44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404F9D, Relevance: 39.0, APIs: 14, Strings: 8, Instructions: 510fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00404FBC
_sprintf.LIBCMT ref: 00404FF6
FindFirstFileA.KERNEL32(?,00000000,?,?,00000018), ref: 00405009
_sprintf.LIBCMT ref: 0040505E

Part of subcall function 00463BC1: __output_l.LIBCMT ref: 00463C1C

_sprintf.LIBCMT ref: 00405083

Part of subcall function 00463BC1: __flsbuf.LIBCMT ref: 00463C37

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

_sprintf.LIBCMT ref: 00405092
PathMatchSpecA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000018), ref: 004050A1
CopyFileA.KERNEL32(?,00000000,00000001), ref: 0040525A
CopyFileA.KERNEL32(?,00000000,00000001), ref: 004053BA
CopyFileA.KERNEL32(?,00000000,00000001), ref: 00405515
_sprintf.LIBCMT ref: 00405638
FindNextFileA.KERNEL32(?,00000000,?,?,00000018), ref: 00405681
FindClose.KERNEL32(?,?,?,00000018), ref: 00405692

Strings

Metamask, xrefs: 00405139
%s\*, xrefs: 00404FF0
%s\%s, xrefs: 00405051, 0040505C, 00405090
fhbohimaelbohpjbbldcngcnapndodjp, xrefs: 004053C6
nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00405108
BinanceChainWallet, xrefs: 004053F7
ibnejdfjmmkpcnlpebklmnkoeoihofec, xrefs: 0040526B
Tronlink, xrefs: 0040529C

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File_sprintf$CopyFind$CloseFirstH_prolog3MatchNextPathSpec__flsbuf__output_l_memmove
String ID: %s\%s$%s\*$BinanceChainWallet$Metamask$Tronlink$fhbohimaelbohpjbbldcngcnapndodjp$ibnejdfjmmkpcnlpebklmnkoeoihofec$nkbihfbeogaeaoehlefnkodbefgpgknn
API String ID: 883585182-461212080
Opcode ID: 09f0c237ad2cde59c2c0246a3eba096ca0806d37c8d398292226ad033a7546ff
Instruction ID: 8f9f92c453e32991f11d1d338e676c94a5de44c381a9a75ea18ad7c3d0d61355
Opcode Fuzzy Hash: 09f0c237ad2cde59c2c0246a3eba096ca0806d37c8d398292226ad033a7546ff
Instruction Fuzzy Hash: 4E124B71500288AADB31EF65CD59FDF3BACEF19309F50052BE90DAA181EB785708CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E80D, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 193fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E82C

Part of subcall function 00404530: __EH_prolog3.LIBCMT ref: 00404537

__wgetenv.LIBCMT ref: 0040E872
_sprintf.LIBCMT ref: 0040E8AD
FindFirstFileA.KERNEL32(?,00000000,?,?,00000000), ref: 0040E8C0
_sprintf.LIBCMT ref: 0040E910

Part of subcall function 00463BC1: __output_l.LIBCMT ref: 00463C1C

_sprintf.LIBCMT ref: 0040E939

Part of subcall function 00463BC1: __flsbuf.LIBCMT ref: 00463C37

_sprintf.LIBCMT ref: 0040E948
PathMatchSpecA.SHLWAPI(?,00000010,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E957
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040E99F
CopyFileA.KERNEL32(?,00000000,00000001), ref: 0040EA06
FindNextFileA.KERNEL32(?,00000000,?,?,00000000), ref: 0040EA4A
FindClose.KERNEL32(?,?,?,00000000), ref: 0040EA5B

Strings

%s\*, xrefs: 0040E8A3
%s\%s, xrefs: 0040E903, 0040E90E, 0040E946

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _sprintf$FileFind$H_prolog3$CloseCopyCreateDirectoryFirstMatchNextPathSpec__flsbuf__output_l__wgetenv
String ID: %s\%s$%s\*
API String ID: 457607895-2848263008
Opcode ID: 9d91162c2fd2e9286ecf4ef0c568ac8d17a075e23d78d07dc0a1d4fa12a9e334
Instruction ID: 81f0bacfdca69da21938a0abc3f4a6c04b0aced4579add96136a46c516074d6b
Opcode Fuzzy Hash: 9d91162c2fd2e9286ecf4ef0c568ac8d17a075e23d78d07dc0a1d4fa12a9e334
Instruction Fuzzy Hash: 517162B2900248AFDB21EFA5DC45FDE376CEF48304F44452AF909A7191E7789714CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E623, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 154fileCOMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 0040E679
FindFirstFileA.KERNEL32(?,?,?,?,00000000), ref: 0040E68C
_sprintf.LIBCMT ref: 0040E6DD

Part of subcall function 00463BC1: __output_l.LIBCMT ref: 00463C1C

Part of subcall function 0040DE4C: __EH_prolog3.LIBCMT ref: 0040DE6B
Part of subcall function 0040DE4C: GetCurrentDirectoryA.KERNEL32(00000104,?,00000020), ref: 0040DE9A
Part of subcall function 0040DE4C: lstrcatA.KERNEL32(?,\temp), ref: 0040DEA9
Part of subcall function 0040DE4C: CopyFileA.KERNEL32(?,?,00000001), ref: 0040DEB6

Part of subcall function 0040A89E: GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040A8DE
Part of subcall function 0040A89E: lstrcatA.KERNEL32(?,\temp), ref: 0040A8F0
Part of subcall function 0040A89E: CopyFileA.KERNEL32(?,?,00000001), ref: 0040A900
Part of subcall function 0040A89E: _memset.LIBCMT ref: 0040A90E
Part of subcall function 0040A89E: _sprintf.LIBCMT ref: 0040A920
Part of subcall function 0040A89E: DeleteFileA.KERNEL32(?), ref: 0040A9CA

FindNextFileA.KERNEL32(?,?,00000104,00000000,?,?,00000000), ref: 0040E7DC
FindClose.KERNEL32(?,?,?,00000000), ref: 0040E7ED

Strings

%s\*, xrefs: 0040E670
%s\%s, xrefs: 0040E6D7
History, xrefs: 0040E746

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Find_sprintf$CopyCurrentDirectorylstrcat$CloseDeleteFirstH_prolog3Next__output_l_memset
String ID: %s\%s$%s\*$History
API String ID: 2764124315-2206966733
Opcode ID: 60a5564c4d7b52adc441f04f00e107e982142b75d8b39fc316fb5e32c4384147
Instruction ID: 8e97a62fd4d4f0e858b33d6fcc18a400879b78c38e1920006d8c5b11cff34186
Opcode Fuzzy Hash: 60a5564c4d7b52adc441f04f00e107e982142b75d8b39fc316fb5e32c4384147
Instruction Fuzzy Hash: CD512B72C0024EAEDF25AFA1DC45EDE7B7DEB08304F10482BE918B7191E73596159B58

Uniqueness

Uniqueness Score: -1.00%

Function 00424F72, Relevance: 13.2, APIs: 5, Strings: 2, Instructions: 903COMMON

Download Yara Rule

Strings

gH, xrefs: 004255FF
8/H, xrefs: 00425160

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8/H$gH
API String ID: 0-3368496611
Opcode ID: cdc127969d4fc3ceaadda649363de714e017542a2ae281ce29b0ae2abf3d97ca
Instruction ID: fed46913d3b35d1d05b2f4e22da6b06a846fee28eecd8a19c7b402406ced67ca
Opcode Fuzzy Hash: cdc127969d4fc3ceaadda649363de714e017542a2ae281ce29b0ae2abf3d97ca
Instruction Fuzzy Hash: 08723971F04655EACF12DF58E5403EE7FB0AF11340FA8844BE884A7352D2798E95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044E85B, Relevance: 9.5, Strings: 7, Instructions: 712COMMON

Download Yara Rule

Strings

integrity_check, xrefs: 0044E891
NULL value in %s.%s, xrefs: 0044EBD5
non-unique entry in index , xrefs: 0044EE56
*** in database %s ***, xrefs: 0044E9F6
missing from index , xrefs: 0044ED1C
wrong # of entries in index , xrefs: 0044EED0
row , xrefs: 0044ECF1

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: missing from index $*** in database %s ***$NULL value in %s.%s$integrity_check$non-unique entry in index $row $wrong # of entries in index
API String ID: 0-1643436090
Opcode ID: e1d68d268b4900250e7d3e47c5bb9ffcf414997289913c2069cd2c24c3c1e529
Instruction ID: b0a90f73a1de6fc37ae6dd795335e9fd805863b76aca31910a48c11e0c2bf1ef
Opcode Fuzzy Hash: e1d68d268b4900250e7d3e47c5bb9ffcf414997289913c2069cd2c24c3c1e529
Instruction Fuzzy Hash: 0F425170B40619AFEB11EB95CCC2FEEB7B5AF44704F14001AF614AB2C1D7B99E418B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C8, Relevance: 7.6, APIs: 5, Instructions: 98stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A408
CryptStringToBinaryA.CRYPT32(?,?,00000001,?,?,00000000,00000000), ref: 0040A42C
_memmove.LIBCMT ref: 0040A486
lstrcatA.KERNEL32(0048044C,0048044C), ref: 0040A49C
lstrcatA.KERNEL32(0048044C,0048044C), ref: 0040A4AE

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memmove_memset
String ID:
API String ID: 3096129145-0
Opcode ID: 10dbc838e9f5d349c976a305ce8c3a33fca2b745ff8fd839bea993db6f436b97
Instruction ID: 04a9f46ace3f3e53465158158cbb5a0e840195cdc65471e4ead58f89ab79fde0
Opcode Fuzzy Hash: 10dbc838e9f5d349c976a305ce8c3a33fca2b745ff8fd839bea993db6f436b97
Instruction Fuzzy Hash: 41315C719002199FDB11DFA5DC889EEBBBDEF18354F14003AF909E7241EB785909CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6DA, Relevance: 7.6, APIs: 5, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040A6E7

Part of subcall function 0046444E: __FF_MSGBANNER.LIBCMT ref: 00464467
Part of subcall function 0046444E: __NMSG_WRITE.LIBCMT ref: 0046446E
Part of subcall function 0046444E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00464493

_memmove.LIBCMT ref: 0040A6F2
_malloc.LIBCMT ref: 0040A6FE
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A717
_memmove.LIBCMT ref: 0040A72D

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _malloc_memmove$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 2315474888-0
Opcode ID: ff7cd9992bc790a57c88d5a63d3b6e457e42df5f26b2685429ade31182578046
Instruction ID: 263aa80153be7f1c8dd3e995182a9f3481f4774029727d9e352175f5e665719d
Opcode Fuzzy Hash: ff7cd9992bc790a57c88d5a63d3b6e457e42df5f26b2685429ade31182578046
Instruction Fuzzy Hash: 24F08177D002247B8B01AAEA8C45CEF7B7CEE85254B15447BF501A7241E674EA1187AA

Uniqueness

Uniqueness Score: -1.00%

Function 004560B3, Relevance: 6.1, Strings: 4, Instructions: 1127COMMON

Download Yara Rule

Strings

%d values for %d columns, xrefs: 0045659F
rows inserted, xrefs: 00456CDC
table %S has no column named %s, xrefs: 004564B4
table %S has %d columns but %d values were supplied, xrefs: 0045657F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %d values for %d columns$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-2709362559
Opcode ID: 0e5b7393dfcff36028891e4f3908deafcbede05f6fc638e649455383c40213b0
Instruction ID: f23e83a892efa5099dbbeb954274bde61d63f0a7b9fde050778f0c0acb1a7d08
Opcode Fuzzy Hash: 0e5b7393dfcff36028891e4f3908deafcbede05f6fc638e649455383c40213b0
Instruction Fuzzy Hash: A592B870600249AFDF15DF69C881AEA3BA1FF08309F55412AFD1597292D779EC89CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040A560, Relevance: 6.0, APIs: 4, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040A580
LocalAlloc.KERNEL32(00000040,?), ref: 0040A58E
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040A5A4
LocalFree.KERNEL32(?), ref: 0040A5B3

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 5cb71f8996b1e51d70ccae6a8e57cce57a824cc420f1fe0d7538dde116840175
Instruction ID: e12b27a9435c37edc3fb6111eb2d4ed8dbf863d19f1bce9a003fa53881d3e3db
Opcode Fuzzy Hash: 5cb71f8996b1e51d70ccae6a8e57cce57a824cc420f1fe0d7538dde116840175
Instruction Fuzzy Hash: D6012870101224FBDB214F56DC8CE8B7FBCEF4ABA1B110462F908A6250D3B08A50DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5C3, Relevance: 6.0, APIs: 4, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A5E6
LocalAlloc.KERNEL32(00000040,?), ref: 0040A5FE
_memmove.LIBCMT ref: 0040A613
LocalFree.KERNEL32(?), ref: 0040A61F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect_memmove
String ID:
API String ID: 3008826695-0
Opcode ID: 26f67c2e20673ab97bc4673ef5d82241727023e9a38ca8b04740d33aca57436f
Instruction ID: 3e784cfb351295053ea789c720b33c9f05c9473f0c42e95931f91e6890dce82a
Opcode Fuzzy Hash: 26f67c2e20673ab97bc4673ef5d82241727023e9a38ca8b04740d33aca57436f
Instruction Fuzzy Hash: 78014FB6900208AFCB009FE9DC4989EBBBDEF88210B184966F915E7254E77599508B54

Uniqueness

Uniqueness Score: -1.00%

Function 0043E09A, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0043E1CB
_memset.LIBCMT ref: 0043E363

Strings

:memory:, xrefs: 0043E0E5

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove_memset
String ID: :memory:
API String ID: 3555123492-2920599690
Opcode ID: 85216006d8843eabab1c8111ac19a1908a56f624e222632d396b1ee5f6272f1a
Instruction ID: 76e8a4374ec85b0c6ed1d8fc17926c95d86daf6acd7ac70f348a902379047de7
Opcode Fuzzy Hash: 85216006d8843eabab1c8111ac19a1908a56f624e222632d396b1ee5f6272f1a
Instruction Fuzzy Hash: 8C02AB70901205DFDB25DFA6C8456ABBBB1BF08304F2450AFE855AB392E779D940CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045E21E, Relevance: 4.6, APIs: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0045E228

Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0045DE9D
Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0045DECC

FindFirstFileW.KERNEL32(00000000,?,00000298,004100D8,?), ref: 0045E261
FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 0045E2F2

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharFileFindMultiWide$FirstH_prolog3_Next
String ID:
API String ID: 1519118924-0
Opcode ID: 72a63f26ee530362ff3b9cb40cca97e86dd2bebbf84479c14814f9c629f8d28d
Instruction ID: e21b198aabd6c5282072b6fda0f5484e052d324ac8c12cc13b64585a7814c9d6
Opcode Fuzzy Hash: 72a63f26ee530362ff3b9cb40cca97e86dd2bebbf84479c14814f9c629f8d28d
Instruction Fuzzy Hash: 92315EB1C002089FCB11DFA6C889ADEBBB8AF59304F00849FE419A7251DB785748CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00460D55, Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

ct_init: dist != 256, xrefs: 00460E5A
ct_init: 256+dist != 512, xrefs: 00460ED4
ct_init: length != 256, xrefs: 00460DE5

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ct_init: 256+dist != 512$ct_init: dist != 256$ct_init: length != 256
API String ID: 0-2704465662
Opcode ID: 5cc1e16c3e18baf8c5318db3784cc81ce413ce2e2095cc773d72f2aaec88a352
Instruction ID: 330605b1ce7d32cc4bfbeba138dd3ee0f55adc09d17bbc2d0a9050c84c36ae07
Opcode Fuzzy Hash: 5cc1e16c3e18baf8c5318db3784cc81ce413ce2e2095cc773d72f2aaec88a352
Instruction Fuzzy Hash: A961D772640605ABEB188F26C4416EB73A5EFC5319F10C93FE45ACB281EB78AA45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 004600DE, Relevance: 3.1, APIs: 2, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046013A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00460148

Part of subcall function 0045FA79: FileTimeToSystemTime.KERNEL32(?,?), ref: 0045FA99

Part of subcall function 0045FA57: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045FA73

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: 0caebe55ab26b58fbe38dd37b5852e904c6a433ca2b311843779d310a6ff524f
Instruction ID: 4f114fda251a1bdd5020f3ec4409ea9057cbf42d345166cc924a9658bf991e17
Opcode Fuzzy Hash: 0caebe55ab26b58fbe38dd37b5852e904c6a433ca2b311843779d310a6ff524f
Instruction Fuzzy Hash: D721C7B1900B499FCB25DF69C841AABBBF4FF0C304F10492EE59AD2610E779A944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A35A, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A37B
GetVersionExA.KERNEL32(?), ref: 0040A394

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: 61367a53cccef90d1a107c326ac187f3f30f6fcb2f440ff347c393e95cf141ae
Instruction ID: 442336f32e48f01c215f4542451caaf4eb4c0def3a18024eb14105ca670bb2e8
Opcode Fuzzy Hash: 61367a53cccef90d1a107c326ac187f3f30f6fcb2f440ff347c393e95cf141ae
Instruction Fuzzy Hash: 05F05471A501189EDF14DF74EC46FAD73F49B09705F5005BDA20ED72C2EA749A8C8B05

Uniqueness

Uniqueness Score: -1.00%

Function 0045AFDC, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0045B011

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5b1af8711d42eb053a8f3201d0d8150f4f9b2e6ec251c33f1bd673d037ed394f
Instruction ID: 66d5e0666ef42e8aeb27828ec0da93c7a1112009d5cb9a6d980516f01d22db58
Opcode Fuzzy Hash: 5b1af8711d42eb053a8f3201d0d8150f4f9b2e6ec251c33f1bd673d037ed394f
Instruction Fuzzy Hash: CCF0FF7150025D8BDB30DF68DC45BDDB7F8BB08309F00452ED459D7281EFB866488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045A544, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 0045A552

Part of subcall function 0045DDE3: __EH_prolog3_GS.LIBCMT ref: 0045DDED

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_InfoSystem
String ID:
API String ID: 2966166590-0
Opcode ID: 233830f8ed5ce8c43c5805943f3680eecafd198fb8f9bddc0c513d4480125826
Instruction ID: 64a513e424e79801a29eba7ed49c9a8ec66d562563ebbbc6ac77191ed2833ec8
Opcode Fuzzy Hash: 233830f8ed5ce8c43c5805943f3680eecafd198fb8f9bddc0c513d4480125826
Instruction Fuzzy Hash: 14D01731C0010EABCF00EFA5C846EDDBB78AB18309F008014EA00A2061D774E29DCB94

Uniqueness

Uniqueness Score: -1.00%

Function 004707D0, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0007078E), ref: 004707D5

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 82926748b780a881aa69f87b8c9f204e07d6cbbba1ac74db843bedcf62bc6ae8
Instruction ID: 98336bce427d61e839d2059ec29abb958e4d67e96ef1cdb3922e7e9386c877a2
Opcode Fuzzy Hash: 82926748b780a881aa69f87b8c9f204e07d6cbbba1ac74db843bedcf62bc6ae8
Instruction Fuzzy Hash: 6A900260252101964A141BB15D0964525985A5C60675146E16509C4095DB585080991A

Uniqueness

Uniqueness Score: -1.00%

Function 004222BC, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c0f7f1893f43993177ca0c522c8803af8cd0399e6ebfb10079c1bac3341c93
Instruction ID: 2a355046cc3474510153ca4457c75da31d8cd0cac5ca53eda76c01b2b283065d
Opcode Fuzzy Hash: e6c0f7f1893f43993177ca0c522c8803af8cd0399e6ebfb10079c1bac3341c93
Instruction Fuzzy Hash: 58D19B637182915FD71ACA38D9953BA3B93EFA2310F49C6AED4910B3C7C1BD8549C31A

Uniqueness

Uniqueness Score: -1.00%

Function 00474DF3, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 1159b461e241235975787461cb4dfa9a418b43b3eead9c9a475a082c94c3b16d
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: AFC1A433D4A9F2098B36452D08582BFEEA16ED1B4131FC396CCD83F68ED72A6D0595D8

Uniqueness

Uniqueness Score: -1.00%

Function 00474A55, Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: de8ca0a77f801cbae5e9b4b2800c3dd986c0e8b6c4c857b2c1d9f7e4cc1a9ee5
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 6FB1A333D4B4B2098776812D08582BFEE626ED1B4131FC396CCD83F68DD72AAD1596D8

Uniqueness

Uniqueness Score: -1.00%

Function 004121D5, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a672d3dac023a4d38920dd1066266ad25c595a87af01b34618c343f8d88aaa
Instruction ID: a0cbbf0053579e33b9489c72c1f05452384810a58388c769b84ca04407b0628f
Opcode Fuzzy Hash: 38a672d3dac023a4d38920dd1066266ad25c595a87af01b34618c343f8d88aaa
Instruction Fuzzy Hash: C351F5B1A006149BE71CCF2AC9252A9FFE2ABD1300B18C17ED4E6C7281C6B49646EB04

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF1C, Relevance: 73.8, APIs: 27, Strings: 15, Instructions: 298registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040EF3B
_memset.LIBCMT ref: 0040EF5B
_memset.LIBCMT ref: 0040EF7B
_memset.LIBCMT ref: 0040EF8F
_memset.LIBCMT ref: 0040EF9D
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040EFC9
RegGetValueW.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040EFEB
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040EFFD
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040F013
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040F024
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040F03A
RegEnumKeyExA.ADVAPI32 ref: 0040F057
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 0040F06D
_fprintf.LIBCMT ref: 0040F0C7
_fprintf.LIBCMT ref: 0040F0D2
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,?,00000001,00000000,passwords.txt), ref: 0040F0F7
_fprintf.LIBCMT ref: 0040F106
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?,?,?,?,00000001,00000000,passwords.txt), ref: 0040F132
_fprintf.LIBCMT ref: 0040F156
_fprintf.LIBCMT ref: 0040F171
_fprintf.LIBCMT ref: 0040F17E
RegGetValueA.ADVAPI32(?,?,UserName,00000002,00000000,?,?,?,?,?,?,00000001,00000000,passwords.txt), ref: 0040F1A2
_fprintf.LIBCMT ref: 0040F1B1
RegGetValueA.ADVAPI32(?,?,Password,00000002,00000000,00000001,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0040F1E3

Part of subcall function 0040EAA2: __EH_prolog3.LIBCMT ref: 0040EABB
Part of subcall function 0040EAA2: GetProcessHeap.KERNEL32(00000008,00000104,00000001,?,00000104,0000002C), ref: 0040EB27
Part of subcall function 0040EAA2: HeapAlloc.KERNEL32(00000000), ref: 0040EB2A
Part of subcall function 0040EAA2: GetProcessHeap.KERNEL32(00000000,?), ref: 0040EB40
Part of subcall function 0040EAA2: HeapFree.KERNEL32(00000000), ref: 0040EB43

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

_fprintf.LIBCMT ref: 0040F22E
RegEnumKeyExA.ADVAPI32 ref: 0040F255
RegCloseKey.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,00000001,00000000,passwords.txt), ref: 0040F282

Strings

PortNumber, xrefs: 0040F11C
:%s, xrefs: 0040F150
Security, xrefs: 0040EFE3
:22, xrefs: 0040F16B
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040F034
UserName, xrefs: 0040F193
HostName, xrefs: 0040F0E8
Password: %s, xrefs: 0040F228
Host: , xrefs: 0040F0CC
Soft: WinSCP, xrefs: 0040F0C1
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040EFBE
passwords.txt, xrefs: 0040F07A
UseMasterPassword, xrefs: 0040EFDE
Login: , xrefs: 0040F178
Password, xrefs: 0040F1D1

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$CloseValue$Heap_memset$EnumH_prolog3OpenProcess_memmove$AllocFree
String ID: Login: $Password: %s$:%s$:22$Host: $HostName$Password$PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 2505226420-1600676177
Opcode ID: d5b8aa724ac5df90f0cfc90c11792b5e02726a9dbc22b347187a88f567e8500d
Instruction ID: 8d23b757f4139698f5ba7683bbba7c10fc0f9bf0d80d43c652a0a5d8eb2186ac
Opcode Fuzzy Hash: d5b8aa724ac5df90f0cfc90c11792b5e02726a9dbc22b347187a88f567e8500d
Instruction Fuzzy Hash: 2BB12FB190424DAEEB21DFA0CC81EFE77BCFB04704F10053BF915A6191E7799A498B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9E8, Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 211COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,0040B384,?,?,?), ref: 0040AA26
__snprintf.LIBCMT ref: 0040AA3B
GetPrivateProfileSectionNamesA.KERNEL32 ref: 0040AA4D

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fseek.LIBCMT ref: 0040AAA4
_fseek.LIBCMT ref: 0040AAB4

Part of subcall function 00464A9F: __lock_file.LIBCMT ref: 00464AE0
Part of subcall function 00464A9F: __fseek_nolock.LIBCMT ref: 00464AF1

__fread_nolock.LIBCMT ref: 0040AACA
_fprintf.LIBCMT ref: 0040AB38
_fprintf.LIBCMT ref: 0040AB46
_fprintf.LIBCMT ref: 0040AB4D
_fprintf.LIBCMT ref: 0040AB5B
_fprintf.LIBCMT ref: 0040AB62
_fprintf.LIBCMT ref: 0040ABBA
_fprintf.LIBCMT ref: 0040ABC1
_fprintf.LIBCMT ref: 0040AC19
_fprintf.LIBCMT ref: 0040AC24

Strings

Login: %s, xrefs: 0040ABB4
Password: %s, xrefs: 0040AC13
Soft: %s, xrefs: 0040AB40
Host: %s, xrefs: 0040AB55
%s\Mozilla\Firefox\profiles.ini, xrefs: 0040AA33

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$_fseek$FolderNamesPathPrivateProfileSection__fread_nolock__fseek_nolock__fsopen__lock_file__snprintf
String ID: %s\Mozilla\Firefox\profiles.ini$Host: %s$Login: %s$Password: %s$Soft: %s
API String ID: 964051248-3857554549
Opcode ID: b54ed812edba857e78a654fdad548a553c9dc33e1c338555c636a6294297a9e3
Instruction ID: aac1e8511de5b2dfbe90a6a1175714df8f48ef441b9593d67d05952a011ef2a9
Opcode Fuzzy Hash: b54ed812edba857e78a654fdad548a553c9dc33e1c338555c636a6294297a9e3
Instruction Fuzzy Hash: C26132714046457BDF21AFB18C82EDE7BADAF45318F20052FF505A3283EB7D99448B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E403, Relevance: 35.2, APIs: 14, Strings: 6, Instructions: 173filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040E455
lstrcatA.KERNEL32(?,\temp), ref: 0040E467
CopyFileA.KERNEL32(?,?,00000001), ref: 0040E477
_memset.LIBCMT ref: 0040E484
_sprintf.LIBCMT ref: 0040E496
DeleteFileA.KERNEL32(?), ref: 0040E605

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fprintf.LIBCMT ref: 0040E538
_fprintf.LIBCMT ref: 0040E53F

Part of subcall function 0046327B: __lock_file.LIBCMT ref: 004632C2
Part of subcall function 0046327B: __stbuf.LIBCMT ref: 00463346
Part of subcall function 0046327B: __output_l.LIBCMT ref: 00463356
Part of subcall function 0046327B: __ftbuf.LIBCMT ref: 00463360

_fprintf.LIBCMT ref: 0040E54B
_fprintf.LIBCMT ref: 0040E552
_fprintf.LIBCMT ref: 0040E563
_fprintf.LIBCMT ref: 0040E56A

Part of subcall function 0040DD01: __EH_prolog3_GS.LIBCMT ref: 0040DD08
Part of subcall function 0040DD01: _memset.LIBCMT ref: 0040DD63
Part of subcall function 0040DD01: LocalAlloc.KERNEL32(00000040,?,00000000,?,?), ref: 0040DD9E

_fprintf.LIBCMT ref: 0040E5AE

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

_fprintf.LIBCMT ref: 0040E5CA

Strings

Year: , xrefs: 0040E55D
Month: , xrefs: 0040E545
Name: , xrefs: 0040E52F
Card: , xrefs: 0040E5A2
CC\%s_%s.txt, xrefs: 0040E490
\temp, xrefs: 0040E45B

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$File_memset$AllocCopyCurrentDeleteDirectoryH_prolog3_Local__fsopen__ftbuf__lock_file__output_l__stbuf_memmove_sprintflstrcat
String ID: CC\%s_%s.txt$Card: $Month: $Name: $Year: $\temp
API String ID: 3490499488-2265742005
Opcode ID: 6e1f2534476974ccb729b6f131a55b96c46cbb1b0d0ffb6e04afd1374d565adc
Instruction ID: d1f33be36e39effac637753185e27863f71088fa4b01c6f18b2454c85804a43d
Opcode Fuzzy Hash: 6e1f2534476974ccb729b6f131a55b96c46cbb1b0d0ffb6e04afd1374d565adc
Instruction Fuzzy Hash: 4D518272900258BADF21AFA1DC46FCE777CEF08304F20042BF914B7192EB799A448B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042487C, Relevance: 33.7, APIs: 7, Strings: 12, Instructions: 497COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00424957
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424991
_strncmp.LIBCMT ref: 00424C1C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424CBB
__allrem.LIBCMT ref: 00424CC6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424D35

Part of subcall function 00424731: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004247D5
Part of subcall function 00424731: __localtime64_s.LIBCMT ref: 004247F8

Strings

second, xrefs: 00424ABE
hour, xrefs: 00424A7B
minute, xrefs: 00424AA2
day, xrefs: 00424A53, 00424E38
localtime, xrefs: 00424BCC
weekday , xrefs: 00424C16
unixepoch, xrefs: 00424D0A
year, xrefs: 00424B56, 00424E12
month, xrefs: 00424ADF, 00424DEE
utc, xrefs: 00424D5C
start of , xrefs: 00424DC6
-, xrefs: 004249A9

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__localtime64_s_memset_strncmp
String ID: -$day$hour$localtime$minute$month$second$start of $unixepoch$utc$weekday $year
API String ID: 3149664924-3507268942
Opcode ID: dd94227042e4405bef1839b7596089624e953c9060055ca3cdbd28e8eefbc255
Instruction ID: 22379e70fce852762a282ff616c42e6e19c04eb11afbe9bdeead5e82dfeb8056
Opcode Fuzzy Hash: dd94227042e4405bef1839b7596089624e953c9060055ca3cdbd28e8eefbc255
Instruction Fuzzy Hash: 98021672E042289BEF14DF64E9407DD7BB4EF88324F6640ABE500BB291D7389D858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041097C, Relevance: 33.7, APIs: 9, Strings: 10, Instructions: 449fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041099B

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

__wgetenv.LIBCMT ref: 00410B36

Part of subcall function 00410374: _fprintf.LIBCMT ref: 0041065F
Part of subcall function 00410374: _fprintf.LIBCMT ref: 0041066F
Part of subcall function 00410374: _fprintf.LIBCMT ref: 00410774
Part of subcall function 00410374: _fprintf.LIBCMT ref: 00410787
Part of subcall function 00410374: _fprintf.LIBCMT ref: 004107AA
Part of subcall function 00410374: _fprintf.LIBCMT ref: 004107BB
Part of subcall function 00410374: _fprintf.LIBCMT ref: 004107DF
Part of subcall function 00410374: _fprintf.LIBCMT ref: 004107EB

Part of subcall function 0040F2B5: __EH_prolog3.LIBCMT ref: 0040F2D4
Part of subcall function 0040F2B5: _memset.LIBCMT ref: 0040F2FE
Part of subcall function 0040F2B5: lstrcatA.KERNEL32(?,?,?,0000001C,?,?,00000014), ref: 0040F31F
Part of subcall function 0040F2B5: _memset.LIBCMT ref: 0040F32A
Part of subcall function 0040F2B5: lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000014), ref: 0040F33D
Part of subcall function 0040F2B5: lstrcatA.KERNEL32(?,0048057C,?,?,?,?,?,00000014), ref: 0040F34B
Part of subcall function 0040F2B5: lstrcatA.KERNEL32(?,?,?,?,?,?,00000014), ref: 0040F35A

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00410EF7
_memset.LIBCMT ref: 00410F12
__wgetenv.LIBCMT ref: 00410A82

Part of subcall function 00463CEA: _strnlen.LIBCMT ref: 00463D1F
Part of subcall function 00463CEA: __lock.LIBCMT ref: 00463D30
Part of subcall function 00463CEA: __getenv_helper_nolock.LIBCMT ref: 00463D3D

__wgetenv.LIBCMT ref: 004109DD

Part of subcall function 00404530: __EH_prolog3.LIBCMT ref: 00404537

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Part of subcall function 00410374: __EH_prolog3_catch_GS.LIBCMT ref: 0041037E

__wgetenv.LIBCMT ref: 00410F1C
DeleteFileA.KERNEL32(0048158C), ref: 00410FBA
DeleteFileA.KERNEL32(00481588), ref: 00410FC1

Part of subcall function 00410057: __EH_prolog3.LIBCMT ref: 00410076
Part of subcall function 00410057: __wgetenv.LIBCMT ref: 00410082
Part of subcall function 00410057: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 0041012E
Part of subcall function 00410057: CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 00410165

Part of subcall function 0040A35A: _memset.LIBCMT ref: 0040A37B
Part of subcall function 0040A35A: GetVersionExA.KERNEL32(?), ref: 0040A394

Part of subcall function 0040DA1D: LoadLibraryA.KERNEL32(?,00000000), ref: 0040DA4E
Part of subcall function 0040DA1D: GetProcAddress.KERNEL32(00000000,004930CC), ref: 0040DA6F
Part of subcall function 0040DA1D: GetProcAddress.KERNEL32(00000000), ref: 0040DA7D
Part of subcall function 0040DA1D: GetProcAddress.KERNEL32(00000000), ref: 0040DA8B
Part of subcall function 0040DA1D: GetProcAddress.KERNEL32(00000000), ref: 0040DA99
Part of subcall function 0040DA1D: GetProcAddress.KERNEL32(00000000), ref: 0040DAA7

Strings

\Thunderbird\Profiles\, xrefs: 00410EC2
*.txt, xrefs: 00410A4E, 00410B9A
*.cookie, xrefs: 00410AF3
APPDATA, xrefs: 004109D8, 00410F17
D877F783D5D3EF8C*, xrefs: 00410F7B
LOCALAPPDATA, xrefs: 00410A7D, 00410B31
key_datas, xrefs: 00410F63
\Telegram Desktop\, xrefs: 00410F58
Thunderbird, xrefs: 00410EBD
map*, xrefs: 00410F8D

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$AddressProc__wgetenv$H_prolog3_memsetlstrcat$CreateDirectory$DeleteFile_memmove$H_prolog3_catch_LibraryLoadVersion__fsopen__getenv_helper_nolock__lock_strnlen
String ID: *.cookie$*.txt$APPDATA$D877F783D5D3EF8C*$LOCALAPPDATA$Thunderbird$\Telegram Desktop\$\Thunderbird\Profiles\$key_datas$map*
API String ID: 3974311532-2658590742
Opcode ID: a799eb917382dde263472bed8e4bc49af91482eb34e9d4cfe75c2fbe196f0bef
Instruction ID: adc501cbe8f01ae85c1579b1cf17041966ab74ebbe9ef1f179968295c197226f
Opcode Fuzzy Hash: a799eb917382dde263472bed8e4bc49af91482eb34e9d4cfe75c2fbe196f0bef
Instruction Fuzzy Hash: 5AF1D230500645AFCF02BF66DC1AAAD3F66EB94308B24407FF801262F1DB7A5A54DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E14D, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 228stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040E19F
lstrcatA.KERNEL32(?,\temp), ref: 0040E1B4
CopyFileA.KERNEL32(?,?,00000001), ref: 0040E1BD
_memset.LIBCMT ref: 0040E1CD
lstrcatA.KERNEL32(?), ref: 0040E1E2
lstrcatA.KERNEL32(?,0048057C), ref: 0040E1F0
lstrcatA.KERNEL32(?,?), ref: 0040E1FC
lstrcatA.KERNEL32(?,0048133C), ref: 0040E20A
lstrcatA.KERNEL32(?,?), ref: 0040E216
lstrcatA.KERNEL32(?,.txt), ref: 0040E224
DeleteFileA.KERNEL32(?), ref: 0040E3E5

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

lstrcatA.KERNEL32(?), ref: 0040E303
lstrcatA.KERNEL32(?), ref: 0040E32D
lstrcatA.KERNEL32(?,00481028), ref: 0040E342
_fprintf.LIBCMT ref: 0040E391
_fprintf.LIBCMT ref: 0040E3AD

Strings

%s%s%s%s%s%s%s, xrefs: 0040E389
.txt, xrefs: 0040E218
\temp, xrefs: 0040E1AB

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset
String ID: %s%s%s%s%s%s%s$.txt$\temp
API String ID: 1987428508-1558371589
Opcode ID: d1b91e926a4152068f8cf8c83855288a78cf14f4b390e543ead063f8c7934764
Instruction ID: 7ee186fbf0e7de05126c15cd0798bd0ad2bc2596db5599a7d299efd0dce24834
Opcode Fuzzy Hash: d1b91e926a4152068f8cf8c83855288a78cf14f4b390e543ead063f8c7934764
Instruction Fuzzy Hash: 07717371D00248ABEF21AFE5DC45FDD7BB9EF08314F10042BF904AB1A1EB759A549B18

Uniqueness

Uniqueness Score: -1.00%

Function 00410374, Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 413COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041037E

Part of subcall function 00407E88: __EH_prolog3.LIBCMT ref: 00407E8F

Part of subcall function 0045E21E: __EH_prolog3_GS.LIBCMT ref: 0045E228
Part of subcall function 0045E21E: FindFirstFileW.KERNEL32(00000000,?,00000298,004100D8,?), ref: 0045E261
Part of subcall function 0045E21E: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 0045E2F2

Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0045DE9D
Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0045DECC

Part of subcall function 0040295F: std::_Xinvalid_argument.LIBCPMT ref: 00402979

_fprintf.LIBCMT ref: 0041065F
_fprintf.LIBCMT ref: 0041066F
_fprintf.LIBCMT ref: 004106D2
_fprintf.LIBCMT ref: 004106E2
_fprintf.LIBCMT ref: 00410725
_fprintf.LIBCMT ref: 00410754
_fprintf.LIBCMT ref: 00410764
_fprintf.LIBCMT ref: 00410774
_fprintf.LIBCMT ref: 00410787
_fprintf.LIBCMT ref: 004107AA
_fprintf.LIBCMT ref: 004107BB
_fprintf.LIBCMT ref: 004107DF
_fprintf.LIBCMT ref: 004107EB
_fprintf.LIBCMT ref: 00410814
_fprintf.LIBCMT ref: 00410824

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Strings

FALSE, xrefs: 00410664, 004106D7, 00410759, 0041077C

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fprintf$ByteCharFileFindMultiWide_memmove$FirstH_prolog3H_prolog3_H_prolog3_catch_NextXinvalid_argumentstd::_
String ID: FALSE
API String ID: 1663285408-4287395501
Opcode ID: 5c570509e11eac05ccc5bacbcdad71b2357f976fb49ffd69659bc8f201e1adbc
Instruction ID: 160393b3be7ecfbe76fd010a3d71ac95627fde56fa8d125ba851844e90f03154
Opcode Fuzzy Hash: 5c570509e11eac05ccc5bacbcdad71b2357f976fb49ffd69659bc8f201e1adbc
Instruction Fuzzy Hash: 9FF12971800258AADB25EB65DD91FEEBB78BB15304F1040EFF40AB2191DB781E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAC4, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0041CB1F
__fprintf_l.LIBCMT ref: 0041CB8D
__fprintf_l.LIBCMT ref: 0041CBBE
_memmove.LIBCMT ref: 0041CC64
__fprintf_l.LIBCMT ref: 0041CCEB

Strings

NULL, xrefs: 0041CCC8
vtab:%p:%p, xrefs: 0041CCE4
program, xrefs: 0041CB2C
intarray, xrefs: 0041CB18
k(%d, xrefs: 0041CBB7
BINARY, xrefs: 0041CC18
(%.20s), xrefs: 0041CB86
%lld, xrefs: 0041CB04
%s(%d), xrefs: 0041CBA4
%.16g, xrefs: 0041CB3D
eH, xrefs: 0041CBFB

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: %.16g$%lld$%s(%d)$(%.20s)$BINARY$NULL$intarray$k(%d$program$vtab:%p:%p$eH
API String ID: 3461008893-666948024
Opcode ID: 84373050a8f826af1c429a31e31714f4353fe445f0c07221d984275648ed9dd7
Instruction ID: 052078f03bf2be5bf0a4af32b947aebde7cf9cb74fce9977372ddfee7e98d658
Opcode Fuzzy Hash: 84373050a8f826af1c429a31e31714f4353fe445f0c07221d984275648ed9dd7
Instruction Fuzzy Hash: B961C270944204AFCB149F58DCC1ABEB7B0FF05314F25458BE816AB2A1E3789D81CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042CA86, Relevance: 28.2, APIs: 4, Strings: 12, Instructions: 177COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042CB72
__fprintf_l.LIBCMT ref: 0042CB8D
__fprintf_l.LIBCMT ref: 0042CC06
__fprintf_l.LIBCMT ref: 0042CC8E

Strings

USING , xrefs: 0042CBEB
TABLE %s, xrefs: 0042CB68
(rowid>? AND rowid<?), xrefs: 0042CC3B
(rowid>?), xrefs: 0042CC42
SCAN, xrefs: 0042CB43
(rowid=?), xrefs: 0042CC2E
SEARCH, xrefs: 0042CB3C
(rowid<?), xrefs: 0042CC4C
SUBQUERY %d, xrefs: 0042CB5E
AS %s, xrefs: 0042CB82
USING INTEGER PRIMARY KEY , xrefs: 0042CC51
VIRTUAL TABLE INDEX %d:%s, xrefs: 0042CC86

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l
String ID: AS %s$ SUBQUERY %d$ TABLE %s$ USING $ USING INTEGER PRIMARY KEY $ VIRTUAL TABLE INDEX %d:%s$(rowid<?)$(rowid=?)$(rowid>? AND rowid<?)$(rowid>?)$SCAN$SEARCH
API String ID: 3906573944-257182156
Opcode ID: b05fbb334fdb4ad1a130a5deb6096730ddd0908c8c8f3d33013792d2cc96a44b
Instruction ID: 52d43b1517bebc172bde747c97a8cced08b70fe2ca49c6614b52134285230b83
Opcode Fuzzy Hash: b05fbb334fdb4ad1a130a5deb6096730ddd0908c8c8f3d33013792d2cc96a44b
Instruction Fuzzy Hash: 06610271E00318ABDB10DF95E885BDEBBB4AF08324FA4845BE90577281E33CA944CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC74, Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 170stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040ACB7
lstrcatA.KERNEL32(?,\temp), ref: 0040ACCF
CopyFileA.KERNEL32(?,?,00000001), ref: 0040ACDB
_memset.LIBCMT ref: 0040ACE8
_sprintf.LIBCMT ref: 0040ACFC
DeleteFileA.KERNEL32(?), ref: 0040AE75

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

lstrcatA.KERNEL32(?,FALSE), ref: 0040ADE7
lstrcatA.KERNEL32(?,FALSE), ref: 0040AE0E
_fprintf.LIBCMT ref: 0040AE2D
_fprintf.LIBCMT ref: 0040AE3A

Strings

Cookies\%s_%s.txt, xrefs: 0040ACF6
TRUE, xrefs: 0040ADD5, 0040ADFE
%s%s%s%s%s%s%s, xrefs: 0040AE25
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies, xrefs: 0040AD23
FALSE, xrefs: 0040ADDC, 0040AE05
\temp, xrefs: 0040ACC3

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintf
String ID: %s%s%s%s%s%s%s$Cookies\%s_%s.txt$FALSE$SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies$TRUE$\temp
API String ID: 3460225999-2261803944
Opcode ID: ad1550930950e9c3f433fde13ad41dbbd54cea4397e031db4896cfcf4ffcdbce
Instruction ID: 2370f80172b9f4fc57a2b3b83b8600c5acb249948f9d267cc168527fb8189096
Opcode Fuzzy Hash: ad1550930950e9c3f433fde13ad41dbbd54cea4397e031db4896cfcf4ffcdbce
Instruction Fuzzy Hash: 90518F72D00308AADF21AFE1DC45FCEB7B9AF08304F20442BF514BB1A1E7798A559B19

Uniqueness

Uniqueness Score: -1.00%

Function 0045AC12, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 185registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0045AC34

Part of subcall function 0040D576: __EH_prolog3.LIBCMT ref: 0040D57D

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000001,00000000,00000000,00000003,00000001,0048044C,00000000,000000CC), ref: 0045ACB7
RegEnumKeyExA.ADVAPI32 ref: 0045AD00
wsprintfA.USER32 ref: 0045AD27
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 0045AD3F
RegCloseKey.ADVAPI32(?), ref: 0045AD4E
RegCloseKey.ADVAPI32(?), ref: 0045AD53

Part of subcall function 0040D5E0: __EH_prolog3.LIBCMT ref: 0040D5E7

Strings

DisplayVersion, xrefs: 0045ADA8
%s\%s, xrefs: 0045AD21
DisplayName, xrefs: 0045AD6A
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0045AC94, 0045AC99, 0045AD18, 0045AD1D

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseH_prolog3Open$EnumH_prolog3_catch_memmovewsprintf
String ID: %s\%s$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 951852247-3586320934
Opcode ID: ba2aebf8cf5025cd5691ec50b627cbf232c94306e29c4de7151e41ea43ac0afc
Instruction ID: 94bc10612ba53f32fed42edd65a8ce6a163605ea9226ebf2089eb939fd794d26
Opcode Fuzzy Hash: ba2aebf8cf5025cd5691ec50b627cbf232c94306e29c4de7151e41ea43ac0afc
Instruction Fuzzy Hash: 506151B190025CAFDB10EF91DC85EEEBBBCEF08304F10416BE905B7141DB785A498BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040818A, Relevance: 23.2, APIs: 4, Strings: 9, Instructions: 411fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004081A9
__wgetenv.LIBCMT ref: 004081BD

Part of subcall function 00407E88: __EH_prolog3.LIBCMT ref: 00407E8F

Part of subcall function 0045E21E: __EH_prolog3_GS.LIBCMT ref: 0045E228
Part of subcall function 0045E21E: FindFirstFileW.KERNEL32(00000000,?,00000298,004100D8,?), ref: 0045E261
Part of subcall function 0045E21E: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 0045E2F2

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0045DA92
Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0045DAB5

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000), ref: 004084BC
CopyFileW.KERNEL32(00000000,00000000,00000001), ref: 004085D4

Strings

APPDATA, xrefs: 004081B1
banlist, xrefs: 0040834D
mempool, xrefs: 00408335
fee_estimates, xrefs: 00408302
mnpayments, xrefs: 00408395
peers, xrefs: 0040831D
mncache, xrefs: 0040837D
governance, xrefs: 00408365
netfulfilled, xrefs: 004083AD

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ByteCharFindH_prolog3MultiWide_memmove$CopyCreateDirectoryFirstH_prolog3_Next__wgetenv
String ID: APPDATA$banlist$fee_estimates$governance$mempool$mncache$mnpayments$netfulfilled$peers
API String ID: 1477989549-1297871447
Opcode ID: 0319da1e99ef8c5b9b5550094e45f239ab1a093cbed9dc42d33167b290b314e1
Instruction ID: 47ee3bfdfaf95dee31b2ca31cbdce534d547b941163bc313f4166d16d1ddf11b
Opcode Fuzzy Hash: 0319da1e99ef8c5b9b5550094e45f239ab1a093cbed9dc42d33167b290b314e1
Instruction Fuzzy Hash: 9EF16EB240118CAEDB25EF94CD85EEF776CEF55308F10056ABC05A6182DA785B08CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 004086E1, Relevance: 23.2, APIs: 4, Strings: 9, Instructions: 411fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408700
__wgetenv.LIBCMT ref: 00408714

Part of subcall function 00407E88: __EH_prolog3.LIBCMT ref: 00407E8F

Part of subcall function 0045E21E: __EH_prolog3_GS.LIBCMT ref: 0045E228
Part of subcall function 0045E21E: FindFirstFileW.KERNEL32(00000000,?,00000298,004100D8,?), ref: 0045E261
Part of subcall function 0045E21E: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 0045E2F2

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0045DA92
Part of subcall function 0045DA61: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0045DAB5

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000), ref: 00408A13
CopyFileW.KERNEL32(00000000,00000000,00000001), ref: 00408B2B

Strings

banlist, xrefs: 004088A4
LOCALAPPDATA, xrefs: 00408708
mempool, xrefs: 0040888C
fee_estimates, xrefs: 00408859
mnpayments, xrefs: 004088EC
peers, xrefs: 00408874
mncache, xrefs: 004088D4
governance, xrefs: 004088BC
netfulfilled, xrefs: 00408904

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ByteCharFindH_prolog3MultiWide_memmove$CopyCreateDirectoryFirstH_prolog3_Next__wgetenv
String ID: LOCALAPPDATA$banlist$fee_estimates$governance$mempool$mncache$mnpayments$netfulfilled$peers
API String ID: 1477989549-2646380060
Opcode ID: a1595d5b967d1190a7ea27ed29d840ab24090a9840cbadbf1eeecaf2ecaab477
Instruction ID: ceca7c3dd8b4fcfa4f8031b91fbfe1d0e4b3718c255e8ebb3ec64e6c1670e89a
Opcode Fuzzy Hash: a1595d5b967d1190a7ea27ed29d840ab24090a9840cbadbf1eeecaf2ecaab477
Instruction Fuzzy Hash: 10F160B240118CAEDB25EF95CD85EEF776CEF55308F10416EB809B6182DA785B08CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0043C30E, Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 360COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0043C69F

Strings

mode, xrefs: 0043C5C8
invalid uri authority: %.*s, xrefs: 0043C3E0
file:, xrefs: 0043C34F
<DI, xrefs: 0043C5B7
vfs, xrefs: 0043C575
no such %s mode: %s, xrefs: 0043C627
localhost, xrefs: 0043C3CD
cache, xrefs: 0043C59B
no such vfs: %s, xrefs: 0043C6C8
%s mode not allowed: %s, xrefs: 0043C66D
TDI, xrefs: 0043C5E0

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: %s mode not allowed: %s$<DI$TDI$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
API String ID: 4104443479-3547166450
Opcode ID: cb1df5cedba0dd23c3811e488255bbc8cf3c366387c22489168a63f80e5f5e25
Instruction ID: 6196a1f221fef78cfb53a55fb09839d195ca825daedbd6ff03e6f924c9fad5db
Opcode Fuzzy Hash: cb1df5cedba0dd23c3811e488255bbc8cf3c366387c22489168a63f80e5f5e25
Instruction Fuzzy Hash: 02C10571D042199BCF24CF68C4D13EEBBA1AF5D314F24A06BE855BB341D7389D828B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042A5ED, Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 269COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042A6D5
__fprintf_l.LIBCMT ref: 0042A806
_memmove.LIBCMT ref: 0042A8B0

Strings

not authorized, xrefs: 0042A62A
no entry point [%s] in shared library [%s], xrefs: 0042A7FF
sqlite3_, xrefs: 0042A744
%s.%s, xrefs: 0042A676
unable to open shared library [%s], xrefs: 0042A6CE
;I, xrefs: 0042A66E, 0042A671
lib, xrefs: 0042A769
_init, xrefs: 0042A7BC
error during initialization: %s, xrefs: 0042A859

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$unable to open shared library [%s]$;I
API String ID: 3461008893-4202003194
Opcode ID: 62b4055d6975a8f7044ca76b2afe09c113ede8e3ce0156bc97d8a5df7d76c365
Instruction ID: cf60e0ea8c1892f350a7cb8d9d22dad065129973c89f3ec499d9de8f9caba553
Opcode Fuzzy Hash: 62b4055d6975a8f7044ca76b2afe09c113ede8e3ce0156bc97d8a5df7d76c365
Instruction Fuzzy Hash: 5591D171A00215AFCF11AF64E845AAEBBB8EF44304F64446AEC45EB301D738DE51CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFD0, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040B010
lstrcatA.KERNEL32(?,\temp), ref: 0040B022
CopyFileA.KERNEL32(?,?,00000001), ref: 0040B032
_memset.LIBCMT ref: 0040B040
_sprintf.LIBCMT ref: 0040B052
DeleteFileA.KERNEL32(?), ref: 0040B10B

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fprintf.LIBCMT ref: 0040B0CB
_fprintf.LIBCMT ref: 0040B0D6

Strings

%s%s, xrefs: 0040B0C5
SELECT fieldname, value FROM moz_formhistory, xrefs: 0040B079
\temp, xrefs: 0040B016
Autofill\%s_%s.txt, xrefs: 0040B04C

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
String ID: %s%s$Autofill\%s_%s.txt$SELECT fieldname, value FROM moz_formhistory$\temp
API String ID: 2288810340-1758122038
Opcode ID: 81c641c1455f3423bea99d25068f9d223a6dd7bec8943186338336a13031a04c
Instruction ID: 85b1e6ff657a4abb66ebb3e533504039c512cb07d18c21fc2d3f24b21ad34c44
Opcode Fuzzy Hash: 81c641c1455f3423bea99d25068f9d223a6dd7bec8943186338336a13031a04c
Instruction Fuzzy Hash: C4319572900148AEDF30ABB1DC46EDE777CEF09304F20052FF619A7052EB799A458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410057, Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 240fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410076
__wgetenv.LIBCMT ref: 00410082

Part of subcall function 00404530: __EH_prolog3.LIBCMT ref: 00404537

Part of subcall function 0045E21E: __EH_prolog3_GS.LIBCMT ref: 0045E228
Part of subcall function 0045E21E: FindFirstFileW.KERNEL32(00000000,?,00000298,004100D8,?), ref: 0045E261
Part of subcall function 0045E21E: FindNextFileW.KERNEL32(?,?,00000001,00000000,?,?,00000001,00000000), ref: 0045E2F2

CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?), ref: 0041012E
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000001,00000000,?,?,?), ref: 00410165

Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0045DE9D
Part of subcall function 0045DE6E: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0045DECC

CopyFileW.KERNEL32(00000000,?,00000001), ref: 00410294

Strings

APPDATA, xrefs: 0041007B
files\Soft\Authy, xrefs: 0041017A
\Authy Desktop\Local Storage\*.localstorage, xrefs: 004100B4
\Authy Desktop\Local Storage\, xrefs: 0041023A
\files\Soft\Authy, xrefs: 00410144
\files\Soft, xrefs: 00410109

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ByteCharCreateDirectoryFindH_prolog3MultiWide$CopyFirstH_prolog3_Next__wgetenv
String ID: APPDATA$\Authy Desktop\Local Storage\$\Authy Desktop\Local Storage\*.localstorage$\files\Soft$\files\Soft\Authy$files\Soft\Authy
API String ID: 2019322786-2614104896
Opcode ID: a9a26505aebade2ec1da760a9edaa1ec1fb9fa8cb8015658df596ff96cb8a612
Instruction ID: 17a88d21d00847be3d9d7335a5e753c05019c52aa5945d1e7aeb432fde3dd487
Opcode Fuzzy Hash: a9a26505aebade2ec1da760a9edaa1ec1fb9fa8cb8015658df596ff96cb8a612
Instruction Fuzzy Hash: F8915CB1800148AFDB24EFA5DD45FEE77BCAF15308F00016EF809A7181EA785B08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A743, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 112filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040A783
lstrcatA.KERNEL32(?,\temp), ref: 0040A795
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A7A5
_memset.LIBCMT ref: 0040A7B3
_sprintf.LIBCMT ref: 0040A7C5
DeleteFileA.KERNEL32(?), ref: 0040A880

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fprintf.LIBCMT ref: 0040A840
_fprintf.LIBCMT ref: 0040A84B

Strings

%s%s, xrefs: 0040A83A
\temp, xrefs: 0040A789
Autofill\%s_%s.txt, xrefs: 0040A7BF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
String ID: %s%s$Autofill\%s_%s.txt$\temp
API String ID: 2288810340-2986410175
Opcode ID: 2ca696744b0046920ffbee390d977f2b7d9ea85c263d5c850ba429472387b715
Instruction ID: bb38b418e945e0ff56199349516b34f55544d66a704b934aec0e76dd2595a08a
Opcode Fuzzy Hash: 2ca696744b0046920ffbee390d977f2b7d9ea85c263d5c850ba429472387b715
Instruction Fuzzy Hash: 6231B672900148AFEF30ABB2DC45EDE776CEF09314F10053FF519A7052EA799A458B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A89E, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040A8DE
lstrcatA.KERNEL32(?,\temp), ref: 0040A8F0
CopyFileA.KERNEL32(?,?,00000001), ref: 0040A900
_memset.LIBCMT ref: 0040A90E
_sprintf.LIBCMT ref: 0040A920
DeleteFileA.KERNEL32(?), ref: 0040A9CA

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fprintf.LIBCMT ref: 0040A995

Strings

%s, xrefs: 0040A98F
History\%s_%s.txt, xrefs: 0040A91A
SELECT url FROM urls, xrefs: 0040A947
\temp, xrefs: 0040A8E4

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
String ID: %s$History\%s_%s.txt$SELECT url FROM urls$\temp
API String ID: 440339207-2199967400
Opcode ID: 1a74ab875a09da761327855cac0035746f0dd669ca2336daf0bf6eb494a980ef
Instruction ID: 695248ca6aeb91539ada557e5687665eacbb8784ed00c79b8c31a704e6a6bbba
Opcode Fuzzy Hash: 1a74ab875a09da761327855cac0035746f0dd669ca2336daf0bf6eb494a980ef
Instruction Fuzzy Hash: 273192B2900108AFEF30ABB1DC45EDE776CEF09314F20053FF519A6052EA3996558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE93, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103filestringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00480644,?,?), ref: 0040AED3
lstrcatA.KERNEL32(?,\temp), ref: 0040AEE5
CopyFileA.KERNEL32(?,?,00000001), ref: 0040AEF5
_memset.LIBCMT ref: 0040AF03
_sprintf.LIBCMT ref: 0040AF15
DeleteFileA.KERNEL32(?), ref: 0040AFB2

Part of subcall function 0046459E: __fsopen.LIBCMT ref: 004645AB

_fprintf.LIBCMT ref: 0040AF7D

Strings

%s, xrefs: 0040AF77
History\%s_%s.txt, xrefs: 0040AF0F
\temp, xrefs: 0040AED9
SELECT url FROM moz_places, xrefs: 0040AF38

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
String ID: %s$History\%s_%s.txt$SELECT url FROM moz_places$\temp
API String ID: 440339207-2547735589
Opcode ID: c41489985d6825a7793078dca2ae0a53592c57e96611a3529aaa25b491d97c0f
Instruction ID: 551da370a6c3895fbe52cc6fd5d2bf4c10988799be7cd255e173042015da883c
Opcode Fuzzy Hash: c41489985d6825a7793078dca2ae0a53592c57e96611a3529aaa25b491d97c0f
Instruction Fuzzy Hash: 8F3192B2900108AEDB31ABB1DC45EDE776CEF09308F20042FF519A6052EA389A548B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C260, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C267
std::_Lockit::_Lockit.LIBCPMT ref: 0040C271
int.LIBCPMT ref: 0040C288

Part of subcall function 0040A1B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040A1C9

std::locale::_Getfacet.LIBCPMT ref: 0040C291
ctype.LIBCPMT ref: 0040C2AB
std::bad_exception::bad_exception.LIBCMT ref: 0040C2BF
__CxxThrowException@8.LIBCMT ref: 0040C2CD
std::locale::facet::_Incref.LIBCPMT ref: 0040C2DD
std::locale::facet::_Facet_Register.LIBCPMT ref: 0040C2E3

Strings

4tI, xrefs: 0040C280
bad cast, xrefs: 0040C2B7

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: 4tI$bad cast
API String ID: 2043575007-1105523093
Opcode ID: 34910971202a0f911cd4e3a4a868961ec90156b4488731d06dc82d931b1d7a8e
Instruction ID: 80e142984b791b55f481308cd5f08bb56737fda278de587863664bf203c34890
Opcode Fuzzy Hash: 34910971202a0f911cd4e3a4a868961ec90156b4488731d06dc82d931b1d7a8e
Instruction Fuzzy Hash: AA01A131900215D7CF00FBA1C942AEE7325AF40724F64422FE5147B2D1DF7C9A05979E

Uniqueness

Uniqueness Score: -1.00%

Function 0045C555, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045C55C
std::_Lockit::_Lockit.LIBCPMT ref: 0045C566
int.LIBCPMT ref: 0045C57D

Part of subcall function 0040A1B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040A1C9

std::locale::_Getfacet.LIBCPMT ref: 0045C586
codecvt.LIBCPMT ref: 0045C5A0
std::bad_exception::bad_exception.LIBCMT ref: 0045C5B4
__CxxThrowException@8.LIBCMT ref: 0045C5C2
std::locale::facet::_Incref.LIBCPMT ref: 0045C5D2
std::locale::facet::_Facet_Register.LIBCPMT ref: 0045C5D8

Strings

deI, xrefs: 0045C575
bad cast, xrefs: 0045C5AC

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast$deI
API String ID: 1335069804-4049518467
Opcode ID: 7673a82c37143d513500e728492fe19e94360a531f719296935d811584764430
Instruction ID: c229b1cd2eea0bcb6e3ad7d11ac47ff8914101869a00a8bfed682a1f46428f92
Opcode Fuzzy Hash: 7673a82c37143d513500e728492fe19e94360a531f719296935d811584764430
Instruction Fuzzy Hash: 4701A131900319ABCB00FFB58842AED7325AB40725F25852FE8147B2D1EF7CAA059B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6F8, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C6FF
std::_Lockit::_Lockit.LIBCPMT ref: 0040C709
int.LIBCPMT ref: 0040C720

Part of subcall function 0040A1B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040A1C9

std::locale::_Getfacet.LIBCPMT ref: 0040C729
messages.LIBCPMT ref: 0040C743
std::bad_exception::bad_exception.LIBCMT ref: 0040C757
__CxxThrowException@8.LIBCMT ref: 0040C765
std::locale::facet::_Incref.LIBCPMT ref: 0040C775
std::locale::facet::_Facet_Register.LIBCPMT ref: 0040C77B

Strings

\`I, xrefs: 0040C718
bad cast, xrefs: 0040C74F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrowmessagesstd::bad_exception::bad_exceptionstd::locale::_
String ID: \`I$bad cast
API String ID: 2153951062-1905613866
Opcode ID: 5869d3976c7d74776ef44762cb8b993a73656a97898ebc0ad219b47d3e357e72
Instruction ID: d7f50fd8f6f81d929c6ed8a7588abcaf2a8ae55eb63c9cc60d954824e8373eca
Opcode Fuzzy Hash: 5869d3976c7d74776ef44762cb8b993a73656a97898ebc0ad219b47d3e357e72
Instruction Fuzzy Hash: E201613190021597CB01FBB1C882AED73256B40724F65463FE5257B2D1DF7C9A069B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0045C6BB, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045C6C2
std::_Lockit::_Lockit.LIBCPMT ref: 0045C6CC
int.LIBCPMT ref: 0045C6E3

Part of subcall function 0040A1B8: std::_Lockit::_Lockit.LIBCPMT ref: 0040A1C9

std::locale::_Getfacet.LIBCPMT ref: 0045C6EC
numpunct.LIBCPMT ref: 0045C706
std::bad_exception::bad_exception.LIBCMT ref: 0045C71A
__CxxThrowException@8.LIBCMT ref: 0045C728
std::locale::facet::_Incref.LIBCPMT ref: 0045C738
std::locale::facet::_Facet_Register.LIBCPMT ref: 0045C73E

Strings

heI, xrefs: 0045C6DB
bad cast, xrefs: 0045C712

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_GetfacetH_prolog3IncrefRegisterThrownumpunctstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast$heI
API String ID: 2348202366-4165224167
Opcode ID: 107be3f1529158f635b292e261d7161cf7cdf149bd7bedd88b9399ed22c06d63
Instruction ID: 64d0f7ba726863280dd43fa2694720d9febabb9b4086efd321d93543d3f2874f
Opcode Fuzzy Hash: 107be3f1529158f635b292e261d7161cf7cdf149bd7bedd88b9399ed22c06d63
Instruction Fuzzy Hash: 7901A131900219ABCB01FFA58882AED7324AB44769F25412FE4117B2D2EF7C9A05D75E

Uniqueness

Uniqueness Score: -1.00%

Function 0042660A, Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00419DA5: _memset.LIBCMT ref: 00419DC2

__fprintf_l.LIBCMT ref: 004266A1
__fprintf_l.LIBCMT ref: 0042671D
__fprintf_l.LIBCMT ref: 00426796
__fprintf_l.LIBCMT ref: 00426826

Strings

winGetTempname4, xrefs: 0042680D
winGetTempname2, xrefs: 0042676A
winGetTempname3, xrefs: 004266FE
etilqs_, xrefs: 00426613, 00426817
winGetTempname1, xrefs: 00426682
winGetTempname5, xrefs: 004267F6

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l$_memset
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname3$winGetTempname4$winGetTempname5
API String ID: 639243752-3409217566
Opcode ID: 69e1510c563a994ecc3c1722008e04c48c972127c64e5f3099033c636e2085a1
Instruction ID: 1053a48bc4330ec6c7f55882d81d2059b77b31fbb75f973a0b40fe7f022e7dc9
Opcode Fuzzy Hash: 69e1510c563a994ecc3c1722008e04c48c972127c64e5f3099033c636e2085a1
Instruction Fuzzy Hash: 5F612671705211AED7057F29AC51ABE3BA9DF80348F52402FF44587292EF3DC9828AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041E240, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0041E2FF
__fprintf_l.LIBCMT ref: 0041E344
_memmove.LIBCMT ref: 0041E387
__fprintf_l.LIBCMT ref: 0041E3B4

Strings

CREATE TABLE , xrefs: 0041E2F6
LfHPfH, xrefs: 0041E3A2
PfH, xrefs: 0041E2BE
XfH, xrefs: 0041E337

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l$_memmove
String ID: CREATE TABLE $LfHPfH$PfH$XfH
API String ID: 3461008893-4249198180
Opcode ID: 80efa8cf07635cd31b000c0f5d7d4239449becf97f27fbb7c3dfa421bbc46f75
Instruction ID: 09cfd911f007277119fb9cb4633595691028b995376c485d8c905c46db08702f
Opcode Fuzzy Hash: 80efa8cf07635cd31b000c0f5d7d4239449becf97f27fbb7c3dfa421bbc46f75
Instruction Fuzzy Hash: 78518175D00259EFCB10DF99C551AEFBBF9EF48308F21459BE804E7201E3389A858B95

Uniqueness

Uniqueness Score: -1.00%

Function 0045AE74, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045AE8D
GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000010), ref: 0045AEC0
GetProcAddress.KERNEL32(00000000), ref: 0045AEC7
_memset.LIBCMT ref: 0045AEDB

Part of subcall function 0045DDE3: __EH_prolog3_GS.LIBCMT ref: 0045DDED

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

GlobalMemoryStatus.KERNEL32 ref: 0045AF67

Strings

kernel32.dll, xrefs: 0045AEB5
MB, xrefs: 0045AF0F, 0045AF80
GlobalMemoryStatusEx, xrefs: 0045AEAF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove$AddressGlobalH_prolog3H_prolog3_HandleMemoryModuleProcStatus_memset
String ID: MB$GlobalMemoryStatusEx$kernel32.dll
API String ID: 1919256930-2756951423
Opcode ID: 6a6a3f8d55e120a7cc78f6531eb0ab514827d583225f9854cbda8802626bee35
Instruction ID: ad2a5851cfe99686e14c5059469467960d9498511f0e5d6211438615dbdc338a
Opcode Fuzzy Hash: 6a6a3f8d55e120a7cc78f6531eb0ab514827d583225f9854cbda8802626bee35
Instruction Fuzzy Hash: 864134B1900248ABDB15EFA5CC45BDE77F8AF54304F10452FF906B7281DB789A08C765

Uniqueness

Uniqueness Score: -1.00%

Function 00426AA8, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 181COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00426B0F
__fprintf_l.LIBCMT ref: 00426C9D

Part of subcall function 00419DA5: _memset.LIBCMT ref: 00419DC2

Strings

winFullPathname2, xrefs: 00426C49
winFullPathname1, xrefs: 00426BFD
%s%c%s, xrefs: 00426B06
winFullPathname3, xrefs: 00426B65
winFullPathname4, xrefs: 00426BBF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l$_memset
String ID: %s%c%s$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
API String ID: 639243752-2604382604
Opcode ID: bdec08eb893a0111fe4ee3f35249d31266c455bc7947cae12f50614f2fbfbc4e
Instruction ID: abcc22e7e10503354565b6b5789f5cc32b753e044b8a2ae6e6480fa463feb179
Opcode Fuzzy Hash: bdec08eb893a0111fe4ee3f35249d31266c455bc7947cae12f50614f2fbfbc4e
Instruction Fuzzy Hash: B05116717002206AD711BF25BC49EAB3BE8DF86354B56802FF849CB252DB3CD9418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0046A747, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 0046D0B6: __mtinitlocknum.LIBCMT ref: 0046D0CC
Part of subcall function 0046D0B6: __amsg_exit.LIBCMT ref: 0046D0D8
Part of subcall function 0046D0B6: EnterCriticalSection.KERNEL32(00000000,00000000,?,004699C3,0000000D), ref: 0046D0E0

__mtinitlocknum.LIBCMT ref: 0046A79E
__malloc_crt.LIBCMT ref: 0046A7DF
InitializeCriticalSectionAndSpinCount.KERNEL32(00494600,00000FA0,00491040,00000010,00464533,00490C28,0000000C,004645B0,?,0040AF5A,00000040,?,0040AF5A,?,00480F58), ref: 0046A803
_free.LIBCMT ref: 0046A815
EnterCriticalSection.KERNEL32(00494600), ref: 0046A82C

Strings

U), xrefs: 0046A75C
vI, xrefs: 0046A7CA

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$Enter__mtinitlocknum$CountInitializeSpin__amsg_exit__malloc_crt_free
String ID: U)$vI
API String ID: 2015852156-2520028155
Opcode ID: ed92c90262a1a63957666ed5798683535132fa8df77cd51daffce4dbd76aebc4
Instruction ID: 21befa1b19f8bc5dad73c1433c37bc5564bf94dd8e326a54691f1ad436b4d1bf
Opcode Fuzzy Hash: ed92c90262a1a63957666ed5798683535132fa8df77cd51daffce4dbd76aebc4
Instruction Fuzzy Hash: F631A235504B019FC720EF9AD881A1ABBB0FF18324B55413FE5519B3A1DB38E8528F4B

Uniqueness

Uniqueness Score: -1.00%

Function 0045A6FD, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045A73F
RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,00000001,00000000), ref: 0045A75B
RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,00000000,?,?,?,00000001,00000000), ref: 0045A77A
RegCloseKey.ADVAPI32(?,?,00000001,00000000), ref: 0045A783
CharToOemA.USER32 ref: 0045A794

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0045A751
ProcessorNameString, xrefs: 0045A772

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
API String ID: 2235053359-2804670039
Opcode ID: cb0cb436d3d57ec50cd965ab9750c93cb5c4ed579ced9d9a984e97d811887ea1
Instruction ID: 55038930f4c83a97eb7e7178f70ae273f99b2b5ca0b11ffb831b6e926694ee0c
Opcode Fuzzy Hash: cb0cb436d3d57ec50cd965ab9750c93cb5c4ed579ced9d9a984e97d811887ea1
Instruction Fuzzy Hash: F01160B150025DAFEB309F64DC84FEE77BCEB08308F10452AE919D7151EA745A488B65

Uniqueness

Uniqueness Score: -1.00%

Function 0045A845, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045A887
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,004930CC,00000000), ref: 0045A8A3
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,?,?,?,004930CC,00000000), ref: 0045A8C2
RegCloseKey.ADVAPI32(?,?,004930CC,00000000), ref: 0045A8CB
CharToOemA.USER32 ref: 0045A8DC

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0045A899
ProductName, xrefs: 0045A8BA

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 2235053359-1787575317
Opcode ID: 85b284173e2ff93875b859ef4ad273a631479924e715149df03868098df3006a
Instruction ID: e6d281c1f7aabfe8ee2b464bfd5a40d86e630d1bcb2be1791bc370a2e83c1d6e
Opcode Fuzzy Hash: 85b284173e2ff93875b859ef4ad273a631479924e715149df03868098df3006a
Instruction Fuzzy Hash: 261130B150025DAFEB30AF64DC85FEE7BBCFB08308F10452AE919D7151EE745A488B65

Uniqueness

Uniqueness Score: -1.00%

Function 0045A9C4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AA06
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,00000000,00000000), ref: 0045AA22
RegQueryValueExA.ADVAPI32(?,MachineGuid,00000000,00000000,?,?,?,00000000,00000000), ref: 0045AA41
RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 0045AA4A
CharToOemA.USER32 ref: 0045AA5B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0045AA18
MachineGuid, xrefs: 0045AA39

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: cc68c69f26ff665a082d63b67b6f7f21467064f455998870c8f3eec68c28415c
Instruction ID: 010514671076f2072c9c902619029040362dacca11dcaadc755bae1f0df2badc
Opcode Fuzzy Hash: cc68c69f26ff665a082d63b67b6f7f21467064f455998870c8f3eec68c28415c
Instruction Fuzzy Hash: EB1130B150025DAFEB309F64DC85FEE77BCFB08308F10452AE519D7152EA785A488B65

Uniqueness

Uniqueness Score: -1.00%

Function 0044451D, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 405COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 004446E1

Strings

MJ collide: %s, xrefs: 004446AC
-mj%06X9%02X, xrefs: 004446D7
MJ delete: %s, xrefs: 00444703
%s-mjXXXXXX9XXz, xrefs: 00444677
uhD, xrefs: 0044452D, 00444530, 004446ED, 00444712, 00444830, 00444855, 004448B7

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l
String ID: %s-mjXXXXXX9XXz$-mj%06X9%02X$MJ collide: %s$MJ delete: %s$uhD
API String ID: 3906573944-4283756371
Opcode ID: 7b94a9f0d2927699763725bd55cb302c610f4fd549948f37cd77ad700cbdaf67
Instruction ID: fb1e8b21301f7114f5dda2b33529baaecc3af96578b752c83d3b188b88cf6bce
Opcode Fuzzy Hash: 7b94a9f0d2927699763725bd55cb302c610f4fd549948f37cd77ad700cbdaf67
Instruction Fuzzy Hash: CBE14B71E00219EBEF15DFA9C881BAEBBB1AF84714F24445BE904A7341C7389E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00444E98, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00444F3E
__fprintf_l.LIBCMT ref: 00444F7E

Strings

cannot detach database %s, xrefs: 00444F23
database %s is locked, xrefs: 00444F70
no such database: %s, xrefs: 00444F14
cannot DETACH database within transaction, xrefs: 00444F30

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l
String ID: cannot DETACH database within transaction$cannot detach database %s$database %s is locked$no such database: %s
API String ID: 3906573944-3374617522
Opcode ID: d86b268125a9451854d5418100674f7d50ff8b78cbf932655baef2ecb596ad14
Instruction ID: 9dfbab8d6e14313635faa1a42d75bb9cacd066d69d0d41ef437d5e334173c361
Opcode Fuzzy Hash: d86b268125a9451854d5418100674f7d50ff8b78cbf932655baef2ecb596ad14
Instruction Fuzzy Hash: 7D31C271D00209EFEB10DF95C881BAEB7F0BF58318F60491BE511A7282D77DA949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047AE4D, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0047AE54

Part of subcall function 00469A2D: GetLastError.KERNEL32(?,00000001,004671C9,004644D7,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00469A31
Part of subcall function 00469A2D: ___set_flsgetvalue.LIBCMT ref: 00469A3F
Part of subcall function 00469A2D: __calloc_crt.LIBCMT ref: 00469A53
Part of subcall function 00469A2D: DecodePointer.KERNEL32(00000000,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00469A6D
Part of subcall function 00469A2D: GetCurrentThreadId.KERNEL32 ref: 00469A83
Part of subcall function 00469A2D: SetLastError.KERNEL32(00000000,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00469A9B

__calloc_crt.LIBCMT ref: 0047AE76
__get_sys_err_msg.LIBCMT ref: 0047AE94
_strcpy_s.LIBCMT ref: 0047AE9C
__invoke_watson.LIBCMT ref: 0047AEB1

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0047AE61, 0047AE84

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 0399d10ea183154f6e9a15282253e5825dbd43e58773fd4551dc9f8229771f1f
Instruction ID: 37c1fd1ef2dfc24dad86e5a306308a54116701866b4bc17c3fb197ee264cd4b2
Opcode Fuzzy Hash: 0399d10ea183154f6e9a15282253e5825dbd43e58773fd4551dc9f8229771f1f
Instruction Fuzzy Hash: 13F024726852146BC72039665D818AF738CCBC4728B11863FF60DA7201F66D9C50829F

Uniqueness

Uniqueness Score: -1.00%

Function 00468C5C, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00468C7D

Part of subcall function 00469AA6: __getptd_noexit.LIBCMT ref: 00469AA9
Part of subcall function 00469AA6: __amsg_exit.LIBCMT ref: 00469AB6

__getptd.LIBCMT ref: 00468C8E
__getptd.LIBCMT ref: 00468C9C

Strings

csm, xrefs: 00468C76
RCC, xrefs: 00468C68
MOC, xrefs: 00468C6F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: c9e67d05d496803d453f7fd20f46eb28589b5f089758845be631d745d3a58dda
Instruction ID: e0ba6d6e3544c3fa734d0dc3168dd621c2156b76ae35652341fdb3be1af6cc6c
Opcode Fuzzy Hash: c9e67d05d496803d453f7fd20f46eb28589b5f089758845be631d745d3a58dda
Instruction Fuzzy Hash: 03E012311001088FD710A7A9C04AB6937E8BF84318F1902ABE40CCB322EB7DDC50995B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CF, Relevance: 9.1, APIs: 6, Instructions: 62filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A4E7
GetFileSizeEx.KERNEL32(00000000,?), ref: 0040A4FE
LocalAlloc.KERNEL32(00000040,?), ref: 0040A51A
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040A534
LocalFree.KERNEL32(?), ref: 0040A54A
CloseHandle.KERNEL32(?), ref: 0040A555

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: a91f54da7db303437cf2903622208ddcd8c9637f0af06082c195dd1c0b52f98b
Instruction ID: d14dcebefb77d9f3e88a3c79f89fda3fdaccdbc6277bedbe3e3bf3fdd0218fe0
Opcode Fuzzy Hash: a91f54da7db303437cf2903622208ddcd8c9637f0af06082c195dd1c0b52f98b
Instruction Fuzzy Hash: 04113D71500215FFEF10AFA9DC88AAEBB78FB08314F14057AFA15B2290D7749D648B29

Uniqueness

Uniqueness Score: -1.00%

Function 00468F1F, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00468F47

Part of subcall function 00462F7C: __getptd.LIBCMT ref: 00462F8A
Part of subcall function 00462F7C: __getptd.LIBCMT ref: 00462F98

__getptd.LIBCMT ref: 00468F51

Part of subcall function 00469AA6: __getptd_noexit.LIBCMT ref: 00469AA9
Part of subcall function 00469AA6: __amsg_exit.LIBCMT ref: 00469AB6

__getptd.LIBCMT ref: 00468F5F
__getptd.LIBCMT ref: 00468F6D
__getptd.LIBCMT ref: 00468F78
_CallCatchBlock2.LIBCMT ref: 00468F9E

Part of subcall function 00463021: __CallSettingFrame@12.LIBCMT ref: 0046306D

Part of subcall function 00469045: __getptd.LIBCMT ref: 00469054
Part of subcall function 00469045: __getptd.LIBCMT ref: 00469062

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: a4cc87ab0c8127e44a66cb83c131059099515b5048e1ed6a5e7e579593d51c45
Instruction ID: a4f3aa68bce2efd6863539d3f934c98a36ade3ae3a0e9763762a8fa94a7306e4
Opcode Fuzzy Hash: a4cc87ab0c8127e44a66cb83c131059099515b5048e1ed6a5e7e579593d51c45
Instruction Fuzzy Hash: AB1119B1C00249DFDF00EFA5C545AAE7BF4FF08314F10806AF814A7251EB799A119F55

Uniqueness

Uniqueness Score: -1.00%

Function 00428763, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00428869
_memmove.LIBCMT ref: 00428987

Strings

unknown column "%s" in foreign key definition, xrefs: 00428957
foreign key on %s should reference only one column of table %T, xrefs: 004287C0
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004287E8

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4104443479-272990098
Opcode ID: be48fbf36fd07c17c2a30768e218292668f175fda2df58cec6efcdcb97ae542a
Instruction ID: 5dbd5a5cd9f5108488575797bfc532c7ffc43afe4eae138e4bc32d554110dfa2
Opcode Fuzzy Hash: be48fbf36fd07c17c2a30768e218292668f175fda2df58cec6efcdcb97ae542a
Instruction Fuzzy Hash: 2D91B1B1A01216DFCB11DF59D980AAEBBF1FF48304B54805FE805AB316DB35E981CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00446ED9, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 176COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00446FF7
_memmove.LIBCMT ref: 00447012

Strings

out of memory, xrefs: 0044AC4B
string or blob too big, xrefs: 00447433
statement aborts at %d: [%s] %s, xrefs: 0044A818

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
API String ID: 4104443479-3170954634
Opcode ID: e1c59305f325a914e50f1ebfe4410ef28988d68669f2343fc8597b2848ceb812
Instruction ID: af25c3107194d3b7c7c6d17b7f9aae5a53c3b10aa81bee29392daacb5b3f2c55
Opcode Fuzzy Hash: e1c59305f325a914e50f1ebfe4410ef28988d68669f2343fc8597b2848ceb812
Instruction Fuzzy Hash: E261F071A043148BDB14DF69D881BADBBB1BF05318F15805FE858AB352DB39EC91CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0045C4B5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0045C4CC

Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2AB
Part of subcall function 0047A296: __CxxThrowException@8.LIBCMT ref: 0047A2C0
Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2D1

std::_Xinvalid_argument.LIBCPMT ref: 0045C4E2
_memmove.LIBCMT ref: 0045C523

Strings

string too long, xrefs: 0045C4DD
invalid string position, xrefs: 0045C4C7

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: acbd979a7cd762ada96d76f7fabed2ce5050388f803f4770f5d76dc6c9ac8b6b
Instruction ID: 6d993e1c8620b758c46380f6c0b6ac3f55a5f2f2488ad8c5f3e25317e1bce101
Opcode Fuzzy Hash: acbd979a7cd762ada96d76f7fabed2ce5050388f803f4770f5d76dc6c9ac8b6b
Instruction Fuzzy Hash: 9C11D6313003246FDB209E9DDDC5A2EB3A9EB81714B14491FF89197682E778E808875D

Uniqueness

Uniqueness Score: -1.00%

Function 004645B5, Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00464610
_memcpy_s.LIBCMT ref: 00464681
__read.LIBCMT ref: 004646E4
__filbuf.LIBCMT ref: 00464700

Part of subcall function 004671C4: __getptd_noexit.LIBCMT ref: 004671C4

_memset.LIBCMT ref: 00464741

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 9da3e77b58990ecc488e0d50261fb8f06aa1325f374426013d320b94a7aa3fc2
Instruction ID: f0fff8cc90a8db8fbb050c1e6225cdba5d14cef5b38f234fea094db0f0400d3b
Opcode Fuzzy Hash: 9da3e77b58990ecc488e0d50261fb8f06aa1325f374426013d320b94a7aa3fc2
Instruction Fuzzy Hash: 6B51B771A00205EBCF249F69C84469FB7B1AFC2325F24866BE82157290F77C9E51CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00464BC7, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00464BD5

Part of subcall function 0046444E: __FF_MSGBANNER.LIBCMT ref: 00464467
Part of subcall function 0046444E: __NMSG_WRITE.LIBCMT ref: 0046446E
Part of subcall function 0046444E: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00462550,00000001,00000000,?,?,?,004625AE,00402496), ref: 00464493

_free.LIBCMT ref: 00464BE8

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 5c99a2df36e1d04147695570c7b8ea751d7b8c746d0da19686cd1f66327e8149
Instruction ID: 4266368856bf5b95114dcd2f8074030576c6bb6bbcc233619454cdeef847105c
Opcode Fuzzy Hash: 5c99a2df36e1d04147695570c7b8ea751d7b8c746d0da19686cd1f66327e8149
Instruction Fuzzy Hash: B4115B32405111ABCF226F76AC05A5A3B94DBC5368B21457BF84887350FE3CD840875F

Uniqueness

Uniqueness Score: -1.00%

Function 0045CB39, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 399COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0045CB43

Part of subcall function 0040A2A3: std::locale::facet::_Incref.LIBCPMT ref: 0040A2B6

Part of subcall function 0045C6BB: __EH_prolog3.LIBCMT ref: 0045C6C2
Part of subcall function 0045C6BB: std::_Lockit::_Lockit.LIBCPMT ref: 0045C6CC
Part of subcall function 0045C6BB: int.LIBCPMT ref: 0045C6E3
Part of subcall function 0045C6BB: std::locale::_Getfacet.LIBCPMT ref: 0045C6EC

_localeconv.LIBCMT ref: 0045CBEB
_strcspn.LIBCMT ref: 0045CCF3

Strings

e, xrefs: 0045CBFD

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: GetfacetH_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::_std::locale::facet::_
String ID: e
API String ID: 3634193280-4024072794
Opcode ID: ffc9fd2a311ad21bc132db62c346a6bcd18592ed611940fb91af93f4b02b9d2d
Instruction ID: c5d38be7ae1d264dafca2dbb9b379d463b238776337bd83804109f10a09344e1
Opcode Fuzzy Hash: ffc9fd2a311ad21bc132db62c346a6bcd18592ed611940fb91af93f4b02b9d2d
Instruction Fuzzy Hash: 73024471D00249AFDF11DFE8C981AEEBBB5FF08304F04806AE909AB252D7759A19DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00448286, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00448313

Strings

cannot release savepoint - SQL statements in progress, xrefs: 004483DA
cannot open savepoint - SQL statements in progress, xrefs: 004482A8
no such savepoint: %s, xrefs: 004483AF

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s
API String ID: 4104443479-3151731220
Opcode ID: bd2c792b8671861e9876392b7f598d63898563abf454195be3ef4e47fd821b7b
Instruction ID: 55bfa3d33cb1f212b3efc9b59553b9fb6dfa00ebf10497b3a080e10cfc009101
Opcode Fuzzy Hash: bd2c792b8671861e9876392b7f598d63898563abf454195be3ef4e47fd821b7b
Instruction Fuzzy Hash: 83D13671E0071ADBEB24CF69C981B9EB7B1BF44314F25416ED819AB342DB38A981CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0042603B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0042607E
_memmove.LIBCMT ref: 00426096

Strings

winWrite1, xrefs: 00426192
winWrite2, xrefs: 00426143

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: winWrite1$winWrite2
API String ID: 4104443479-3457389245
Opcode ID: aece583ae29bb3b2b9afaefa0a4a7e3402b121097b5e8b7b060c928c065f4baa
Instruction ID: d4ae6c105ced69ac4711e9790853aca9ec1b5220dbbf27dae64a817442d15c37
Opcode Fuzzy Hash: aece583ae29bb3b2b9afaefa0a4a7e3402b121097b5e8b7b060c928c065f4baa
Instruction Fuzzy Hash: 3941C171B00229DBDF00DF94D8816AE77B1FF04354F65812BE804A7241D778EE65DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00424731, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 004114DE: __allrem.LIBCMT ref: 00411507

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004247D5
__localtime64_s.LIBCMT ref: 004247F8

Strings

local time unavailable, xrefs: 00424805
utc, xrefs: 0042474B

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__localtime64_s
String ID: local time unavailable$utc
API String ID: 1840914312-1312764671
Opcode ID: 5bcfac523ccb624f5137cef1047aa6be704d302c4cb4b488d2cbc218cf7e6fbb
Instruction ID: cd6c247da991a15904ed860c7b681b5692cc4259d9ba55d52c02f16e3e9aec5f
Opcode Fuzzy Hash: 5bcfac523ccb624f5137cef1047aa6be704d302c4cb4b488d2cbc218cf7e6fbb
Instruction Fuzzy Hash: B2411572A0024CAFCF04DF69D8819CE7BE4FF48354F51412AF925E7250DB759A85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004261A8, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004261D4

Strings

winTruncate2, xrefs: 0042627F
winTruncate1, xrefs: 00426249
winSeekFile, xrefs: 0042622A

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 885266447-2471937615
Opcode ID: b69ea3e424aae15b6c4c6d456d4f63874be548ca2860b93e182294ed12e7e86c
Instruction ID: 7ace17dfe31298a1fb083a75f708bdf7391afdb377f07e9421a84270a82937aa
Opcode Fuzzy Hash: b69ea3e424aae15b6c4c6d456d4f63874be548ca2860b93e182294ed12e7e86c
Instruction Fuzzy Hash: D931E271700714AFDB20EF64D885B6B73E9EB84750F55892EF54ACB380D639ED008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0045A914, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 0045A926
IsWow64Process.KERNEL32(00000000), ref: 0045A92D

Strings

x86, xrefs: 0045A943
x64, xrefs: 0045A93C

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: x64$x86
API String ID: 1905925150-1778291495
Opcode ID: 8e2fe055f98afda5dc517598f75ed9a969ce0a01b1ffd7a730d724d18ad01d31
Instruction ID: 85fa9516aa533993137d067aea86bbefc133fdff603d2da013896fba4a2bed94
Opcode Fuzzy Hash: 8e2fe055f98afda5dc517598f75ed9a969ce0a01b1ffd7a730d724d18ad01d31
Instruction Fuzzy Hash: 10F0E2B1600318EBDB109FA8884599FBBBCFB05751750497FA901E3241C2B89E089796

Uniqueness

Uniqueness Score: -1.00%

Function 00422FF8, Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00423096
_memmove.LIBCMT ref: 004230CB
_memset.LIBCMT ref: 004230DF
_memmove.LIBCMT ref: 00423114

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: e769008e82a8ff6d808ddc5cc8c0f730334dca78707252ffe17bef877549aa54
Instruction ID: 0f38d9b1fcd045025a112ac157c09eaff17f7738e307a7a873f5768f6d32b6e8
Opcode Fuzzy Hash: e769008e82a8ff6d808ddc5cc8c0f730334dca78707252ffe17bef877549aa54
Instruction Fuzzy Hash: 4251E0B2A00219AFDF10DF65EC41BABBBB5FF04314F44802AF91596250D73DEA60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00466389, Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00466397

Part of subcall function 004639FA: __getptd.LIBCMT ref: 00463A0D

Part of subcall function 004671C4: __getptd_noexit.LIBCMT ref: 004671C4

__stricmp_l.LIBCMT ref: 00466404

Part of subcall function 00463ABA: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00463AC9

___crtLCMapStringA.LIBCMT ref: 0046645A
___crtLCMapStringA.LIBCMT ref: 004664DB

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: db6bd5034fea1ef33f56b1b237e09af9bf9e2d9afae5cc8cb262107543115fa3
Instruction ID: cffc35d0c82c93a6e2278d6bed3dda8822e447097e6ac8f211ba6e74478d3518
Opcode Fuzzy Hash: db6bd5034fea1ef33f56b1b237e09af9bf9e2d9afae5cc8cb262107543115fa3
Instruction Fuzzy Hash: 49514E70D04148ABDF25CB65C445BBE7FB49B01328F29418BE4625A2D6E738CD42D71B

Uniqueness

Uniqueness Score: -1.00%

Function 00470301, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00470327

Part of subcall function 00470153: __fltout2.LIBCMT ref: 0047017E

__cftog_l.LIBCMT ref: 0047034D
__cftoe_l.LIBCMT ref: 0047037F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: b408486b184a10df18cb9bf0362e84b0f3904d287d49c9963c5ae3ec1314d6b3
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: A0114C3240114EFBCF265E85DC41CEE3F22BB18358B598456FE1C59131D27AC9B2AB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404255, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040425C
_strtok.LIBCMT ref: 00404270

Part of subcall function 0046380D: __getptd.LIBCMT ref: 0046382B

CreateDirectoryA.KERNEL32(?,00000000,0048057C,00000001,00000000,?,?,?,?,?,?,00000024), ref: 004042AE
_strtok.LIBCMT ref: 004042B9

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strtok$CreateDirectoryH_prolog3___getptd
String ID:
API String ID: 2807274917-0
Opcode ID: b4ab111d086511d91cdf3930124beabdf9dc83b6bebc164baa72c716fb4a8e5c
Instruction ID: 5ea7169065c03629dc78d08bc46b2e48d8d042e90efd3848fc38bf534d5fef80
Opcode Fuzzy Hash: b4ab111d086511d91cdf3930124beabdf9dc83b6bebc164baa72c716fb4a8e5c
Instruction Fuzzy Hash: 95014071904249AEDB04EFE5E896EED7778AF04304F50842FF210B70C1D67856488B69

Uniqueness

Uniqueness Score: -1.00%

Function 0045C23D, Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

numpunct.LIBCPMT ref: 0045C240
__CxxThrowException@8.LIBCMT ref: 0045C249

Part of subcall function 00462C51: RaiseException.KERNEL32(?,?,004024AB,?,?,?,?,?,004024AB,?,0048E7E8,00000000), ref: 00462C93

GdipCloneImage.GDIPLUS(00000000,00000000), ref: 0045C261
GdipAlloc.GDIPLUS(00000010,00000000,00000000), ref: 0045C26F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Gdip$AllocCloneExceptionException@8ImageRaiseThrownumpunct
String ID:
API String ID: 2212125544-0
Opcode ID: 790dd2c3ad6468bced3a78380498bc6d71339d21da586409688808fcfdac11f2
Instruction ID: af761b94f4af348c5ddf5047f549a87e39db83b770b26d0eb8b13da5cbf87af3
Opcode Fuzzy Hash: 790dd2c3ad6468bced3a78380498bc6d71339d21da586409688808fcfdac11f2
Instruction Fuzzy Hash: 29F0B470900308AFDB209B91CD829AE77EDEF40305F1080AEBC0557252D7B8EE04DA59

Uniqueness

Uniqueness Score: -1.00%

Function 004346D4, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 475COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043479F
_memmove.LIBCMT ref: 00434A19

Strings

no query solution, xrefs: 00434AB4

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove_memset
String ID: no query solution
API String ID: 3555123492-1895316939
Opcode ID: 7ee113663946c713673e8cc71047b80a3b99e5e1d296c2ffa3dfa000e216e7fc
Instruction ID: 85ac52b1795a703633716b0958799cb45e0713086c52f3e661a4779b1151f216
Opcode Fuzzy Hash: 7ee113663946c713673e8cc71047b80a3b99e5e1d296c2ffa3dfa000e216e7fc
Instruction Fuzzy Hash: 901288B4D006199FCB24DF99C481AEEBBF1FF88314F14915AE855AB351D338B981CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043CB8B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043CC53
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043CC9B

Strings

recovered %d pages from %s, xrefs: 0043CDDC

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: a3318e081003a9c8e3a1f23d8aa1777ff1894d191963ec4d2c688f98864d4a61
Instruction ID: 48ad5219d4464468bef4668135b685d8b2899e12d3789fbe01a5321ae50bd1c5
Opcode Fuzzy Hash: a3318e081003a9c8e3a1f23d8aa1777ff1894d191963ec4d2c688f98864d4a61
Instruction Fuzzy Hash: E281AE71A007059FEF20DBA5C8C5BAFBBB4EF18314F10542EE646A3381D779A985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF7E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

, xrefs: 0040D0FC

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6455ab2bbf0d3d8f20d348a8c0d6d4ddb54511f7c392d67f8794412b25238fdf
Instruction ID: 5f844a957e937ffeeb74b9aba08fb4d2b6512cb302ef0435b242ff1b31b1c32b
Opcode Fuzzy Hash: 6455ab2bbf0d3d8f20d348a8c0d6d4ddb54511f7c392d67f8794412b25238fdf
Instruction Fuzzy Hash: 24519A31D00205DFCB24CFA8C8819AEB7B5AF59318F10852BE556BB2C1DB79A849CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE01, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040CE08

Part of subcall function 0040A4CF: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A4E7
Part of subcall function 0040A4CF: GetFileSizeEx.KERNEL32(00000000,?), ref: 0040A4FE
Part of subcall function 0040A4CF: LocalAlloc.KERNEL32(00000040,?), ref: 0040A51A
Part of subcall function 0040A4CF: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040A534
Part of subcall function 0040A4CF: CloseHandle.KERNEL32(?), ref: 0040A555

Part of subcall function 0045BC0F: LocalAlloc.KERNEL32(00000040,00000105,00000000,00000104,0040CE45,0000000F,?,00000000,?,?,?,?,?,?,?,00000014), ref: 0045BC27

Part of subcall function 0040259C: std::_Xinvalid_argument.LIBCPMT ref: 004025AF
Part of subcall function 0040259C: _memmove.LIBCMT ref: 004025EA

Strings

DPAPI, xrefs: 0040CECC
"os_crypt":{"encrypted_key":", xrefs: 0040CE4F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$AllocLocal$CloseCreateH_prolog3_HandleReadSizeXinvalid_argument_memmovestd::_
String ID: "os_crypt":{"encrypted_key":"$DPAPI
API String ID: 70629341-1727391133
Opcode ID: 88c8f2ede15e7e4df3c00cb1c20aed3edb675ddd39dd7ecefa3d40bbecff6cc4
Instruction ID: 33675e948c33357ad7666d69797443046134bc4323bf2fce0907ddd8e723515c
Opcode Fuzzy Hash: 88c8f2ede15e7e4df3c00cb1c20aed3edb675ddd39dd7ecefa3d40bbecff6cc4
Instruction Fuzzy Hash: 4B317C72D10209ABCF14EFA4DD81AEEB775AB04310F14822FF911762D1EB785908CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040620F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406216

Part of subcall function 004042D5: __EH_prolog3.LIBCMT ref: 004042F4
Part of subcall function 004042D5: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000014), ref: 00404317
Part of subcall function 004042D5: InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00800000,00000001), ref: 00404351
Part of subcall function 004042D5: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00800000,00000001), ref: 00404384
Part of subcall function 004042D5: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404398
Part of subcall function 004042D5: InternetReadFile.WININET(00000000,?,000007FF,?), ref: 004043D0
Part of subcall function 004042D5: InternetCloseHandle.WININET(?), ref: 004043DC
Part of subcall function 004042D5: InternetCloseHandle.WININET(?), ref: 004043E5
Part of subcall function 004042D5: InternetCloseHandle.WININET(?), ref: 004043EE

Part of subcall function 00403DD4: _memmove.LIBCMT ref: 00403DF6

Part of subcall function 004023CE: _memmove.LIBCMT ref: 004023ED

Part of subcall function 0040259C: std::_Xinvalid_argument.LIBCPMT ref: 004025AF
Part of subcall function 0040259C: _memmove.LIBCMT ref: 004025EA

_strtok.LIBCMT ref: 004062DA

Strings

198.98.55.103, xrefs: 004062E4

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Internet$CloseHandle_memmove$HttpOpenRequest$ConnectFileH_prolog3H_prolog3_ReadSendXinvalid_argument_strtokstd::_
String ID: 198.98.55.103
API String ID: 1152501625-3971627680
Opcode ID: 9f60035fcbd20546f3f15b6e05ade1924499bb096b9636dd183296f8aed71022
Instruction ID: 5aa81c0ce0e5e39cdeb54ca4dcfcb3660ee63139de205cca9807257d55efa00a
Opcode Fuzzy Hash: 9f60035fcbd20546f3f15b6e05ade1924499bb096b9636dd183296f8aed71022
Instruction Fuzzy Hash: 44216171C00248AEDB05EFB9C952AEDBB78AF14304F10816EF415771C2DA791B48CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A881, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0041A928
__fprintf_l.LIBCMT ref: 0041A93D

Strings

OsError 0x%lx (%lu), xrefs: 0041A91D

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l
String ID: OsError 0x%lx (%lu)
API String ID: 3906573944-3720535092
Opcode ID: 4c0491b21e85c5b144a917c1f346577b60e1eeb4f05df6ae0f538493be382533
Instruction ID: 0517094ac0f2c9d8ec96483968ab8a5d7c11b4e35492bde69a45f9964b5281b9
Opcode Fuzzy Hash: 4c0491b21e85c5b144a917c1f346577b60e1eeb4f05df6ae0f538493be382533
Instruction Fuzzy Hash: 04219DB1902118BBCF117BA1DC4ACDFBF7AEF44394B114067F505A2120DB394BA1DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040295F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402979

Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2AB
Part of subcall function 0047A296: __CxxThrowException@8.LIBCMT ref: 0047A2C0
Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2D1

Part of subcall function 00402896: std::_Xinvalid_argument.LIBCPMT ref: 004028A5

_memmove.LIBCMT ref: 004029D4

Strings

invalid string position, xrefs: 00402974

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: bf4aca818b536bd31f5658c02cfa547cb9579e652e3d832870b86d98f8e59fd9
Instruction ID: d6f69300e8300a22b228327b4e1e1b1933055253f3051649a683071ac655ad00
Opcode Fuzzy Hash: bf4aca818b536bd31f5658c02cfa547cb9579e652e3d832870b86d98f8e59fd9
Instruction Fuzzy Hash: 4411C8B13042109BDF149E199E49A2BB3A5EB45714F20093FF896A72C1D7F9D901879E

Uniqueness

Uniqueness Score: -1.00%

Function 004029F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402A12

Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2AB
Part of subcall function 0047A296: __CxxThrowException@8.LIBCMT ref: 0047A2C0
Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2D1

Part of subcall function 004028F8: std::_Xinvalid_argument.LIBCPMT ref: 0040290A

_memmove.LIBCMT ref: 00402A6F

Strings

invalid string position, xrefs: 00402A0D

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 3838bbcb5bf36b4938cb4fc634f1b8b9d3e4a4fbdddf7753ade4b8482e0b4a7a
Instruction ID: 5f93a3d41c30ba7e100ad22467e0cd290921ffaa19b34d281a70b1f6723fa6c8
Opcode Fuzzy Hash: 3838bbcb5bf36b4938cb4fc634f1b8b9d3e4a4fbdddf7753ade4b8482e0b4a7a
Instruction Fuzzy Hash: 3811A731304110A7CF149E19DE99D6A7356AB95324B04412FFC15B72C5DFF8AD108A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0045E0B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0045E0B7
std::_Xinvalid_argument.LIBCPMT ref: 0045E0CE

Part of subcall function 0047A249: std::exception::exception.LIBCMT ref: 0047A25E
Part of subcall function 0047A249: __CxxThrowException@8.LIBCMT ref: 0047A273
Part of subcall function 0047A249: std::exception::exception.LIBCMT ref: 0047A284

Strings

vector<T> too long, xrefs: 0045E0C9

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1877048013-3788999226
Opcode ID: 646382c43a26571e49d22acaaee8b83f59ce027d06b7716e0475266aaef5a481
Instruction ID: fa11c13c8fe09798bd22ba526819334ba9fe883c0331ef013d00dbfce93f73cb
Opcode Fuzzy Hash: 646382c43a26571e49d22acaaee8b83f59ce027d06b7716e0475266aaef5a481
Instruction Fuzzy Hash: 32113D76600701AFD724EF6AC881E4AB7E5DF44700F10882FF989C7242D779EA40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004286DB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0042871B

Part of subcall function 0042834B: _memset.LIBCMT ref: 0042838D

Strings

DELETE FROM %Q.%s WHERE %s=%Q, xrefs: 0042873E
sqlite_stat%d, xrefs: 00428713

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l_memset
String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
API String ID: 4274417252-3667113883
Opcode ID: 146ef703dada2249748f477275428c64a7da5f0cf5946bc3ea44b0c87637c362
Instruction ID: 02dc9846c7927b7162dd5c305a6531efe2b155a489448b92ae0b74f8e46bafc9
Opcode Fuzzy Hash: 146ef703dada2249748f477275428c64a7da5f0cf5946bc3ea44b0c87637c362
Instruction Fuzzy Hash: 14115A75E00218ABCF00DFD9DC81AEEB7B9EF48308F50006EE505B7241D639A905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040259C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004025AF

Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2AB
Part of subcall function 0047A296: __CxxThrowException@8.LIBCMT ref: 0047A2C0
Part of subcall function 0047A296: std::exception::exception.LIBCMT ref: 0047A2D1

_memmove.LIBCMT ref: 004025EA

Strings

invalid string position, xrefs: 004025AA

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: e85fe9a8f95cdfa34a4678f7778f4d4e55d4a238f19608aa6d72c0d1dd6a5820
Instruction ID: 6a59afadfa7b998593da91279607c1378b88799c35a6ad92f125cfcbbdd19600
Opcode Fuzzy Hash: e85fe9a8f95cdfa34a4678f7778f4d4e55d4a238f19608aa6d72c0d1dd6a5820
Instruction Fuzzy Hash: DA019E313046419BC7248E28CFD881BB3E6AB857047204D3ED482976C6DBB9EC86976D

Uniqueness

Uniqueness Score: -1.00%

Function 00422839, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00422873

Strings

%!.15g, xrefs: 00422869
%lld, xrefs: 0042285B

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: __fprintf_l
String ID: %!.15g$%lld
API String ID: 3906573944-2983862324
Opcode ID: f71eeecc9d0d729fad420262aae52109903707324fb832e0c8b59d1786f65620
Instruction ID: e7a6ed347d114f12e419c9d89c347bbc12e8801d8a0c2ca699ac59f52ffd316c
Opcode Fuzzy Hash: f71eeecc9d0d729fad420262aae52109903707324fb832e0c8b59d1786f65620
Instruction Fuzzy Hash: 72012461204751BAD7306BA6D801B27BBD0AF04700F10CC1FF0E6851D1C3ACD0909719

Uniqueness

Uniqueness Score: -1.00%

Function 004024AD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004024DD
__CxxThrowException@8.LIBCMT ref: 004024F2

Part of subcall function 00462BD1: _malloc.LIBCMT ref: 00462BEB

Strings

,$@, xrefs: 004024EB

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: ,$@
API String ID: 4063778783-1227015840
Opcode ID: 07050ad0527a972bd5e0897eb808fbea74234f1c6203eeade3a3ed4a5cd9ab26
Instruction ID: 2d1835c2e26a2b1170e685739b6fe3204305c4b8251814b03ac4a71a50166a40
Opcode Fuzzy Hash: 07050ad0527a972bd5e0897eb808fbea74234f1c6203eeade3a3ed4a5cd9ab26
Instruction Fuzzy Hash: 50E0E53190020E7ADB14EEA5C5559DE73ECAF00718F10452FF911E10C1EBFCE644874A

Uniqueness

Uniqueness Score: -1.00%

Function 00402466, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00402491
__CxxThrowException@8.LIBCMT ref: 004024A6

Part of subcall function 00462BD1: _malloc.LIBCMT ref: 00462BEB

Strings

,$@, xrefs: 0040249F

Memory Dump Source

Source File: 00000000.00000002.496209342.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.496368220.000000000047E000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: ,$@
API String ID: 4063778783-1227015840
Opcode ID: ec16512caefd054cef6ae2198ea2ea22dcadaafcda6e81a4bea7f8c7fdee4806
Instruction ID: 79f58e2d8087225ecdef067f30e401a0a109ec6f4572213c206f449bac1593cb
Opcode Fuzzy Hash: ec16512caefd054cef6ae2198ea2ea22dcadaafcda6e81a4bea7f8c7fdee4806
Instruction Fuzzy Hash: 96E0653181050EBADF10EF65C9456CD77A8EB007ACF10C63BBC14A51C1E7B8D6448B8A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report vidar.bin

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Vidar

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers