
Analysis Report New-PO-0485667-MED-April-Order-Quote,pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219988
Start date: 03.04.2020
Start time: 05:47:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New-PO-0485667-MED-April-Order-Quote,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@24/2@10/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 60.7% (good quality ratio 54.3%)
  • Quality average: 73.7%
  • Quality standard deviation: 31.6%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 174
  • Number of non-executed functions: 240
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 216.58.207.46, 2.18.68.82, 172.217.22.110, 67.27.235.126, 67.27.233.254, 67.27.159.126, 67.27.158.254, 67.27.233.126, 8.248.147.254, 8.253.95.249, 8.253.204.121, 67.27.157.254, 8.253.95.121, 8.253.207.120, 8.248.133.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, drive.google.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100 (range 0 - 100)
Whitelisted: false
Threat: FormBook GuLoader
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques are listed per tactic column; the numbers appended to a technique name are the signature counts shown in the matrix.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
Execution: Scripting11, Execution through Module Load1, Graphical User Interface1, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
Persistence: Registry Run Keys / Startup Folder11, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
Privilege Escalation: Process Injection412, Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
Defense Evasion: Masquerading1, Software Packing1, Virtualization/Sandbox Evasion12, Process Injection412, Deobfuscate/Decode Files or Information1, Scripting11, Obfuscated Files or Information2
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion12, Process Discovery2, Security Software Discovery221, Remote System Discovery1, File and Directory Discovery1, System Information Discovery2, Network Sniffing
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
Exfiltration: Data Encrypted1, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol12, Standard Non-Application Layer Protocol1, Standard Application Layer Protocol2, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe; Virustotal: Detection: 41%
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe; ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.1018846869.000000001F170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.923358478.000000001F060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.957308925.000000001F060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.897238234.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.938119817.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1013177053.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.New-PO-0485667-MED-April-Order-Quote,pdf.exe.2220000.0.unpack; Avira: Label: TR/Dropper.Gen

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 172.217.23.97
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: doc-04-0c-docs.googleusercontent.com
URLs found in memory or binary data
Uses HTTPS

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.1018846869.000000001F170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1018846869.000000001F170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.923358478.000000001F060000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.923358478.000000001F060000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.957308925.000000001F060000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.957308925.000000001F060000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.897238234.0000000000170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.897238234.0000000000170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.938119817.0000000000170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.938119817.0000000000170000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.991731665.0000000010CBF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
Source: 00000004.00000002.1013177053.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1013177053.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Potential malicious icon found
Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: New-PO-0485667-MED-April-Order-Quote,pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FA85D NtSetInformationThread,4_2_004FA85D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FAB92 NtSetInformationThread,4_2_004FAB92
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004F04DA NtSetInformationThread,4_2_004F04DA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004F04EE NtSetInformationThread,4_2_004F04EE
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FA50E NtSetInformationThread,4_2_004FA50E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FADE5 NtSetInformationThread,4_2_004FADE5
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FA627 NtSetInformationThread,4_2_004FA627
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FA74B NtSetInformationThread,4_2_004FA74B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_004FAF6D NtSetInformationThread,4_2_004FAF6D
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_021436F8 NtWriteVirtualMemory,6_2_021436F8
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214A505 NtResumeThread,6_2_0214A505
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02149F57 NtProtectVirtualMemory,6_2_02149F57
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214039B EnumWindows,NtSetInformationThread,TerminateProcess,6_2_0214039B
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214A627 NtResumeThread,6_2_0214A627
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214A85D NtResumeThread,6_2_0214A85D
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02143A4D NtWriteVirtualMemory,6_2_02143A4D
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_021438B9 NtWriteVirtualMemory,6_2_021438B9
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_021404DA NtSetInformationThread,TerminateProcess,6_2_021404DA
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02143EF9 NtWriteVirtualMemory,6_2_02143EF9
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_021404EE NtSetInformationThread,TerminateProcess,6_2_021404EE
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214A50E NtResumeThread,6_2_0214A50E
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02143753 NtWriteVirtualMemory,6_2_02143753
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214A74B NtResumeThread,6_2_0214A74B
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02143D6D NtWriteVirtualMemory,6_2_02143D6D
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214AF6D NtResumeThread,6_2_0214AF6D
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214AB92 NtResumeThread,6_2_0214AB92
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_02143BD9 NtWriteVirtualMemory,6_2_02143BD9
Source: C:\Users\user\TING\Lytte.exeCode function: 6_2_0214ADE5 NtResumeThread,6_2_0214ADE5
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A750 NtCreateFile,LdrInitializeThunk,9_2_1F40A750
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A700 NtProtectVirtualMemory,LdrInitializeThunk,9_2_1F40A700
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A720 NtResumeThread,LdrInitializeThunk,9_2_1F40A720
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A610 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_1F40A610
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A6A0 NtCreateSection,LdrInitializeThunk,9_2_1F40A6A0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A540 NtDelayExecution,LdrInitializeThunk,9_2_1F40A540
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A560 NtQuerySystemInformation,LdrInitializeThunk,9_2_1F40A560
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A5F0 NtReadVirtualMemory,LdrInitializeThunk,9_2_1F40A5F0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A410 NtQueryInformationToken,LdrInitializeThunk,9_2_1F40A410
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A480 NtMapViewOfSection,LdrInitializeThunk,9_2_1F40A480
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A4A0 NtUnmapViewOfSection,LdrInitializeThunk,9_2_1F40A4A0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A360 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_1F40A360
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A3E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_1F40A3E0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A240 NtReadFile,LdrInitializeThunk,9_2_1F40A240
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A2D0 NtClose,LdrInitializeThunk,9_2_1F40A2D0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A710 NtQuerySection,9_2_1F40A710
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A780 NtOpenDirectoryObject,9_2_1F40A780
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A650 NtQueueApcThread,9_2_1F40A650
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A6D0 NtCreateProcessEx,9_2_1F40A6D0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40BD40 NtSuspendThread,9_2_1F40BD40
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A520 NtEnumerateKey,9_2_1F40A520
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A5A0 NtWriteVirtualMemory,9_2_1F40A5A0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A460 NtOpenProcess,9_2_1F40A460
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A470 NtSetInformationFile,9_2_1F40A470
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40B470 NtOpenThread,9_2_1F40B470
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40B410 NtOpenProcessToken,9_2_1F40B410
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A430 NtQueryVirtualMemory,9_2_1F40A430
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40ACE0 NtCreateMutant,9_2_1F40ACE0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A350 NtQueryValueKey,9_2_1F40A350
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A370 NtQueryInformationProcess,9_2_1F40A370
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A310 NtEnumerateValueKey,9_2_1F40A310
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A3D0 NtCreateKey,9_2_1F40A3D0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A260 NtWriteFile,9_2_1F40A260
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A220 NtWaitForSingleObject,9_2_1F40A220
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40BA30 NtSetContextThread,9_2_1F40BA30
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A2F0 NtQueryInformationFile,9_2_1F40A2F0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40A800 NtSetValueKey,9_2_1F40A800
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_1F40B0B0 NtGetContextThread,9_2_1F40B0B0
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004F039B EnumWindows,NtSetInformationThread,9_2_004F039B
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FA505 NtSetInformationThread,9_2_004FA505
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004F9F57 NtProtectVirtualMemory,9_2_004F9F57
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FA85D NtSetInformationThread,9_2_004FA85D
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FAB92 NtSetInformationThread,9_2_004FAB92
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004F04DA NtSetInformationThread,9_2_004F04DA
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004F04EE NtSetInformationThread,9_2_004F04EE
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FA50E NtSetInformationThread,9_2_004FA50E
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FADE5 NtSetInformationThread,9_2_004FADE5
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FA627 NtSetInformationThread,9_2_004FA627
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FA74B NtSetInformationThread,9_2_004FA74B
Source: C:\Users\user\TING\Lytte.exeCode function: 9_2_004FAF6D NtSetInformationThread,9_2_004FAF6D
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A750 NtCreateFile,LdrInitializeThunk,13_2_1F40A750
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A700 NtProtectVirtualMemory,LdrInitializeThunk,13_2_1F40A700
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A720 NtResumeThread,LdrInitializeThunk,13_2_1F40A720
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A610 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_1F40A610
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A6A0 NtCreateSection,LdrInitializeThunk,13_2_1F40A6A0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A540 NtDelayExecution,LdrInitializeThunk,13_2_1F40A540
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A560 NtQuerySystemInformation,LdrInitializeThunk,13_2_1F40A560
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A5F0 NtReadVirtualMemory,LdrInitializeThunk,13_2_1F40A5F0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A410 NtQueryInformationToken,LdrInitializeThunk,13_2_1F40A410
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A480 NtMapViewOfSection,LdrInitializeThunk,13_2_1F40A480
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A4A0 NtUnmapViewOfSection,LdrInitializeThunk,13_2_1F40A4A0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A360 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_1F40A360
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A3E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_1F40A3E0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A240 NtReadFile,LdrInitializeThunk,13_2_1F40A240
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A2D0 NtClose,LdrInitializeThunk,13_2_1F40A2D0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A710 NtQuerySection,13_2_1F40A710
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A780 NtOpenDirectoryObject,13_2_1F40A780
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A650 NtQueueApcThread,13_2_1F40A650
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A6D0 NtCreateProcessEx,13_2_1F40A6D0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40BD40 NtSuspendThread,13_2_1F40BD40
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A520 NtEnumerateKey,13_2_1F40A520
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A5A0 NtWriteVirtualMemory,13_2_1F40A5A0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A460 NtOpenProcess,13_2_1F40A460
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A470 NtSetInformationFile,13_2_1F40A470
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40B470 NtOpenThread,13_2_1F40B470
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40B410 NtOpenProcessToken,13_2_1F40B410
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A430 NtQueryVirtualMemory,13_2_1F40A430
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40ACE0 NtCreateMutant,13_2_1F40ACE0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A350 NtQueryValueKey,13_2_1F40A350
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A370 NtQueryInformationProcess,13_2_1F40A370
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A310 NtEnumerateValueKey,13_2_1F40A310
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A3D0 NtCreateKey,13_2_1F40A3D0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A260 NtWriteFile,13_2_1F40A260
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A220 NtWaitForSingleObject,13_2_1F40A220
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40BA30 NtSetContextThread,13_2_1F40BA30
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A2F0 NtQueryInformationFile,13_2_1F40A2F0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40A800 NtSetValueKey,13_2_1F40A800
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_1F40B0B0 NtGetContextThread,13_2_1F40B0B0
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004F039B EnumWindows,NtSetInformationThread,13_2_004F039B
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FA505 NtSetInformationThread,13_2_004FA505
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004F9F57 NtProtectVirtualMemory,13_2_004F9F57
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FA85D NtSetInformationThread,13_2_004FA85D
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FAB92 NtSetInformationThread,13_2_004FAB92
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004F04DA NtSetInformationThread,13_2_004F04DA
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004F04EE NtSetInformationThread,13_2_004F04EE
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FA50E NtSetInformationThread,13_2_004FA50E
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FADE5 NtSetInformationThread,13_2_004FADE5
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FA627 NtSetInformationThread,13_2_004FA627
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FA74B NtSetInformationThread,13_2_004FA74B
Source: C:\Users\user\TING\Lytte.exeCode function: 13_2_004FAF6D NtSetInformationThread,13_2_004FAF6D
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\TING\Lytte.exe | Code function: String function: 1F444F10 appears 72 times
Source: C:\Users\user\TING\Lytte.exe | Code function: String function: 1F41DDE8 appears 127 times
Source: C:\Users\user\TING\Lytte.exe | Code function: String function: 1F41DE44 appears 47 times
Source: C:\Users\user\TING\Lytte.exe | Code function: String function: 1F455110 appears 107 times
Source: C:\Users\user\TING\Lytte.exe | Code function: String function: 1F3CB0E0 appears 520 times
PE file contains strange resources
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe, 00000002.00000000.791502820.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGlohedt6.exe vs New-PO-0485667-MED-April-Order-Quote,pdf.exe
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe, 00000002.00000002.811164930.000000001E840000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs New-PO-0485667-MED-April-Order-Quote,pdf.exe
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe, 00000002.00000002.811164930.000000001E840000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New-PO-0485667-MED-April-Order-Quote,pdf.exe
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe, 00000002.00000002.810541079.000000001E750000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs New-PO-0485667-MED-April-Order-Quote,pdf.exe
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe | Binary or memory string: OriginalFilenameGlohedt6.exe vs New-PO-0485667-MED-April-Order-Quote,pdf.exe
Yara signature match
Source: 00000004.00000002.1018846869.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1018846869.000000001F170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.923358478.000000001F060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.923358478.000000001F060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.957308925.000000001F060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.957308925.000000001F060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.897238234.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.897238234.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.938119817.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.938119817.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.991731665.0000000010CBF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1013177053.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1013177053.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@24/2@10/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | File created: C:\Users\user\TING
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_01
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\TING\Lytte.vbs'
PE file has an executable .text section and no other executable section
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\TING\Lytte.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\TING\Lytte.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\TING\Lytte.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\TING\Lytte.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe | Virustotal: Detection: 41%
Source: New-PO-0485667-MED-April-Order-Quote,pdf.exe | ReversingLabs: Detection: 35%
Sample reads its own file content
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | File read: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe 'C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe 'C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe'
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe 'C:\Users\user\TING\Lytte.exe'
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe 'C:\Users\user\TING\Lytte.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\TING\Lytte.vbs'
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\TING\Lytte.vbs'
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\TING\Lytte.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process created: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe 'C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe'
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process created: C:\Users\user\TING\Lytte.exe 'C:\Users\user\TING\Lytte.exe'
Source: C:\Users\user\TING\Lytte.exe | Process created: C:\Users\user\TING\Lytte.exe 'C:\Users\user\TING\Lytte.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: C:\Users\user\TING\Lytte.exe | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: C:\Users\user\TING\Lytte.exe | Process created: C:\Users\user\TING\Lytte.exe C:\Users\user\TING\Lytte.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\TING\Lytte.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Binary contains paths to debug symbols
Source: Binary string: wscript.pdbGCTL | source: Lytte.exe, 00000004.00000002.1013543108.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000000.969523197.0000000007010000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: Lytte.exe, 00000009.00000002.923982722.000000001F190000.00000040.00000001.sdmp, Lytte.exe, 0000000D.00000002.963383070.000000001F6D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Lytte.exe, 00000004.00000002.1020966677.000000001F4BF000.00000040.00000001.sdmp, Lytte.exe, 00000009.00000002.927047959.000000001F4BF000.00000040.00000001.sdmp, Lytte.exe, 0000000D.00000003.906408438.000000001F200000.00000004.00000001.sdmp, msdt.exe, 00000011.00000003.937278528.00000000043A0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Lytte.exe, msdt.exe, 00000011.00000003.937278528.00000000043A0000.00000004.00000001.sdmp
Source: Binary string: wscript.pdb | source: Lytte.exe, 00000004.00000002.1013543108.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb | source: Lytte.exe, 00000009.00000002.923982722.000000001F190000.00000040.00000001.sdmp, Lytte.exe, 0000000D.00000002.963383070.000000001F6D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000000.969523197.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Lytte.exe PID: 2232, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lytte.exe PID: 4304, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lytte.exe PID: 4816, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lytte.exe PID: 5008, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lytte.exe PID: 1568, type: MEMORY
Source: Yara match | File source: Process Memory Space: New-PO-0485667-MED-April-Order-Quote,pdf.exe PID: 4352, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_0040F855 push cs; iretd 3_2_0040F856
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_00407207 push esp; retf 3_2_0040721E
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_00405CCA push es; iretd 3_2_00405D00
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_00405CDF push es; iretd 3_2_00405D00
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_00405FCD pushfd ; iretd 3_2_00405FCE
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_004101D5 push edi; iretd 3_2_004101DE
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_004099BE push edi; iretd 3_2_004099CA
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F41DE2D push ecx; ret 4_2_1F41DE40
Source: C:\Users\user\TING\Lytte.exe | Code function: 9_2_1F41DE2D push ecx; ret 9_2_1F41DE40
Source: C:\Users\user\TING\Lytte.exe | Code function: 13_2_1F41DE2D push ecx; ret 13_2_1F41DE40

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT C:\Users\user\TING\Lytte.vbs
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT C:\Users\user\TING\Lytte.vbs
Creates an autostart registry key
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SKINT

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\TING\Lytte.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002DB7244 second address: 0000000002DB724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002DB74AE second address: 0000000002DB74B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002E67244 second address: 0000000002E6724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002E674AE second address: 0000000002E674B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 0000000000767244 second address: 000000000076724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000007674AE second address: 00000000007674B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F495595 rdtsc 4_2_1F495595
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found large amount of non-executed APIs
Source: C:\Users\user\TING\Lytte.exe | API coverage: 5.2 %
Source: C:\Users\user\TING\Lytte.exe | API coverage: 4.2 %
Source: C:\Users\user\TING\Lytte.exe | API coverage: 4.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 2748 | Thread sleep time: -58000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000007.00000000.970477266.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.978276011.0000000007CD5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.970477266.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.970477266.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.978276011.0000000007CD5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllta\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.dbV
Source: explorer.exe, 00000007.00000000.978276011.0000000007CD5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW04
Source: explorer.exe, 00000007.00000000.970477266.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\TING\Lytte.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F039B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 2_2_004F039B
Hides threads from debuggers
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\TING\Lytte.exe | Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\TING\Lytte.exe | Process queried: DebugPort
Source: C:\Users\user\TING\Lytte.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
Source: C:\Users\user\TING\Lytte.exe | Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F495595 rdtsc 4_2_1F495595
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F4CB8 LdrInitializeThunk, 2_2_004F4CB8
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F9429 mov eax, dword ptr fs:[00000030h] 2_2_004F9429
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F9424 mov eax, dword ptr fs:[00000030h] 2_2_004F9424
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F86CA mov eax, dword ptr fs:[00000030h] 2_2_004F86CA
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F1CFF mov eax, dword ptr fs:[00000030h] 2_2_004F1CFF
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F4482 mov eax, dword ptr fs:[00000030h] 2_2_004F4482
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F2CA4 mov eax, dword ptr fs:[00000030h] 2_2_004F2CA4
Source: C:\Users\user\Desktop\New-PO-0485667-MED-April-Order-Quote,pdf.exe | Code function: 2_2_004F8F34 mov eax, dword ptr fs:[00000030h] 2_2_004F8F34
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02239424 mov eax, dword ptr fs:[00000030h] 3_2_02239424
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02239429 mov eax, dword ptr fs:[00000030h] 3_2_02239429
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02232CA4 mov eax, dword ptr fs:[00000030h] 3_2_02232CA4
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02234482 mov eax, dword ptr fs:[00000030h] 3_2_02234482
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02231CFF mov eax, dword ptr fs:[00000030h] 3_2_02231CFF
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_022386CA mov eax, dword ptr fs:[00000030h] 3_2_022386CA
Source: C:\Users\user\TING\Lytte.exe | Code function: 3_2_02238F34 mov eax, dword ptr fs:[00000030h] 3_2_02238F34
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F442F40 mov eax, dword ptr fs:[00000030h] 4_2_1F442F40
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F473740 mov eax, dword ptr fs:[00000030h] 4_2_1F473740
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3F1F10 mov eax, dword ptr fs:[00000030h] 4_2_1F3F1F10
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3F1F10 mov eax, dword ptr fs:[00000030h] 4_2_1F3F1F10
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 4_2_1F3D6F05
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 4_2_1F3D6F05
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 4_2_1F3D6F05
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 4_2_1F3D6F05
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D6F05 mov eax, dword ptr fs:[00000030h] 4_2_1F3D6F05
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F409F7A mov eax, dword ptr fs:[00000030h] 4_2_1F409F7A
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F49870A mov eax, dword ptr fs:[00000030h] 4_2_1F49870A
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3DEF60 mov eax, dword ptr fs:[00000030h] 4_2_1F3DEF60
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48DF39 mov eax, dword ptr fs:[00000030h] 4_2_1F48DF39
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3EC74A mov eax, dword ptr fs:[00000030h] 4_2_1F3EC74A
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3EC74A mov eax, dword ptr fs:[00000030h] 4_2_1F3EC74A
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3F5744 mov eax, dword ptr fs:[00000030h] 4_2_1F3F5744
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3F5744 mov eax, dword ptr fs:[00000030h] 4_2_1F3F5744
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3DDF40 mov eax, dword ptr fs:[00000030h] 4_2_1F3DDF40
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3EA7B6 mov eax, dword ptr fs:[00000030h] 4_2_1F3EA7B6
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov ecx, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4467C9 mov eax, dword ptr fs:[00000030h] 4_2_1F4467C9
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3EE79A mov eax, dword ptr fs:[00000030h] 4_2_1F3EE79A
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 4_2_1F48F7E2
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 4_2_1F48F7E2
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 4_2_1F48F7E2
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48F7E2 mov eax, dword ptr fs:[00000030h] 4_2_1F48F7E2
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov ecx, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3E5790 mov eax, dword ptr fs:[00000030h] 4_2_1F3E5790
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F4787F1 mov eax, dword ptr fs:[00000030h] 4_2_1F4787F1
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3D7781 mov eax, dword ptr fs:[00000030h] 4_2_1F3D7781
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F482782 mov eax, dword ptr fs:[00000030h] 4_2_1F482782
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h] 4_2_1F3C3FE5
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h] 4_2_1F3C3FE5
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F3C3FE5 mov eax, dword ptr fs:[00000030h] 4_2_1F3C3FE5
Source: C:\Users\user\TING\Lytte.exe | Code function: 4_2_1F48FFAC mov eax, dword ptr fs:[00000030h] 4_2_1F48FFAC
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48FFAC mov eax, dword ptr fs:[00000030h]4_2_1F48FFAC
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFE37 mov eax, dword ptr fs:[00000030h]4_2_1F3EFE37
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FCE34 mov eax, dword ptr fs:[00000030h]4_2_1F3FCE34
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FCE34 mov eax, dword ptr fs:[00000030h]4_2_1F3FCE34
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F405651 mov eax, dword ptr fs:[00000030h]4_2_1F405651
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F405651 mov eax, dword ptr fs:[00000030h]4_2_1F405651
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F2616 mov eax, dword ptr fs:[00000030h]4_2_1F3F2616
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E2600 mov eax, dword ptr fs:[00000030h]4_2_1F3E2600
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FA675 mov eax, dword ptr fs:[00000030h]4_2_1F3FA675
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CCE70 mov ecx, dword ptr fs:[00000030h]4_2_1F3CCE70
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481606 mov eax, dword ptr fs:[00000030h]4_2_1F481606
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F44660A mov eax, dword ptr fs:[00000030h]4_2_1F44660A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F44660A mov eax, dword ptr fs:[00000030h]4_2_1F44660A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F44660A mov eax, dword ptr fs:[00000030h]4_2_1F44660A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F44660A mov eax, dword ptr fs:[00000030h]4_2_1F44660A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]4_2_1F3F5E70
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]4_2_1F3F5E70
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]4_2_1F3F5E70
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F5E70 mov eax, dword ptr fs:[00000030h]4_2_1F3F5E70
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]4_2_1F3F4E61
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]4_2_1F3F4E61
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4E61 mov eax, dword ptr fs:[00000030h]4_2_1F3F4E61
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CCE50 mov eax, dword ptr fs:[00000030h]4_2_1F3CCE50
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FDE50 mov eax, dword ptr fs:[00000030h]4_2_1F3FDE50
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F45BE30 mov eax, dword ptr fs:[00000030h]4_2_1F45BE30
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F45BE30 mov eax, dword ptr fs:[00000030h]4_2_1F45BE30
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F66B4 mov eax, dword ptr fs:[00000030h]4_2_1F3F66B4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4066D0 mov eax, dword ptr fs:[00000030h]4_2_1F4066D0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CC692 mov eax, dword ptr fs:[00000030h]4_2_1F3CC692
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F480EFB mov eax, dword ptr fs:[00000030h]4_2_1F480EFB
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6682 mov eax, dword ptr fs:[00000030h]4_2_1F3D6682
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F16E5 mov eax, dword ptr fs:[00000030h]4_2_1F3F16E5
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F16E5 mov eax, dword ptr fs:[00000030h]4_2_1F3F16E5
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F403E9A mov eax, dword ptr fs:[00000030h]4_2_1F403E9A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F403E9A mov eax, dword ptr fs:[00000030h]4_2_1F403E9A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F403E9A mov eax, dword ptr fs:[00000030h]4_2_1F403E9A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483E96 mov eax, dword ptr fs:[00000030h]4_2_1F483E96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4986A9 mov eax, dword ptr fs:[00000030h]4_2_1F4986A9
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1530 mov eax, dword ptr fs:[00000030h]4_2_1F3E1530
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FE52F mov ecx, dword ptr fs:[00000030h]4_2_1F3FE52F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FE52F mov eax, dword ptr fs:[00000030h]4_2_1F3FE52F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FE52F mov eax, dword ptr fs:[00000030h]4_2_1F3FE52F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F480D1B mov eax, dword ptr fs:[00000030h]4_2_1F480D1B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F056B mov eax, dword ptr fs:[00000030h]4_2_1F3F056B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F453D10 mov eax, dword ptr fs:[00000030h]4_2_1F453D10
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F444DCA mov eax, dword ptr fs:[00000030h]4_2_1F444DCA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F444DCA mov eax, dword ptr fs:[00000030h]4_2_1F444DCA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]4_2_1F3C2DAA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]4_2_1F3C2DAA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]4_2_1F3C2DAA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]4_2_1F3C2DAA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C2DAA mov eax, dword ptr fs:[00000030h]4_2_1F3C2DAA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4985EA mov eax, dword ptr fs:[00000030h]4_2_1F4985EA
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]4_2_1F3E1D9D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]4_2_1F3E1D9D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]4_2_1F3E1D9D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]4_2_1F3E1D9D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1D9D mov eax, dword ptr fs:[00000030h]4_2_1F3E1D9D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F471DE3 mov ecx, dword ptr fs:[00000030h]4_2_1F471DE3
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F471DE3 mov ecx, dword ptr fs:[00000030h]4_2_1F471DE3
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F471DE3 mov eax, dword ptr fs:[00000030h]4_2_1F471DE3
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF591 mov eax, dword ptr fs:[00000030h]4_2_1F3EF591
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF591 mov eax, dword ptr fs:[00000030h]4_2_1F3EF591
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF591 mov eax, dword ptr fs:[00000030h]4_2_1F3EF591
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F496DFD mov eax, dword ptr fs:[00000030h]4_2_1F496DFD
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F496DFD mov eax, dword ptr fs:[00000030h]4_2_1F496DFD
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F496DFD mov eax, dword ptr fs:[00000030h]4_2_1F496DFD
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F0584 mov eax, dword ptr fs:[00000030h]4_2_1F3F0584
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F498589 mov eax, dword ptr fs:[00000030h]4_2_1F498589
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F480D8A mov eax, dword ptr fs:[00000030h]4_2_1F480D8A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48E581 mov eax, dword ptr fs:[00000030h]4_2_1F48E581
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F75F0 mov eax, dword ptr fs:[00000030h]4_2_1F3F75F0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F75F0 mov eax, dword ptr fs:[00000030h]4_2_1F3F75F0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F2DF0 mov eax, dword ptr fs:[00000030h]4_2_1F3F2DF0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D6DE1 mov eax, dword ptr fs:[00000030h]4_2_1F3D6DE1
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F495595 mov eax, dword ptr fs:[00000030h]4_2_1F495595
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F409DAF mov eax, dword ptr fs:[00000030h]4_2_1F409DAF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C95C0 mov eax, dword ptr fs:[00000030h]4_2_1F3C95C0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3C95C0 mov ecx, dword ptr fs:[00000030h]4_2_1F3C95C0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F453C47 mov eax, dword ptr fs:[00000030h]4_2_1F453C47
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F0430 mov eax, dword ptr fs:[00000030h]4_2_1F3F0430
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EF42B mov eax, dword ptr fs:[00000030h]4_2_1F3EF42B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48145F mov eax, dword ptr fs:[00000030h]4_2_1F48145F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F498452 mov eax, dword ptr fs:[00000030h]4_2_1F498452
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48E455 mov eax, dword ptr fs:[00000030h]4_2_1F48E455
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DA423 mov eax, dword ptr fs:[00000030h]4_2_1F3DA423
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DA423 mov eax, dword ptr fs:[00000030h]4_2_1F3DA423
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DA423 mov eax, dword ptr fs:[00000030h]4_2_1F3DA423
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F341B mov eax, dword ptr fs:[00000030h]4_2_1F3F341B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F341B mov eax, dword ptr fs:[00000030h]4_2_1F3F341B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F341B mov eax, dword ptr fs:[00000030h]4_2_1F3F341B
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F47AC60 mov eax, dword ptr fs:[00000030h]4_2_1F47AC60
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F47AC60 mov eax, dword ptr fs:[00000030h]4_2_1F47AC60
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E1410 mov ecx, dword ptr fs:[00000030h]4_2_1F3E1410
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F547E mov eax, dword ptr fs:[00000030h]4_2_1F3F547E
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3E7C7D mov eax, dword ptr fs:[00000030h]4_2_1F3E7C7D
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48A416 mov eax, dword ptr fs:[00000030h]4_2_1F48A416
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F48A416 mov eax, dword ptr fs:[00000030h]4_2_1F48A416
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F245F mov eax, dword ptr fs:[00000030h]4_2_1F3F245F
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F480C29 mov eax, dword ptr fs:[00000030h]4_2_1F480C29
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F453C38 mov eax, dword ptr fs:[00000030h]4_2_1F453C38
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4984CD mov eax, dword ptr fs:[00000030h]4_2_1F4984CD
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4844EF mov eax, dword ptr fs:[00000030h]4_2_1F4844EF
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3D7488 mov eax, dword ptr fs:[00000030h]4_2_1F3D7488
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F480C9A mov eax, dword ptr fs:[00000030h]4_2_1F480C9A
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F483490 mov eax, dword ptr fs:[00000030h]4_2_1F483490
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EE4C6 mov eax, dword ptr fs:[00000030h]4_2_1F3EE4C6
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EE4C6 mov eax, dword ptr fs:[00000030h]4_2_1F3EE4C6
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CACC0 mov eax, dword ptr fs:[00000030h]4_2_1F3CACC0
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CC330 mov eax, dword ptr fs:[00000030h]4_2_1F3CC330
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CC330 mov eax, dword ptr fs:[00000030h]4_2_1F3CC330
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3CC330 mov eax, dword ptr fs:[00000030h]4_2_1F3CC330
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F481351 mov eax, dword ptr fs:[00000030h]4_2_1F481351
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F40536C mov eax, dword ptr fs:[00000030h]4_2_1F40536C
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F40536C mov eax, dword ptr fs:[00000030h]4_2_1F40536C
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FAB0C mov eax, dword ptr fs:[00000030h]4_2_1F3FAB0C
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FAB0C mov eax, dword ptr fs:[00000030h]4_2_1F3FAB0C
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DE370 mov eax, dword ptr fs:[00000030h]4_2_1F3DE370
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DE370 mov eax, dword ptr fs:[00000030h]4_2_1F3DE370
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3DE370 mov eax, dword ptr fs:[00000030h]4_2_1F3DE370
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F1356 mov eax, dword ptr fs:[00000030h]4_2_1F3F1356
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3EFB40 mov eax, dword ptr fs:[00000030h]4_2_1F3EFB40
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FBBBC mov eax, dword ptr fs:[00000030h]4_2_1F3FBBBC
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F409BC7 mov eax, dword ptr fs:[00000030h]4_2_1F409BC7
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4813D8 mov eax, dword ptr fs:[00000030h]4_2_1F4813D8
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F453BD8 mov eax, dword ptr fs:[00000030h]4_2_1F453BD8
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4B96 mov eax, dword ptr fs:[00000030h]4_2_1F3F4B96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4B96 mov eax, dword ptr fs:[00000030h]4_2_1F3F4B96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4B96 mov eax, dword ptr fs:[00000030h]4_2_1F3F4B96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4B96 mov eax, dword ptr fs:[00000030h]4_2_1F3F4B96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3F4B96 mov eax, dword ptr fs:[00000030h]4_2_1F3F4B96
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FABFE mov eax, dword ptr fs:[00000030h]4_2_1F3FABFE
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F3FABFE mov eax, dword ptr fs:[00000030h]4_2_1F3FABFE
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F406399 mov eax, dword ptr fs:[00000030h]4_2_1F406399
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F406399 mov eax, dword ptr fs:[00000030h]4_2_1F406399
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F406399 mov eax, dword ptr fs:[00000030h]4_2_1F406399
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4463A6 mov eax, dword ptr fs:[00000030h]4_2_1F4463A6
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4843A4 mov eax, dword ptr fs:[00000030h]4_2_1F4843A4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4843A4 mov eax, dword ptr fs:[00000030h]4_2_1F4843A4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2_1F4843A4 mov eax, dword ptr fs:[00000030h]4_2_1F4843A4
Source: C:\Users\user\TING\Lytte.exeCode function: 4_2