{"id":2281,"date":"2024-09-25T14:43:13","date_gmt":"2024-09-25T14:43:13","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2281"},"modified":"2025-07-29T03:32:49","modified_gmt":"2025-07-29T03:32:49","slug":"promethium-strongpity-apt-c-41-an-element-no-match-for-lmntrix","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/promethium-strongpity-apt-c-41-an-element-no-match-for-lmntrix\/","title":{"rendered":"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/PROMETHIUM-an-element-no-match-for-LMNTRIX.webp\" alt=\"PROMETHIUM an element no match for LMNTRIX\"\/><figcaption class=\"wp-element-caption\">PROMETHIUM an element no match for LMNTRIX<\/figcaption><\/figure>\n<\/div>\n\n\n<p>In this research, we have primarily focused on the Turkish APT group APT-C-41 (aka StrongPity and Promethium). The modus operandi of this group has been to install a backdoor on its victims' machines to conduct cyber-espionage operations. The main targets of this APT group have been financial organisations, industrial plants and educational institutes. 
The <a href=\"https:\/\/lmntrix.com\/\">LMNTRIX<\/a> threat research team has brought together some of the payloads used by APT-C-41 (aka StrongPity and Promethium) in campaigns across Europe in the last quarter of 2020.<\/p>\n\n\n\n<p><strong>Payload details:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Payload hash (MD5)<\/strong><\/td><td><strong>Command &amp; Control domain<\/strong><\/td><\/tr><tr><td>d7aae4694291a7811c18ccc0af9d4b53<\/td><td>mentiononecommon[.]com<\/td><\/tr><tr><td>06752c080a5c00baf971243be65a49b8<\/td><td>ms21-app3-upload[.]com<\/td><\/tr><tr><td>52a895199380705c514dd0a23ba52414<\/td><td>mailtransfersagents[.]com<\/td><\/tr><tr><td>c930f328b5b3894feced92d04908b256<\/td><td>applicationrepo[.]com<\/td><\/tr><tr><td>469c0460e4c1fefd01db4ae9f79c53c7<\/td><td>uppertrainingtool[.]com<\/td><\/tr><tr><td>d7c62bc2a06d5abd872152ec87c64c8b<br>07ee8219801ec09951b8609142639480<br>c009b0bcf1c02503fff0d0e511188b68<br>a57e5f2011d04117c28982a68db28e23<br>ff9b1e2d7ad8b022f3fd3d9395382cf5<\/td><td>hostoperationsystems[.]com<\/td><\/tr><tr><td>989af6e0bb7fa4d62815f4fdc4696b85<\/td><td>protectapplication[.]com<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Sample Analysis<\/strong><\/p>\n\n\n\n<p>The LMNTRIX threat research team performed a binary analysis of one of the collected samples to understand the functions APT-C-41 (aka StrongPity and Promethium) uses in its payload.<\/p>\n\n\n\n<p>Hash (MD5): 52a895199380705c514dd0a23ba52414<\/p>\n\n\n\n<p>File size: 117 KB<\/p>\n\n\n\n<p>The specimen is a 32-bit Windows executable. Inspecting its entry point, we confirmed that it was compiled with Visual C++ (VC++).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"312\" height=\"137\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity1.webp\" alt=\"\" class=\"wp-image-2283\" title=\"PROMETHIUM 
(StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"247\" height=\"96\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity2.webp\" alt=\"\" class=\"wp-image-2284\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<p>The disassembly above shows the entry point (a call followed by a jmp), the pattern typical of VC++-compiled binaries. We confirmed the compiler with a second static analysis tool.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"561\" height=\"207\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity3.webp\" alt=\"\" class=\"wp-image-2285\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<p>We then ran the sample in a controlled environment to study its tactics. It performs file and directory discovery and uses defence-evasion techniques such as VM awareness and file obfuscation. 
The sample also contains an anti-debugging routine:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"156\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity4.webp\" alt=\"\" class=\"wp-image-2286\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"210\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity5.webp\" alt=\"\" class=\"wp-image-2290\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<p>We also found a routine that detects a virtual environment (VM awareness) and executes anti-VM instructions:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"210\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity5-1.webp\" alt=\"\" class=\"wp-image-2287\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n\n<p>After bypassing these checks, we found the command-and-control domain embedded in the code. 
The snapshot below shows communication with the malicious domain, highlighted as mailtransfersagents[.]com:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"210\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity5-2.webp\" alt=\"\" class=\"wp-image-2288\" title=\"PROMETHIUM (StrongPity\/APT C-41) an element no match for LMNTRIX\"\/><\/figure>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"67\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity10.webp\" alt=\"\" class=\"wp-image-2291\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"112\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity11.webp\" alt=\"\" class=\"wp-image-2292\"\/><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"210\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity5-3.webp\" alt=\"\" class=\"wp-image-2289\"\/><\/figure>\n\n\n\n<p>The communication is built on the WinHTTP API: the sample adds request headers, sets options with WinHttpSetOption, sends the request and body with WinHttpSendRequest and WinHttpWriteData, and finally reads the reply with WinHttpReceiveResponse.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"370\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity12.webp\" alt=\"\" class=\"wp-image-2293\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"257\" 
src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/StrongPity13.webp\" alt=\"\" class=\"wp-image-2294\"\/><\/figure>\n<\/div>\n\n\n<p>The functions highlighted in the disassembly above are used for data exfiltration. The disassembly also shows the ping command and the directory-removal command used by the sample. The sample can silently delete whole directory trees on the victim machine: it runs \u201crmdir\u201d with the \/s (recursive) and \/q (quiet) switches, so the deletion never prompts the user for confirmation.<\/p>\n\n\n\n<p><strong>MITRE ATT&amp;CK Mapping<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Technique ID<\/strong><\/td><td><strong>Name<\/strong><\/td><\/tr><tr><td>T1547.001<\/td><td>Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td><\/tr><tr><td>T1543.003<\/td><td>Create or Modify System Process: Windows Service<\/td><\/tr><tr><td>T1587.002, T1587.003<\/td><td>Develop Capabilities: Code Signing Certificates, Digital Certificates<\/td><\/tr><tr><td>T1189<\/td><td>Drive-by Compromise<\/td><\/tr><tr><td>T1036.004, T1036.005<\/td><td>Masquerading: Masquerade Task or Service, Match Legitimate Name or Location<\/td><\/tr><tr><td>T1553.002<\/td><td>Subvert Trust Controls: Code Signing<\/td><\/tr><tr><td>T1205.001<\/td><td>Traffic Signaling: Port Knocking<\/td><\/tr><tr><td>T1204.002<\/td><td>User Execution: Malicious File<\/td><\/tr><tr><td>T1078.003<\/td><td>Valid Accounts: Local Accounts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Detection:<\/strong><\/p>\n\n\n\n<p>The following YARA rule for APT-C-41, generated with yara-signator and published by Malpedia (CC BY-SA 4.0, TLP:WHITE), was built from the analysed sample (MD5 52a895199380705c514dd0a23ba52414). It fires when at least 7 of its 15 opcode sequences are present in a file smaller than 999424 bytes:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule win_strongpity_auto {\n\n    meta:\n        date = \"2020-12-22\"\n        version = \"1\"\n        tool = \"yara-signator v0.6.0\"\n        signator_config = \"callsandjumps;datarefs;binvalue\"\n        malpedia_rule_date = \"20201222\"\n        malpedia_hash = \"52a895199380705c514dd0a23ba52414\"\n        malpedia_version = \"20201023\"\n        malpedia_license = \"CC BY-SA 4.0\"\n        malpedia_sharing = \"TLP:WHITE\"\n\n    strings:\n        $sequence_0 = { 56 8b7508 f7d1 85f6 }\n            \/\/ n = 4, score = 500\n            \/\/   56                   | push                esi\n            \/\/   8b7508               | mov                 esi, dword ptr [ebp + 8]\n            \/\/   f7d1                 | not                 ecx\n            \/\/   85f6                 | test                esi, esi\n\n        $sequence_1 = { a1???????? 33c4 89442450 8b03 55 8ba828010000 8b4d00 }\n            \/\/ n = 7, score = 300\n            \/\/   a1????????           |\n            \/\/   33c4                 | xor                 eax, esp\n            \/\/   89442450             | mov                 dword ptr [esp + 0x50], eax\n            \/\/   8b03                 | mov                 eax, dword ptr [ebx]\n            \/\/   55                   | push                ebp\n            \/\/   8ba828010000         | mov                 ebp, dword ptr [eax + 0x128]\n            \/\/   8b4d00               | mov                 ecx, dword ptr [ebp]\n\n        $sequence_2 = { e8???????? 8bd8 83c408 85db 0f85f5020000 8b442420 }\n            \/\/ n = 6, score = 300\n            \/\/   e8????????           |\n            \/\/   8bd8                 | mov                 ebx, eax\n            \/\/   83c408               | add                 esp, 8\n            \/\/   85db                 | test                ebx, ebx\n            \/\/   0f85f5020000         | jne                 0x2fb\n            \/\/   8b442420             | mov                 eax, dword ptr [esp + 0x20]\n\n        $sequence_3 = { 52 ff15???????? 83c404 837c241000 750a 837d0400 0f852e020000 }\n            \/\/ n = 7, score = 300\n            \/\/   52                   | push                edx\n            \/\/   ff15????????         |\n            \/\/   83c404               | add                 esp, 4\n            \/\/   837c241000           | cmp                 dword ptr [esp + 0x10], 0\n            \/\/   750a                 | jne                 0xc\n            \/\/   837d0400             | cmp                 dword ptr [ebp + 4], 0\n            \/\/   0f852e020000         | jne                 0x234\n\n        $sequence_4 = { 83c408 83f8ff 0f845d050000 ff442410 85f6 7fe0 }\n            \/\/ n = 6, score = 300\n            \/\/   83c408               | add                 esp, 8\n            \/\/   83f8ff               | cmp                 eax, -1\n            \/\/   0f845d050000         | je                  0x563\n            \/\/   ff442410             | inc                 dword ptr [esp + 0x10]\n            \/\/   85f6                 | test                esi, esi\n            \/\/   7fe0                 | jg                  0xffffffe2\n\n        $sequence_5 = { 57 50 8944246c 89442450 }\n            \/\/ n = 4, score = 300\n            \/\/   57                   | push                edi\n            \/\/   50                   | push                eax\n            \/\/   8944246c             | mov                 dword ptr [esp + 0x6c], eax\n            \/\/   89442450             | mov                 dword ptr [esp + 0x50], eax\n\n        $sequence_6 = { 397704 0f8493000000 eb6b 8b54241c 6a04 }\n            \/\/ n = 5, score = 300\n            \/\/   397704               | cmp                 dword ptr [edi + 4], esi\n            \/\/   0f8493000000         | je                  0x99\n            \/\/   eb6b                 | jmp                 0x6d\n            \/\/   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]\n            \/\/   6a04                 | push                4\n\n        $sequence_7 = { c3 837c240800 56 57 8b7c240c 8db710050000 7534 }\n            \/\/ n = 7, score = 300\n            \/\/   c3                   | ret\n            \/\/   837c240800           | cmp                 dword ptr [esp + 8], 0\n            \/\/   56                   | push                esi\n            \/\/   57                   | push                edi\n            \/\/   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]\n            \/\/   8db710050000         | lea                 esi, [edi + 0x510]\n            \/\/   7534                 | jne                 0x36\n\n        $sequence_8 = { 68???????? 50 e8???????? 83c40c 8d85e0fdffff ffb574f7ffff }\n            \/\/ n = 6, score = 200\n            \/\/   68????????           |\n            \/\/   50                   | push                eax\n            \/\/   e8????????           |\n            \/\/   83c40c               | add                 esp, 0xc\n            \/\/   8d85e0fdffff         | lea                 eax, [ebp - 0x220]\n            \/\/   ffb574f7ffff         | push                dword ptr [ebp - 0x88c]\n\n        $sequence_9 = { 899570f7ffff 3b5708 0f82c3feffff e9???????? }\n            \/\/ n = 4, score = 200\n            \/\/   899570f7ffff         | mov                 dword ptr [ebp - 0x890], edx\n            \/\/   3b5708               | cmp                 edx, dword ptr [edi + 8]\n            \/\/   0f82c3feffff         | jb                  0xfffffec9\n            \/\/   e9????????           |\n\n        $sequence_10 = { 6a5c 668945f2 58 56 }\n            \/\/ n = 4, score = 200\n            \/\/   6a5c                 | push                0x5c\n            \/\/   668945f2             | mov                 word ptr [ebp - 0xe], ax\n            \/\/   58                   | pop                 eax\n            \/\/   56                   | push                esi\n\n        $sequence_11 = { 83ee01 75f8 e8???????? c3 8b770c 8d4710 8bd6 }\n            \/\/ n = 7, score = 200\n            \/\/   83ee01               | sub                 esi, 1\n            \/\/   75f8                 | jne                 0xfffffffa\n            \/\/   e8????????           |\n            \/\/   c3                   | ret\n            \/\/   8b770c               | mov                 esi, dword ptr [edi + 0xc]\n            \/\/   8d4710               | lea                 eax, [edi + 0x10]\n            \/\/   8bd6                 | mov                 edx, esi\n\n        $sequence_12 = { e8???????? 83c410 ebe6 8b45e4 8b0c85a8bf4100 8b45e8 f644012880 }\n            \/\/ n = 7, score = 200\n            \/\/   e8????????           |\n            \/\/   83c410               | add                 esp, 0x10\n            \/\/   ebe6                 | jmp                 0xffffffe8\n            \/\/   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]\n            \/\/   8b0c85a8bf4100       | mov                 ecx, dword ptr [eax*4 + 0x41bfa8]\n            \/\/   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]\n            \/\/   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80\n\n        $sequence_13 = { c746345c4b4100 57 ff7634 c6463c01 e8???????? 59 59 }\n            \/\/ n = 7, score = 200\n            \/\/   c746345c4b4100       | mov                 dword ptr [esi + 0x34], 0x414b5c\n            \/\/   57                   | push                edi\n            \/\/   ff7634               | push                dword ptr [esi + 0x34]\n            \/\/   c6463c01             | mov                 byte ptr [esi + 0x3c], 1\n            \/\/   e8????????           |\n            \/\/   59                   | pop                 ecx\n            \/\/   59                   | pop                 ecx\n\n        $sequence_14 = { 6a2f 59 668908 33c9 8b4608 66890c78 668b45d8 }\n            \/\/ n = 7, score = 200\n            \/\/   6a2f                 | push                0x2f\n            \/\/   59                   | pop                 ecx\n            \/\/   668908               | mov                 word ptr [eax], cx\n            \/\/   33c9                 | xor                 ecx, ecx\n            \/\/   8b4608               | mov                 eax, dword ptr [esi + 8]\n            \/\/   66890c78             | mov                 word ptr [eax + edi*2], cx\n            \/\/   668b45d8             | mov                 ax, word ptr [ebp - 0x28]\n\n    condition:\n        7 of them and filesize &lt; 999424\n}\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In this research, we have primarily focused on the Turkish APT group APT-C-41 (aka StrongPity and Promethium). The modus operandi of this group has been to install a backdoor on its victims' machines to conduct cyber-espionage operations. The main targets of this APT group have been financial organisations, industrial plants and educational institutes. 
LMNTRIX [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2282,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2281"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2281\/revisions"}],"predecessor-version":[{"id":4227,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2281\/revisions\/4227"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2282"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
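The indicators and behaviours described in the post above (the payload MD5s, the C2 domains, and the silent rmdir /s /q tree deletion) turned into a small triage script. This is an added example and not LMNTRIX tooling: the hash and domain values are the ones from the post's payload table, while the DNS log lines and process command lines embedded in the script are constructed sample telemetry, and the `sweep_files` helper is an assumption about how the hashes would be checked against files on disk.

```python
"""IOC sweep for the APT-C-41 (StrongPity/Promethium) indicators in the post above.

Added example, not LMNTRIX tooling. IOC_MD5 and C2_DEFANGED are the values
from the post's payload table; DNS_LOG and PROCESS_LOG are constructed
sample telemetry, not real captures.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Payload MD5s from the post's table.
IOC_MD5 = {
    "d7aae4694291a7811c18ccc0af9d4b53", "06752c080a5c00baf971243be65a49b8",
    "52a895199380705c514dd0a23ba52414", "c930f328b5b3894feced92d04908b256",
    "469c0460e4c1fefd01db4ae9f79c53c7", "d7c62bc2a06d5abd872152ec87c64c8b",
    "07ee8219801ec09951b8609142639480", "c009b0bcf1c02503fff0d0e511188b68",
    "a57e5f2011d04117c28982a68db28e23", "ff9b1e2d7ad8b022f3fd3d9395382cf5",
    "989af6e0bb7fa4d62815f4fdc4696b85",
}

# C2 domains from the post, kept defanged so the list is safe to paste around.
C2_DEFANGED = [
    "mentiononecommon[.]com", "ms21-app3-upload[.]com",
    "mailtransfersagents[.]com", "applicationrepo[.]com",
    "uppertrainingtool[.]com", "hostoperationsystems[.]com",
    "Protectapplication[.]com",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging ('[.]', '(dot)', 'hxxp') and lower-case the result."""
    s = indicator.strip().lower()
    for token in ("[.]", "(dot)", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)


C2_DOMAINS = {refang(d) for d in C2_DEFANGED}


def is_c2_domain(qname: str) -> bool:
    """Exact or subdomain match against the C2 list; tolerates a trailing dot."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def md5_matches(data: bytes) -> bool:
    """True if the MD5 of data is one of the listed payload hashes."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


def sweep_files(root: Path) -> List[Path]:
    """Hash every file under root and return those matching a payload MD5 (assumed usage)."""
    return [p for p in root.rglob("*") if p.is_file() and md5_matches(p.read_bytes())]


# Constructed resolver log lines: "<timestamp> <client> query <qname> <type>".
DNS_LOG = """\
2020-11-03T09:12:41Z 10.20.4.17 query mailtransfersagents.com A
2020-11-03T09:12:42Z 10.20.4.17 query cdn.example.net A
2020-11-03T09:15:07Z 10.20.4.31 query protectapplication.com. A
2020-11-03T09:16:55Z 10.20.4.31 query www.hostoperationsystems.com A
2020-11-03T09:17:10Z 10.20.4.31 query notmailtransfersagents.com A
""".splitlines()

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def scan_dns(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query to a listed C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and is_c2_domain(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


# rmdir/rd invocation followed by its arguments; the switches may come in any order.
RMDIR_RE = re.compile(r"(?:^|[\s'\"&|;])(?:rmdir|rd)\b(?P<args>.*)$", re.IGNORECASE)


def is_quiet_recursive_rmdir(cmdline: str) -> bool:
    """True for rmdir/rd with both /s and /q, the silent tree deletion the sample performs."""
    m = RMDIR_RE.search(cmdline)
    if not m:
        return False
    args = m["args"].lower()
    return bool(re.search(r"/s\b", args)) and bool(re.search(r"/q\b", args))


# Constructed process-creation command lines.
PROCESS_LOG = [
    r'C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\victim\Documents\work',
    r'cmd.exe /c rmdir C:\Temp\empty',
    r'cmd.exe /c "rd /Q /S "C:\Users\victim\Desktop\files""',
    r'powershell.exe -c Remove-Item -Recurse C:\Temp\cache',
    r'cmd.exe /c rmdir /q C:\Temp\x',
]


def flag_process_log(cmdlines: Iterable[str]) -> List[str]:
    """Return the command lines that perform a silent recursive directory removal."""
    return [c for c in cmdlines if is_quiet_recursive_rmdir(c)]


if __name__ == "__main__":
    for ts, client, qname in scan_dns(DNS_LOG):
        print(f"C2 lookup   {ts} {client} -> {qname}")
    for cmd in flag_process_log(PROCESS_LOG):
        print(f"rmdir /s /q {cmd}")
    # sweep_files(Path("C:/quarantine")) would hash files on disk against IOC_MD5.
```

Run it directly to print the hits from the constructed telemetry, or point `sweep_files` at a quarantine directory. MD5 matching only catches these exact builds, so the YARA rule in the post is the better net for the wider family; the rmdir check is a behavioural signal that also fires on legitimate cleanup scripts, so treat it as a pivot for investigation rather than a verdict.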